Junos Password and key storing hashes

‎01-20-2018 05:17 AM

Hi all ..

Junos stores the user login plaintext passwords in the form of hashes using the MD-5 hashing algorithm. These hashes are visible in the configuration and start with "$1$". On the other hand, the TACACS+ / RADIUS server key and VPN pre-shared key are stored in reversible encryption hashes, and these hashes start with $9$ (sample config attached). The reversible encryption hashes are easily decrypted to the original keys using tools available online.

My question is: what's the technical compulsion behind storing the authentication keys in reversible encryption hashes, and is there a way to avoid this and use MD5 instead?

 

Thanks

Solution
Accepted by topic author ammad
‎01-20-2018 10:42 AM

Re: Junos Password and key storing hashes

‎01-20-2018 10:32 AM

This has already been handled from Junos 15.1X49-D50 and 16.2R1 for MX/QFX.

 

You can define a master password, which then encrypts the $9$ strings. You can then only use the $9$ values if you know the master password.

More information here: https://www.juniper.net/documentation/en_US/junos/topics/concept/harden-shared-secrets.html

 

I hope this answers your question :-)


--
Best regards,

Jonas Hauge Klingenberg
Juniper Ambassador & Technology Architect, SEC DATACOM A/S (Denmark)
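
An added example, not part of either post and not Juniper code: a small audit that walks a Junos configuration export and reports which stored secrets are still in the reversible `$9$` form discussed above, so they can be moved under a master password. The sample configuration and its secret values are constructed placeholders; the `$5$`, `$6$` and `$8$` prefixes are not named in the thread and are included from general Junos knowledge.

```python
import re

# "$1$" and "$9$" are the prefixes named in the thread. "$5$"/"$6$" (SHA-crypt)
# and "$8$" (master-password encrypted) come from general Junos knowledge.
# Value: (label, recoverable without any key?)
FORMATS = {
    "$1$": ("md5-crypt hash", False),
    "$5$": ("sha256-crypt hash", False),
    "$6$": ("sha512-crypt hash", False),
    "$8$": ("master-password encrypted", False),
    "$9$": ("reversible $9$ encoding", True),
}
SECRET_RE = re.compile(r'"(\$\d\$[^"]*)"')

# Constructed sample export (placeholder secrets), curly-brace and set style.
SAMPLE_CONFIG = '''system {
    root-authentication {
        encrypted-password "$1$EXAMPLE$constructedhashvalue000"; ## SECRET-DATA
    }
    tacplus-server {
        192.0.2.10 secret "$9$constructed-example-value"; ## SECRET-DATA
    }
}
set security ike policy P1 pre-shared-key ascii-text "$9$another-constructed-value"
'''

def audit(config_text):
    """Return one finding per quoted secret, with its configuration path."""
    findings, stack = [], []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        match = SECRET_RE.search(line)
        if match:
            label, recoverable = FORMATS.get(match.group(1)[:3], ("unknown", False))
            words = line[:match.start()].split()
            # "set" lines carry the full path; brace style inherits the stack.
            path = words[1:] if words[:1] == ["set"] else stack + words
            findings.append({"line": lineno, "path": " ".join(path),
                             "format": label, "recoverable": recoverable})
            continue
        code = line.split("##")[0].strip()  # drop trailing annotations
        if code.endswith("{"):
            stack.append(code[:-1].strip())
        elif code == "}" and stack:
            stack.pop()
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        flag = "REVIEW" if f["recoverable"] else "ok"
        print(f'{flag:6} line {f["line"]:>2} {f["format"]:26} {f["path"]}')
```

Run against a saved configuration export, the lines marked REVIEW are the shared secrets to re-enter once a master password is configured.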

Re: Junos Password and key storing hashes

‎01-20-2018 10:43 AM

Thank you Jonashauge. That's what I was looking for :-)