[j-nsp] Password Recovery

Richard A Steenbergen ras at e-gerbil.net
Sun Nov 27 20:35:28 EST 2005


On Mon, Nov 28, 2005 at 12:53:53PM +1300, Thomas Salmen wrote:
> 
> Greetings all,
> 
> Is there some way to disable the password recovery process, as detailed
> here?
> 
> http://juniper.cluepon.net/index.php/Password_recovery
> 
> I want to make sure that there is no way someone with physical access to the
> box can view or change the configuration - I'd rather the config were
> destroyed than risk someone playing with it.
> 
> Is this possible?

The Juniper way to do this is to enable FIPS mode:

http://www.juniper.net/techpubs/software/junos/junos74/swconfig74-FIPS/html/FIPS-mode2.html

> Local passwords are encrypted using HMAC-SHA1. Password recovery is not 
> possible in JUNOS-FIPS. JUNOS-FIPS cannot boot into single-user mode 
> without the correct root password.

Of course, anyone with physical access who really wants to see your config 
can just pull the routing engine, yank out the CF and hard drive, and load 
it up into an external machine. AFAIK there is no mechanism to encrypt (or 
even obscure from casual examination, which is really the best you could 
hope for) the entire config or the config filesystems.

Don't forget that configs can be stored in two places, /config AND 
/altconfig. I can't tell you how many configs (complete with passwords) 
I've come across this way from old routers and returned leases, from folks 
like AOL, Cogent, CW, Exodus, Netrail, Teleglobe, Telocity, Verio, etc. :)

Besides, if you were really paranoid you would rig an explosive to go off 
when the RE is pulled out or something. :)

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
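The point above about configs (with passwords) surviving in /config and /altconfig on returned hardware suggests a decommissioning check. The script below is an added example, not part of this thread or of Junos: given a read-only mount of a pulled CF/HDD at a path you supply, it lists every juniper.conf* file under those two directories and reports lines that still carry credentials (Junos "encrypted-password" statements and "$9$..." obfuscated keys). The mount path, the file naming and the sample config tree are assumptions.

```shell
#!/bin/sh
# Added decommissioning check (not from the original thread). Assumes the
# pulled media is mounted read-only at $1 and that configurations live as
# plain or gzipped juniper.conf* files under /config and /altconfig.

# Print the path of every config file found under /config and /altconfig.
list_junos_configs() {
    root=$1
    for d in "$root/config" "$root/altconfig"; do
        [ -d "$d" ] || continue
        find "$d" -type f -name 'juniper.conf*' 2>/dev/null
    done
}

# Print "<file>:<line>:<text>" for each credential-carrying statement.
# Junos writes hashed login passwords after "encrypted-password" and
# obfuscated shared secrets (RADIUS/TACACS+/BGP/OSPF keys) as "$9$..." strings.
find_credential_lines() {
    root=$1
    list_junos_configs "$root" | while IFS= read -r f; do
        case $f in
            *.gz) reader="gzip -dc" ;;
            *)    reader="cat" ;;
        esac
        $reader "$f" | grep -nE 'encrypted-password|authentication-key|"\$9\$' |
            sed "s|^|$f:|"
    done
}

# Succeeds (exit 0) only when no leftover credentials were found on the media.
media_is_clean() {
    n=$(find_credential_lines "$1" | wc -l | tr -d '[:space:]')
    [ "$n" -eq 0 ]
}

# Constructed sample media: a live gzipped config plus a stale /altconfig copy
# that a sloppy wipe of /config alone would have missed. Prints the mount root.
make_sample_media() {
    root=$(mktemp -d)
    mkdir -p "$root/config" "$root/altconfig"
    printf 'system {\n    root-authentication {\n        encrypted-password "$1$constructed$hashhashhash"; ## SECRET-DATA\n    }\n}\n' |
        gzip -c > "$root/config/juniper.conf.gz"
    printf 'protocols {\n    bgp {\n        group ebgp {\n            authentication-key "$9$constructedkey"; ## SECRET-DATA\n        }\n    }\n}\n' \
        > "$root/altconfig/juniper.conf"
    echo "$root"
}
```

Run `media_is_clean /mnt/pulled-re` against the real mount; a non-zero exit means the media still needs wiping before it goes back to the lessor.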