[j-nsp] Password Recovery

Thomas Salmen tsalmen at orcon.net.nz
Sun Nov 27 21:04:36 EST 2005



> 
> On Mon, Nov 28, 2005 at 12:53:53PM +1300, Thomas Salmen wrote:
> >
> > Greetings all,
> >
> > Is there some way to disable the password recovery process, as detailed
> > here?
> >
> > http://juniper.cluepon.net/index.php/Password_recovery
> >
> > I want to make sure that there is no way someone with physical access to the
> > box can view or change the configuration - I'd rather the config were
> > destroyed than risk someone playing with it.
> >
> > Is this possible?
> 
> The Juniper way to do this is to enable FIPS mode:
> 
> http://www.juniper.net/techpubs/software/junos/junos74/swconfig74-FIPS/html/FIPS-mode2.html
> 
> > Local passwords are encrypted using HMAC-SHA1. Password recovery is not
> > possible in JUNOS-FIPS. JUNOS-FIPS cannot boot into single-user mode
> > without the correct root password.
> 
> Of course anyone with physical access who really wants to see your config
> can just pull the routing engine, yank out the CF and hard drive, and load
> it up into an external machine. AFAIK there is no mechanism to encrypt (or
> even obscure from casual examination, which is really the best you could
> hope for) the entire config or the config filesystems.
> 
> Don't forget that configs can be stored in two places, /config AND
> /altconfig, I can't tell you how many configs (complete with passwords)
> I've come across this way from old routers and returned leases, from folks
> like AOL, Cogent, CW, Exodus, Netrail, Teleglobe, Telocity, Verio, etc. :)
> 
> Besides if you were really paranoid you would rig an explosive to go off
> when the RE is pulled out or something. :)
> 

I should have mentioned this in my original post: this box is actually a
J-series in a not-completely-secure customer/POP site. Due to some
"irregular" peering filters employed by transit providers at this location,
changes to protocols config could theoretically cause problems at other
locations. 

Peering sessions are password protected, and I'm hoping that nobody onsite
will be sufficiently interested to actually go to the extent of pulling the
router apart. I don't know a great deal about the J-series physical
construction - I assume that config is stored on internal flash rather than
a CF card or hard drive? I'd be happy turning off single-user booting (if
this can be done, I don't know much about BSD or the junos shell), to be
honest, and relying on potential intruder disinterest in taking things
further.

Ideally I'd like to have a standard secure installation that I can stamp out
for J-series boxes going to remote locations where we don't have a staff
presence. We control physical access to all our M-series boxes sufficiently
to not need to take such drastic measures, thankfully :)


Cheers,
Thomas
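
As an added example (it is not part of the thread and not Juniper's code), the script below shows why a config lifted from /config or /altconfig comes "complete with passwords", as the reply quoted above says. Junos stores login passwords under encrypted-password as one-way hashes, but protocol secrets such as BGP authentication-key values are stored as $9$ strings, which are a reversible obfuscation rather than encryption. The $9$ decoder and encoder here follow the publicly documented scheme as reimplemented in Crypt::Juniper (the assumption being that this matches the Junos release in question; no router was consulted). The config fragment it scans is constructed: the root hash is a made-up placeholder of the right shape and the $9$ value was produced by the encoder in this file.

```python
import random
import re

# Junos "$9$" obfuscation: alphabet, filler-length table and per-position
# weights as in the public Crypt::Juniper reimplementation (assumption: this
# is faithful to Junos).  Login hashes ($1$/$5$/$6$) are NOT this scheme.
MAGIC = "$9$"
FAMILY = ["QzF3n6/9CAtpu0O", "B1IREhcSyrleKvMW8LXx",
          "7N-dVbwsY2g4oaJZGUDj", "iHkq.mPf5T"]
NUM_ALPHA = list("".join(FAMILY))                  # 65 symbols
ALPHA_NUM = {c: i for i, c in enumerate(NUM_ALPHA)}
# The first char after "$9$" is a salt that also says how many throw-away
# filler chars follow it (3, 2, 1 or 0 depending on which family it is in).
EXTRA = {c: 3 - i for i, fam in enumerate(FAMILY) for c in fam}
# Each plaintext byte is spread over 2-4 output chars with these weights,
# cycling by plaintext position.
ENCODING = [[1, 4, 32], [1, 16, 32], [1, 8, 32], [1, 64],
            [1, 32], [1, 4, 16, 128], [1, 32, 64]]


def _gap(c1, c2):
    """Distance between two consecutive output chars, minus the +1 bias."""
    return (ALPHA_NUM[c2] - ALPHA_NUM[c1]) % len(NUM_ALPHA) - 1


def decode_9(secret):
    """Reverse a $9$ string to its plaintext; raises ValueError on bad input."""
    if not secret.startswith(MAGIC) or len(secret) <= len(MAGIC):
        raise ValueError("not a $9$ secret")
    chars = secret[len(MAGIC):]
    first, chars = chars[0], chars[1:]
    if first not in EXTRA:
        raise ValueError("bad salt character %r" % first)
    chars = chars[EXTRA[first]:]                  # drop the filler
    prev, plain = first, ""
    while chars:
        enc = ENCODING[len(plain) % len(ENCODING)]
        nibble, chars = chars[:len(enc)], chars[len(enc):]
        if len(nibble) != len(enc):
            raise ValueError("truncated $9$ secret")
        gaps = []
        for c in nibble:
            gaps.append(_gap(prev, c))
            prev = c
        plain += chr(sum(g * w for g, w in zip(gaps, enc)) % 256)
    return plain


def encode_9(plain, salt=None, filler=None):
    """Forward direction; deterministic when salt and filler are supplied."""
    salt = salt or random.choice(NUM_ALPHA)
    if filler is None:
        filler = "".join(random.choice(NUM_ALPHA) for _ in range(EXTRA[salt]))
    if len(filler) != EXTRA[salt]:
        raise ValueError("filler must be %d chars for salt %r" % (EXTRA[salt], salt))
    prev, out = salt, MAGIC + salt + filler
    for pos, ch in enumerate(plain):
        enc = ENCODING[pos % len(ENCODING)]
        val, gaps = ord(ch), []
        for w in reversed(enc):                   # mixed-radix digits of the byte
            gaps.insert(0, val // w)
            val %= w
        for g in gaps:                            # each digit becomes one char
            prev = NUM_ALPHA[(g + ALPHA_NUM[prev] + 1) % len(NUM_ALPHA)]
            out += prev
    return out


# Matches 'keyword "$N$..."' as Junos writes secrets, e.g.
#   encrypted-password "$1$..."; ## SECRET-DATA
#   authentication-key "$9$..."; ## SECRET-DATA
SECRET_RE = re.compile(r'(\S+)\s+"(\$\d\$[^"]+)"')


def audit_config(text):
    """Return (keyword, 'reversible'|'one-way', plaintext-or-hash) per secret."""
    findings = []
    for line in text.splitlines():
        m = SECRET_RE.search(line)
        if not m:
            continue
        keyword, value = m.group(1), m.group(2)
        if value.startswith(MAGIC):
            findings.append((keyword, "reversible", decode_9(value)))
        else:
            findings.append((keyword, "one-way", value))
    return findings


# Constructed sample, not a real config: the $1$ hash is a placeholder of the
# right shape, the $9$ value is encode_9("bgp1", salt="Q", filler="zF3").
SAMPLE_CONFIG = """\
system {
    root-authentication {
        encrypted-password "$1$Zy6XbB1K$f7c3.8QWzJ2aR0bK9vLm.X"; ## SECRET-DATA
    }
}
protocols {
    bgp {
        group transit {
            authentication-key "$9$QzF33nC1IcSlMOB"; ## SECRET-DATA
        }
    }
}
"""

if __name__ == "__main__":
    for keyword, kind, value in audit_config(SAMPLE_CONFIG):
        print("%-20s %-10s %s" % (keyword, kind, value))
```

Run against a real juniper.conf.gz (after gunzip) the same loop reports every $9$ secret in clear and leaves the $1$/$5$/$6$ login hashes for offline cracking, which is the practical meaning of "no mechanism to encrypt the config": FIPS mode stops the console recovery path, not a read of the media.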


