Controlling Root Authentication

Problem

When you first installed your router, you created a password for the root user (see Recipe 1.1). With this initial configuration, anyone who knows the root password can log in to the router using Telnet. You want to make the root login more secure.

Solution

There are two solutions, depending on the desired level of security. One solution is to use SSH for the root password. You can specify the root password in plain text as you are configuring the router:

[edit] root@router1# set system root-authentication ssh $1991poppI

You can also load an SSH key file from a server:

[edit] aviva@router1# set system root-authentication load-key-file server1:/homes/aviva /.ssh/id_dsa.pub .file.19692 | 0 KB | 0.3 kB/s | ETA: 00:00:00 | 100% aviva@router1# show system { root-authentication { ssh-rsa "1024 35 9727638204084251055468226757249864241630322207404962528390382038690141584534964170019 6106083587229615634757849182736033612764418742659468932077391083448101268312595772262 5461667999278316123500438660915866283822489746732605661192181489539813965561563786211 94032768780653816960202749164163735913269396344008443 root@mynetwork.com"; # SECRET- DATA } }

The second solution for providing root authentication forces the root user to log in using the router's console port:

[edit system] aviva@router1# set services ssh root-login deny

 

Discussion

There are two schools of thought about root access to the router. One suggests using SSH for the root password because SSH is more secure than using just the password you initially configured on the router. SSH provides inband access to the router, meaning that the root user can log in from anywhere in the network, especially if the router is part of a service provider network. A second school of thought suggests disabling SSH access for root altogether, forcing the root user to log in on the router's console port. Access using the console port is assumed to be secure in that you must be on the company's internal network to even have access to the console port.

Generally, there's very little reason to provide access to the root login inband, so unless you really need this on your network, for strict security you should not provide root SSH access.

If you use SSH to authenticate the root password, you need to first enable SSH services on the router and be running SSH on your server.

This first command in this recipe sets the root's SSH password by entering it directly in plain text in the router's configuration file. When you use the show command to view the configuration, you see only an encrypted version of the password. The second command copies an SSH key file from a server. After you type the command, the contents of the key file are immediately copied into the configuration file.

Any SSH password you set is in addition to the plain-text password. You should leave a local root password on the router so you can log in using the console port.

The second command in this recipe disables SSH for the root user altogether. Anyone needing to log in to the router as root must log in through the router's console. The reason for doing this is not so much that you want the root user to come in to the router through the console, but rather that you want him to log in using an individual account and then exit to the shell and use the su command to become root only if he needs to. There are two reasons for this. First, you want to avoid habitual use of the root account. Logging in with root is like running with scissors: there are lots of ways to hurt yourself. It's much better to get in the habit of using a nonroot account and su only when required. Second, and more importantly, you want to maintain accountability. If you log in to a router, su to root, and then do something horrible, there will be an audit trail to trace the source of the problem. However, if you had logged in as root in the first place, the action wouldn't be traceable to an individual router user.

See Also

Recipe 2.3

Категории