Juniper Hash Formats
When Junos stores passwords or secret values in configuration, it does so using a variety of different hash or encryption formats.
Reversibility
Some configured secrets need to be reversible - that is, Junos needs to use the original, unencrypted value. This is the case for things like BGP MD5 keys, or keys used for IPSec tunnels.
For some other purposes though, Junos never needs the original unencrypted value - only a hash is needed. Login passwords fall into this category - it can simply hash the value a user provides, and compare it to the hashed value stored in the configuration.
Security
When storing hashed secrets, Junos can use different algorithms. Some of these (like MD5) are insecure and easily crackable. Newer versions of Junos use stronger algorithms (along with salts), which make the credentials far more time-consuming to crack.
Hash Format | Algorithm | Reversible | Usage |
---|---|---|---|
$1$ | Salted MD5 hash | No (but easily crackable) | Used for passwords. Default until Junos 12.3 |
$5$ | Salted SHA-256 hash | No | Used for passwords, from Junos 15.1 |
$6$ | Salted SHA-512 hash | No | Used for passwords, from Junos 17.2 |
$8$ | Encryption, keyed by the master password | Yes (requires the master password) | Used for secrets that Junos needs the cleartext for, e.g. IPSec keys |
$9$ | Obfuscation | Yes (trivially) | Used for secrets that Junos needs the cleartext for, e.g. IPSec keys. Trivially reversible |
More about $8$
By default, when you configure things like BGP keys in Junos, it stores them using the $9$ format listed above. This only obfuscates the secret, however. It is trivial to reverse; you can even do it from the Junos CLI with `request system decrypt password`.
There is an alternative though - if you set a “master password” in Junos, it will encrypt (not hash) the secrets. Junos itself has access to the master password, but it’s not stored in the configuration. So Junos can decrypt the encrypted $8$ secrets, but if someone just had the config, they would be unable to do so.
To set a master password in Junos, use `set system master-password plain-text-password`. Once this is done, $9$ secrets should be converted to the encrypted $8$ format.
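A reviewer checking a saved configuration for the formats in the table above wants to know which secrets are still MD5 hashes ($1$) or $9$ obfuscated values that should be converted to $8$ once a master password is set. The following audit script is an added example, not Junos or Juniper code; the sample config and every hash body in it are constructed placeholders, not real secrets.

```python
import re

# Junos secret formats by their leading "$N$" tag (as in the table above) and
# the risk a config reviewer should attach to each.
FORMAT_RISK = {
    "$1$": ("salted MD5 hash", "high: fast to crack offline"),
    "$5$": ("salted SHA-256 hash", "low"),
    "$6$": ("salted SHA-512 hash", "low"),
    "$8$": ("encrypted with master-password-derived key", "low: config alone is not enough"),
    "$9$": ("obfuscated", "critical: trivially reversible"),
}

# A quoted secret preceded by the statement keyword that carries it, e.g.
#   ... encrypted-password "$6$..."
#   ... pre-shared-key ascii-text "$9$..."
# Searching anywhere in the line covers both "display set" and hierarchical output.
SECRET_RE = re.compile(r'(?P<stmt>[\w-]+)\s+"(?P<tag>\$\d\$)[^"]*"')

def audit_config(config_text):
    """Return (line number, statement, tag, description, risk) for every secret found."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = SECRET_RE.search(line)
        if m:
            tag = m.group("tag")
            desc, risk = FORMAT_RISK.get(tag, ("unknown format", "review manually"))
            findings.append((lineno, m.group("stmt"), tag, desc, risk))
    return findings

def needs_action(findings):
    """Findings to fix: MD5 password hashes ($1$) and obfuscated secrets ($9$)."""
    return [f for f in findings if f[2] in ("$1$", "$9$")]

# Constructed sample in "show configuration | display set" form; all secret
# bodies are placeholders.
SAMPLE_CONFIG = """\
set system root-authentication encrypted-password "$1$saltsalt$PLACEHOLDER-MD5-HASH"
set system login user admin authentication encrypted-password "$6$saltsalt$PLACEHOLDER-SHA512-HASH"
set protocols bgp group ebgp-peers authentication-key "$9$PLACEHOLDER-OBFUSCATED"
set security ike policy ike-pol pre-shared-key ascii-text "$8$PLACEHOLDER-ENCRYPTED"
"""

if __name__ == "__main__":
    for lineno, stmt, tag, desc, risk in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {stmt} uses {tag} ({desc}) -> {risk}")
```

Run against the sample, it reports four secrets and flags lines 1 and 3 (the MD5 root hash and the $9$ BGP key) for action.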
Juniper’s documentation covers more about this process here.