Specifying a “proxy” user for root

If you selected Juniper as the system type and added root as the account to use with the device, you are prompted to specify whether the root user account is allowed to log on using secure shell (ssh) connections.

You can disable secure shell (ssh) connections for root on Juniper devices by running the following command:

set system services ssh root-login deny

If you have disabled secure shell (ssh) connections for root and want to manage the password for the account, you must add a user name and password for an account that can open a secure shell connection on the target system.

The account name and password you specify become a “proxy” account used in place of the root account. The account used as the “proxy” for the root account must be able to open secure shell sessions on the target system, but no other special privileges are required. After the “proxy” account opens the secure shell connection, it obtains root privileges programmatically to perform administrative tasks on the target system.

If you are adding a “proxy” account to open secure shell sessions, you also have the option to have the password for this account managed by the Privileged Access Service. If you select Manage this credential for the proxy account, only the Privileged Access Service will know the password for the account from this point on. The managed password for the “proxy” account will not be available to any other applications or users.
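Before adding the device, you can check an exported configuration to see whether a “proxy” account will be needed. The following is an added example, not part of the Privileged Access Service or Juniper tooling: it reads set-format configuration text, reports the ssh root-login setting, and lists the local login users that could be offered as the “proxy”. The host name, user names and classes in the sample are constructed, and the script does not verify that a listed user can actually open a secure shell session.

```python
import re

# Constructed sample in "display set" format (not taken from a real device).
# User names and classes are placeholders, not a recommendation.
SAMPLE_CONFIG = """\
set system host-name edge-fw-01
set system services ssh root-login deny
set system login user pas-proxy class read-only
set system login user pas-proxy authentication encrypted-password "$6$constructed"
set system login user netops class super-user
"""

ROOT_LOGIN_RE = re.compile(r"^set system services ssh root-login (\S+)\s*$")
LOGIN_USER_RE = re.compile(r"^set system login user (\S+) class (\S+)\s*$")


def audit_root_ssh(config_text):
    """Report the ssh root-login setting and the local users defined on the device."""
    root_login = None  # None: statement absent, so the release default applies
    users = {}         # user name -> login class
    for line in config_text.splitlines():
        line = line.strip()
        m = ROOT_LOGIN_RE.match(line)
        if m:
            root_login = m.group(1)
            continue
        m = LOGIN_USER_RE.match(line)
        if m:
            users[m.group(1)] = m.group(2)
    # Per the text above, a proxy account is needed once root ssh login is denied.
    proxy_required = root_login == "deny"
    return {
        "root_login": root_login,
        "proxy_required": proxy_required,
        "candidate_proxy_users": sorted(users),
        # True when root ssh is denied and no local user exists to act as proxy.
        "blocked": proxy_required and not users,
    }


if __name__ == "__main__":
    for key, value in audit_root_ssh(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Other root-login values are returned as found and are not treated as disabled, because the text above covers only the deny setting.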