6.10.1.8 Ensure Strong MACs are set for SSH

Information

SSH should be configured with strong message authentication algorithms.

Rationale:

SSH (Secure Shell) is the defacto standard protocol used for remote administration of network devices and Unix servers, providing an encrypted and authenticated alternative to Telnet. However, this ubiquity and requirement to support a wide range of clients and deployment scenarios, as well as SSH's age, mean SSH needs to support a variety of Ciphers of varying strengths.

By default, for the widest range of client compatibility, JUNOS supports SSH Message Authentication using older algorithms and methods designed with performance rather than security in mind such as HMAC-MD5 or UMAC-128.

SSH is a vital tool for administering most JUNOS devices, providing privileged access and potentially transporting sensitive information including passwords. It is recommended that SSH sessions be protected by restricting JUNOS to using stronger Message Authentication Code (MAC) methods based on the more modern SHA2 algorithm.

Solution

To remove a single insecure MAC method, issue the following command from the [edit system services ssh] hierarchy;

[edit system services ssh]
[email protected]#delete macs <mac name>

If multiple insecure MAC methods were set, it will generally be easier to delete all the MAC method restrictions with the following command:

[edit system services ssh]
[email protected]#delete macs

Once all insecure MAC methods have been removed, add one or more stronger MACS (in this example all stronger MACS available on most JUNOS devices are set in a single command)

[edit system services ssh]
[email protected]#set macs [ hmac-sha2-256 [email protected] hmac-sha2-512 [email protected] ]

Finally, single MAC methods or a smaller selection of these more secure MACs may be selected on the users discretion.

[edit system services ssh]
[email protected]#set macs <mac name>

Default Value:

For most platforms SSH access is enabled by default but macs are not restricted.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), CSCv7|11.5

Plugin: Juniper

Control ID: 69634bc125db82707d714179a54ec735a76739ed9c41f1a8937ce2580846a772