6.9.3 Ensure SSH Key Authentication is not set for Root Login

Information

SSH Key Based Authentication should not be used for Root Login

Rationale:

Due to the sensitive nature of SSH, potentially allowing full management of the targeted device, protecting SSH access using strong authentication methods is essential to the security of the device.

One method which is supported in SSH for stronger authentication is the use of Public/Private Encryption Key Pairs in place of a more traditional login prompt for a Username and Password. Instead, an administrator uploads the user's Public key to the JUNOS (or other) device to be managed.

When the user connects, they will use their Private key to encrypt some session specific data. The JUNOS device can verify the user's identity by decrypting that data using the Public key configured previously and comparing it to an expected result. If the results match, then the user must have access to the Private key, so is considered valid.

Unfortunately, using SSH Keys to authenticate User Logins to JUNOS devices introduces a number of security issues:

Public Keys may only be configured locally on each JUNOS device

Public Keys are used instead of centralized AAA using TACACS+ or RADIUS as covered in Recommendation 6.8.1 Ensure External AAA Server is set

The use of SSH Keys means only a single Authentication Factor (the keys) can be used, preventing the use of Multi Factor Authentication as covered in 6.6.14 Ensure Multi-Factor is used with External AAA

JUNOS does not provide any method to automate rollover or locking of keys. If keys are compromised/lost, they must be changed on every JUNOS device on which they are configured.

Some SSH implementations support the use of X.509 PKI Certificates for managing SSH Keys, but JUNOS does not.

Because of these limitations and the difficulty in auditing and managing SSH Keys on JUNOS devices, this method should not be used for Authentication of User logins or for the Root User, which is configured separately under the [edit system root-authentication] configuration hierarchy.

Solution

If SSH Key based Authentication is configured for the Root Authentication, remove it using the following command from the [edit system] hierarchy:

[edit system]
user@host# delete root-authentication

To set a new Root Password in plain text type:

[edit system]
user@host# set root-authentication plain-text-password

You will be prompted to enter the new Password twice and, if the Passwords match, JUNOS will add a hash of the Password to the configuration.
If you already have a hash of your Root Password (from an existing router configuration, for example), enter the following command:

[edit system]
user@host# set root-authentication encrypted-password '<hash>'

Note - Hashes use SHA1 by default, but may use other hashing mechanisms depending on the device configuration - ensure the device you are copying from is configured to use the same hashing method.
If J-Web is installed on your router, the Root Password may also be changed through the Configuration > Quick Configuration > Setup page.
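The following is an added audit example, not part of the benchmark or of any Juniper tooling. It checks a Junos configuration exported in "display set" format for SSH key statements under [edit system root-authentication] (the subject of this recommendation) and under [edit system login user <name> authentication] (the user-login case the Rationale also covers), and prints the delete commands the Solution above describes. The sample configuration, hostnames, key material and hashes are constructed placeholders; the key statement names (ssh-rsa, ssh-dsa, ssh-ecdsa, ssh-ed25519) are the Junos CLI keywords. Removing the whole root-authentication hierarchy also removes the root password hash, so a new Root Password must be set immediately afterwards as the Solution shows.

```python
import re
from dataclasses import dataclass
from typing import List

# "set system root-authentication <key-type> "<key ...>""
ROOT_KEY_RE = re.compile(
    r'^set system root-authentication (ssh-(?:rsa|dsa|ecdsa|ed25519))\s+"?([^"\n]*)"?'
)
# "set system login user <name> authentication <key-type> "<key ...>""
USER_KEY_RE = re.compile(
    r'^set system login user (\S+) authentication (ssh-(?:rsa|dsa|ecdsa|ed25519))\s+"?([^"\n]*)"?'
)


@dataclass
class Finding:
    scope: str      # "root" or "user:<login name>"
    key_type: str   # Junos statement name, e.g. "ssh-rsa"
    comment: str    # trailing comment from the public key line, if any


def _key_comment(key_value: str) -> str:
    # A public key line is "<type> <base64> [comment]"; the comment often
    # identifies the workstation or person holding the private key.
    parts = key_value.split()
    return " ".join(parts[2:]) if len(parts) > 2 else ""


def find_ssh_key_auth(config_text: str) -> List[Finding]:
    """Return every SSH key authentication statement for root or a login user."""
    findings: List[Finding] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ROOT_KEY_RE.match(line)
        if m:
            findings.append(Finding("root", m.group(1), _key_comment(m.group(2))))
            continue
        m = USER_KEY_RE.match(line)
        if m:
            findings.append(Finding(f"user:{m.group(1)}", m.group(2), _key_comment(m.group(3))))
    return findings


def root_key_auth_configured(config_text: str) -> bool:
    """True when the device fails this recommendation (root has an SSH key)."""
    return any(f.scope == "root" for f in find_ssh_key_auth(config_text))


def remediation_commands(findings: List[Finding]) -> List[str]:
    """Top-level configuration-mode commands that remove the offending statements."""
    cmds: List[str] = []
    for f in findings:
        if f.scope == "root":
            # Same as "delete root-authentication" from [edit system]; the root
            # password must be re-set afterwards (see the Solution text).
            cmd = "delete system root-authentication"
        else:
            name = f.scope.split(":", 1)[1]
            cmd = f"delete system login user {name} authentication {f.key_type}"
        if cmd not in cmds:
            cmds.append(cmd)
    return cmds


# Constructed sample export ("show configuration | display set"); all values are placeholders.
SAMPLE_CONFIG = """\
set system host-name lab-router
set system root-authentication encrypted-password "$6$PLACEHOLDERHASH"
set system root-authentication ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPLACEHOLDER root@admin-ws"
set system login user netops class super-user
set system login user netops authentication ssh-ed25519 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER netops@admin-ws"
set system login user auditor class read-only
set system login user auditor authentication encrypted-password "$6$PLACEHOLDERHASH2"
set system services ssh root-login deny
"""

if __name__ == "__main__":
    found = find_ssh_key_auth(SAMPLE_CONFIG)
    for f in found:
        print(f"{f.scope}: {f.key_type} key ({f.comment or 'no comment'})")
    print("6.9.3 status:", "FAIL" if root_key_auth_configured(SAMPLE_CONFIG) else "PASS")
    for cmd in remediation_commands(found):
        print("  ", cmd)
```

Run it against a real export by reading the file into find_ssh_key_auth; a clean device returns no root finding and the status prints PASS. The audit also lists user-level keys because the Rationale recommends against them for the same reasons (local-only configuration, no central AAA or MFA, no automated rollover), even though this recommendation's pass/fail verdict is decided only by the root-authentication hierarchy.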

Default Value:

The Root account does not have any authentication set by default, but at least one root-authentication method must be configured during initial configuration before JUNOS will allow the configuration to be committed.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

References: 800-53|AC-2, 800-53|IA-2, 800-53|IA-2(1), CSCv7|4, CSCv7|11.5, CSCv7|16.2

Plugin: Juniper

Control ID: eb42e1e6ff55d40d72ef3b39ad0d137f55c56782b6087b66d3dbb6f5bc7bafad