6.9.3 Ensure SSH Key Authentication is not set for Root Login

Information

SSH Key Based Authentication should not be used for Root Login

Rationale:

Due to the sensitive nature of SSH, potentially allowing full management of the targeted device, protecting SSH access using strong authentication methods is essential to the security of the device.

One method which is supported in SSH for stronger authentication is the use of Public/Private Encryption Key Pairs in place of a more traditional login prompt for a Username and Password. Instead, an administrator uploads the user's Public key to the JUNOS (or other) device to be managed.

When the user connects, they will use their Private key to encrypt some session specific data. The JUNOS device can verify the Users identity by decrypting that data using the Public key configured previously and comparing it to an expected result. If the results match, then the user must have access to the Private key, so is considered valid.

Unfortunately using SSH Keys to authenticate User Logins to JUNOS devices introduce a number of security issues:

Public Keys may only be configured locally on each JUNOS device

Public Keys are used instead of centralized AAA using TACACS+ or RADIUS as covered in Recommendation 6.8.1 Ensure External AAA Server is set

The use of SSH Keys means only a single Authentication Factor (the keys) can be used, preventing the use of Multi Factor Authentication as covered in 6.6.14 Ensure Multi-Factor is used with External AAA

JUNOS does not provide any method to automate rollover or locking of keys. If keys are compromised/lost, they must be changed on every JUNOS device on which they are configured.

Some SSH implementation support the use of X.509 PKI Certificates for managing SSH Keys, but JUNOS does not.

Because of these limitations and the difficulty in auditing and managing SSH Keys on JUNOS devices, this method should not be used for Authentication of User logins or for the Root User, which is configured separately under the [edit system root-authentication] configuration hierarchy.

Solution

If SSH Key based Authentication is configured for the Root Authentication, remove it using the following command from the [edit system] hierarchy:

[edit system]
[email protected]# delete root-authentication

To set a new Root Password in plain text type:

[edit system]
[email protected]#set root-authentication plain-text-password

You will be prompted to enter the new Password twice and, if the Passwords match, JUNOS will add a hash of the Password to the configuration.
If you already have a hash of your Root Password (from an existing router configuration, for example), enter the following command:

[edit system]
[email protected]#set root-authentication encrypted-password '<hash>'

Note - Hashes use SHA1 by default, but may use other hashing mechanisms depending on the device configuration - ensure the device you are copying from is configured to use the same hashing method.
If JWEB is installed on your router, the Root Password may also be changed through the Configuration > Quick Configuration > Setup page.

Default Value:

The Root account does not have any authentication set by default, but at least one root-authentication method must be configured during initial configuration before JUNOS will allow the configuration to be committed.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

References: 800-53|AC-2, 800-53|IA-2, 800-53|IA-2(1), CSCv7|4, CSCv7|11.5, CSCv7|16.2

Plugin: Juniper

Control ID: eb42e1e6ff55d40d72ef3b39ad0d137f55c56782b6087b66d3dbb6f5bc7bafad