6.10.1.11 Ensure Strong Key Signing Algorithms are set for SSH

Information

SSH should be configured with strong key signing algorithms

Rationale:

SSH (Secure Shell) is the de facto standard protocol for remote administration of network devices and Unix servers, providing an encrypted and authenticated alternative to Telnet. However, this ubiquity, the requirement to support a wide range of clients and deployment scenarios, and SSH's age mean that SSH must support a variety of algorithms of varying strengths.

By default, for the widest range of client compatibility, JUNOS permits SSH host key signing methods based on older algorithms, such as 1024 bit DSA keys.

SSH is a vital tool for administering most JUNOS devices, providing privileged access and potentially transporting sensitive information, including passwords. It is recommended that SSH sessions be protected by restricting JUNOS to stronger key signing methods based on RSA or Elliptic Curve algorithms, while weaker signing methods are explicitly disabled.

Solution

To explicitly disable DSA signatures, type the following command at the [edit system services ssh] hierarchy:

[edit system services ssh]
user@host# set hostkey-algorithm no-ssh-dss

Enable one or more stronger host key algorithms using the following commands:

[edit system services ssh]
user@host# set hostkey-algorithm ssh-ecdsa
user@host# set hostkey-algorithm ssh-ed25519
user@host# set hostkey-algorithm ssh-rsa

Default Value:

For most platforms, SSH-ECDSA, SSH-ED25519, SSH-DSS (1024 bit DSA keys) and SSH-RSA are permitted by default.

SSH-DSS is not supported on JUNOS in FIPS mode, so it cannot be enabled in FIPS mode.
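The following is an added audit example, not part of this benchmark item or of any Juniper tooling. It reads `set`-style configuration lines (as produced by `show configuration | display set`), applies the default host key algorithm list stated above, honours `hostkey-algorithm <algo>` and `hostkey-algorithm no-<algo>` statements, and reports whether the control is met. The two sample configurations, the `ssh_hostkey_audit` function name and the assumption that an explicit `no-` statement removes an algorithm while an explicit positive statement adds it are constructed for this example.

```python
"""Audit a Junos SSH configuration (display-set format) for weak host key algorithms.

Added example: constructed for this benchmark item, not Juniper code.
"""
import re

# Default permitted host key algorithms as stated in the benchmark's "Default Value" text.
DEFAULT_PERMITTED = {"ssh-ecdsa", "ssh-ed25519", "ssh-dss", "ssh-rsa"}

# Algorithms this control treats as weak (1024 bit DSA keys).
WEAK_ALGORITHMS = {"ssh-dss"}

# Matches both "hostkey-algorithm ssh-rsa" and "hostkey-algorithm no-ssh-dss".
HOSTKEY_RE = re.compile(
    r"^set system services ssh hostkey-algorithm (?P<negate>no-)?(?P<algo>ssh-[a-z0-9]+)$"
)


def effective_hostkey_algorithms(config_lines):
    """Return the set of host key algorithms left enabled after applying the config.

    Assumption (constructed for this example): every algorithm in DEFAULT_PERMITTED is
    enabled until a "no-<algo>" statement disables it; a positive statement re-enables it.
    """
    permitted = set(DEFAULT_PERMITTED)
    for raw in config_lines:
        match = HOSTKEY_RE.match(raw.strip())
        if not match:
            continue  # unrelated statement (ciphers, root-login, etc.)
        algo = match.group("algo")
        if match.group("negate"):
            permitted.discard(algo)
        else:
            permitted.add(algo)
    return permitted


def ssh_hostkey_audit(config_lines):
    """Evaluate the control: no weak algorithm enabled and at least one strong one present."""
    permitted = effective_hostkey_algorithms(config_lines)
    weak_enabled = sorted(permitted & WEAK_ALGORITHMS)
    strong_enabled = sorted(permitted - WEAK_ALGORITHMS)
    return {
        "compliant": not weak_enabled and bool(strong_enabled),
        "weak_enabled": weak_enabled,
        "strong_enabled": strong_enabled,
    }


# Constructed sample: SSH hardened in other ways but host key algorithms left at default.
SAMPLE_DEFAULT_CONFIG = [
    "set system services ssh root-login deny",
    "set system services ssh protocol-version v2",
]

# Constructed sample: the remediation from the Solution section applied.
SAMPLE_REMEDIATED_CONFIG = [
    "set system services ssh root-login deny",
    "set system services ssh protocol-version v2",
    "set system services ssh hostkey-algorithm no-ssh-dss",
    "set system services ssh hostkey-algorithm ssh-ecdsa",
    "set system services ssh hostkey-algorithm ssh-ed25519",
    "set system services ssh hostkey-algorithm ssh-rsa",
]


if __name__ == "__main__":
    for name, cfg in (("default", SAMPLE_DEFAULT_CONFIG),
                      ("remediated", SAMPLE_REMEDIATED_CONFIG)):
        result = ssh_hostkey_audit(cfg)
        status = "PASS" if result["compliant"] else "FAIL"
        print(f"{name}: {status} weak={result['weak_enabled']} strong={result['strong_enabled']}")
```

The default configuration fails because `ssh-dss` is still implicitly permitted; the remediated one passes. Feed the script the real `display set` output of a device, and treat a FAIL on a FIPS-mode device as a parsing question rather than a finding, since SSH-DSS cannot be enabled there at all.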

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), CSCv7|11.5

Plugin: Juniper

Control ID: 03c929c7d71184af0f3668585c8eb54666e2657bd0851328f1298a1215f337fe