6.6.12 Ensure SHA512 is used to hash local passwords

Information

Passwords should be hashed with a strong hashing algorithm.

Rationale:

Passwords for locally configured users are stored in the JUNOS configuration file.

By applying a hashing algorithm to the password before storing it, JUNOS limits an attacker's ability to gain passwords from configuration backups or to escalate privileges when using a different account through the CLI.

JUNOS hashes local passwords using MD5, or SHA1 for FIPS mode devices, by default. However, both are older algorithms and are widely considered to be weak for this type of usage.

The newer SHA-2 algorithm should be used with a 512bit digest wherever possible, however, some older but still supported JUNOS devices do not support this (see notes for more details).

Solution

Confirm that your device supports SHA-2 with 512bit hashes by issuing the following command from the [edit system login] hierarchy:

[edit system login]
user@host#set password format ?

The system should provide a range of options, such as in the example below which is for a system which does support SHA512:

[edit system login]
user@host# set password format ?
Possible completions:
md5 Message Digest 5
sha1 Secure Hash Algorithm 1
sha256 Secure Hash Algorithm 256 ($5$)
sha512 Secure Hash Algorithm 512 ($6$)
[edit system login]

Configure password hashing using the following command under the [edit system login] hierarchy:

[edit system login]
user@host#set login password format sha512

For systems which do not support SHA-2 with 512bit hashes, configure SHA-1 using the following command under the [edit system login] hierarchy:

[edit system login]
user@host#set login password format sha1

NOTE - SHA1 hashing should only be configured on systems which do not support SHA512.

Default Value:

For routers running JUNOS the default format is MD5. For routers running JUNOS FIPS the default is SHA1.

Additional Information:

Some currently supported platforms running the JTAC recommended release, such as some older SRX Branch devices (SRX100, 200, etc), do not support the SHA256 or SHA512 options.

If your JUNOS device does not support SHA512 or SHA256, the older SHA1 format should be used as a minimum.

For organizations with particular security concerns or where SHA1 does not meet regulatory/company policy requirements; it is recommended that you consider replacing these devices with newer equivalents which do support the stronger hashing algorithms, for example replacing an SRX200 with an SRX300 model.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, 800-53|IA-5(1), CSCv7|16.4

Plugin: Juniper

Control ID: d52c0068620e6dcaca1de6f0420dbb3fa7f77ec32c12fd1e379a0ad1946791e3