6.10.1.6 Ensure Strong Ciphers are set for SSH

Information

SSH should be configured with strong ciphers

Rationale:

SSH (Secure Shell) is the defacto standard protocol used for remote administration of network devices and Unix servers, providing an encrypted and authenticated alternative to Telnet. However, this ubiquity and requirement to support a wide range of clients and deployment scenarios, as well as SSH's age, mean SSH needs to support a variety of Ciphers of varying strengths.

By default, for the widest range of client compatibility, JUNOS supports SSH Ciphers using older Encryption Algorithms such as Blowfish or RC4 which are no longer considered suitable for use to protect sensitive services like SSH.

SSH is a vital tool for administering most JUNOS devices, providing privileged access and potentially transporting sensitive information including passwords. It is recommended that SSH sessions be protected by restricting JUNOS to using stronger Ciphers based on 3DES and AES only.

Solution

To remove a single insecure cipher, issue the following command from the [edit system services ssh] hierarchy;

[edit system services ssh]
user@host#delete ciphers <cipher suite name>

If multiple insecure Ciphers were set, it will generally be easier to delete all the Cipher restrictions with the following command:

[edit system services ssh]
user@host#delete ciphers

Once all insecure Ciphers have been removed, add one or more stronger Ciphers (in this example all stronger Ciphers available on most JUNOS devices are set in a single command)

[edit system services ssh]
user@host#set ciphers [ 3des-cbc aes128-cbc aes128-ctr [email protected] aes192-cbc aes192-ctr aes256-cbc aes256-ctr [email protected] ]

Note - note all of the Ciphers in the example above are supported on all JUNOS devices.
In many cases the GCM mode AES ciphers may be unavailable, a shorter list of Ciphers may be set with the following command for these systems:

[edit system services ssh]
user@host#set ciphers [ 3des-cbc aes128-cbc aes128-ctr aes192-cbc aes192-ctr aes256-cbc aes256-ctr ]

Finally, single Ciphers or a smaller selection of these more secure Ciphers may be selected on the user's discretion.

[edit system services ssh]
user@host#set ciphers <cipher suite name>

Default Value:

For most platforms SSH access is enabled by default but ciphers are not restricted.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), CSCv7|11.5

Plugin: Juniper

Control ID: 704216a0bc557c4b52d567b3f8c58c42f180615590bc4815b49974552399b017