6. System
6.10 Root-Authentication
The Root account provides full access to the Juniper router and to the underlying BSD OS. An attacker gaining access to this user account would gain complete control of the
130 | P a g e
6.10.1 Require Root Password (Level 1, Scorable)
Description:
A Root Password should be set for the system. Passwords are stored automatically by JUNOS as a SHA1 hash in the configuration under the [edit system root-authentication] hierarchy.
Rationale:
Access to the Root user account should be restricted by setting a strong password, which is stored encrypted in the configuration file to prevent it from being revealed through backups or other sources.
Remediation:
Users will generally be prompted to set the Root password during initial setup of the router; however, a password may also be set from the CLI using either of the two methods below, from the [edit system] hierarchy:
To enter a new Root Password in plain text, type:
[edit system]
user@host# set root-authentication plain-text-password
You will be prompted to enter the new Password twice and, if the Passwords match, JUNOS will add a SHA1 hash of the Password to the configuration.
If you already have a SHA1 hash of your Root Password (from an existing router configuration, for example), enter the following command:
[edit system]
user@host# set root-authentication encrypted-password "<SHA1 hash>"
If JWEB is installed on your router, the Root Password may also be changed through the Configuration > Quick Configuration > Setup page.
Audit:
From the command prompt, execute the following command:
[edit]
user@host# show system root-authentication
encrypted-password "<encrypted password>";
Default Value:
None.
References:
None.
6.10.2 Require Complex Root Password (Level 1, Not Scorable)
Description:
A Complex Root Password should be set for the system.
Rationale:
Because of the importance of the Root user account, a complex password should be employed to help prevent attackers from using ‘brute force’ or ‘dictionary’ attacks to gain full control of the router.
Passwords are stored, automatically by JUNOS, as a SHA1 hash in the configuration under the [edit system root-authentication] hierarchy.
A complex password should be employed which meets or exceeds the following requirements:
- Does not contain dictionary words, names, dates, phone numbers or addresses.
- Is at least 8 characters in length.
- Contains at least one each of upper and lower case letters, numbers and special characters.
- Avoids more than 4 digits or same-case letters in a row.
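Because the stored SHA1 hash does not reveal anything about the password that produced it, the requirements above have to be checked on the candidate password before it is entered with plain-text-password. The Python script below is an added example, not part of this benchmark or of JUNOS; the function name check_root_password and the small DICTIONARY word list are constructed for illustration (a real check would load a full word list plus names, dates and phone numbers, which the list here only stands in for).

```python
import re

# Constructed stand-in for a real word list; names, dates, phone numbers and
# other guessable strings would be added to it in practice.
DICTIONARY = {"password", "juniper", "router", "admin", "secret", "welcome"}

MIN_LENGTH = 8   # "at least 8 characters in length"
MAX_RUN = 4      # "avoids more than 4 digits or same-case letters in a row"

# Each character class the password must contain at least once.
CLASS_RULES = (
    ("no upper-case letter", r"[A-Z]"),
    ("no lower-case letter", r"[a-z]"),
    ("no digit", r"[0-9]"),
    ("no special character", r"[^A-Za-z0-9]"),
)

# Character classes whose consecutive runs are limited to MAX_RUN.
RUN_RULES = (
    ("digits", r"[0-9]"),
    ("upper-case letters", r"[A-Z]"),
    ("lower-case letters", r"[a-z]"),
)


def check_root_password(candidate, dictionary=DICTIONARY):
    """Return the list of rules the candidate breaks; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for message, pattern in CLASS_RULES:
        if not re.search(pattern, candidate):
            problems.append(message)
    for label, cls in RUN_RULES:
        # MAX_RUN + 1 consecutive characters of one class is one too many.
        if re.search(cls + "{%d,}" % (MAX_RUN + 1), candidate):
            problems.append(f"more than {MAX_RUN} {label} in a row")
    # Case-insensitive substring match, so "Password1!" is still caught.
    lowered = candidate.lower()
    for word in sorted(dictionary):
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    return problems


if __name__ == "__main__":
    # Constructed candidates showing a failing, a passing and a run-rule case.
    for pw in ("Password1!", "Tr0ub4dor&3", "ABCDEfg1!"):
        verdict = check_root_password(pw)
        print(pw, "->", "OK" if not verdict else "; ".join(verdict))
```

The run check uses MAX_RUN + 1 repetitions so that exactly four digits or same-case letters in a row is still allowed, matching the wording of the rule.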
Remediation:
Users will generally be prompted to set the Root password during initial setup of the router; however, a password may also be set from the CLI using either of the two methods below, from the [edit system] hierarchy:
To enter a new Root Password in plain text, type:
[edit system]
user@host# set root-authentication plain-text-password
You will be prompted to enter the new Password twice and, if the Passwords match, JUNOS will add a SHA1 hash of the Password to the configuration.
If you already have a SHA1 hash of your Root Password (from an existing router configuration, for example), enter the following command:
[edit system]
user@host# set root-authentication encrypted-password "<SHA1 hash>"
If JWEB is installed on your router, the Root Password may also be changed through the Configuration > Quick Configuration > Setup page.
Audit:
Because all Root Passwords are automatically stored by JUNOS as a SHA1 hash, which will always be 160 bits long, it is not possible to confirm the complexity and length of the password used from the command line; therefore this is not a scorable item.
Default Value:
None.
References:
1. Router Security Configuration Guide, Version 1.1b, Page 62, National Security Agency (NSA)
2. Payment Card Industry Data Security Standard (PCI DSS), Version 1.2, Requirement 8.5.10 and 8.5.11
6.10.3 Require Unique Root Password (Level 1, Not Scorable)
Description:
The Root Password should be unique on the system.
Rationale:
Due to the rights associated with the Root user account it must be protected at all costs to prevent malicious users taking ownership of the router.
Using the same or similar password for the Root User as is used, for example, to access the router's Console or Diagnostic ports presents a number of risks.
A user who is authorized to know one of these lesser passwords could abuse this knowledge to log in as Root, effectively performing a Vertical Escalation of Privileges attack. Further risks are presented by the weaker hashing algorithm used to protect other system passwords. Most of these utilize MD5, a demonstrably less secure algorithm than the SHA1 used for the Root password. Theoretically an attacker could exploit the weaker hashing used on these lesser system passwords to recover the Root password, although this would still be difficult.
Finally, the Root password should not be reused on other systems, including other routers, and should be stored securely. If the Root Password were the same across all of the routers and other systems in your network, the compromise of one host could result in the
Remediation:
Users will generally be prompted to set the Root password during initial setup of the router; however, a password may also be set from the CLI using either of the two methods below, from the [edit system] hierarchy:
To enter a new Root Password in plain text, type:
[edit system]
user@host# set root-authentication plain-text-password
You will be prompted to enter the new Password twice and, if the Passwords match, JUNOS will add a SHA1 hash of the Password to the configuration.
If you already have a SHA1 hash of your Root Password (from an existing router configuration, for example), enter the following command:
[edit system]
user@host# set root-authentication encrypted-password "<SHA1 hash>"
If JWEB is installed on your router, the Root Password may also be changed through the Configuration > Quick Configuration > Setup page.
Audit:
Because all Root Passwords are automatically stored by JUNOS as a SHA1 hash, which will always be 160 bits long, it is not possible to confirm the uniqueness of the Root Password from the hash alone.
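Although the hash does not reveal the password, two checks can still be automated over saved configurations: the 6.10.1 Audit (is an encrypted-password set under root-authentication, and is it the SHA1 form rather than MD5) and a partial 6.10.3 check (an identical encrypted-password string on two routers means the same salted hash, and so the same password, was copied between them with set root-authentication encrypted-password). The Python script below is an added example serving both items; it is not part of this benchmark or of JUNOS. The SAMPLE_CONFIGS for routers r1 to r4 and their hash strings are constructed placeholders, the function names root_hash, hash_family and audit_fleet are hypothetical, and the prefix-to-family mapping in HASH_FAMILY is an assumption about crypt-style prefixes ($1$ for MD5-crypt, $sha1$ for the SHA1 form).

```python
import re
from collections import defaultdict

# Constructed sample configurations for four hypothetical routers. The hash
# strings are placeholders in crypt-style notation, not real JUNOS output.
SAMPLE_CONFIGS = {
    "r1": """system {
    host-name r1;
    root-authentication {
        encrypted-password "$sha1$19797$SALTAAAA$HASHAAAAAAAAAAAAAAAAAAAA"; ## SECRET-DATA
    }
}""",
    # Same string as r1: the hash was pasted in with `set ... encrypted-password`.
    "r2": """system {
    host-name r2;
    root-authentication {
        encrypted-password "$sha1$19797$SALTAAAA$HASHAAAAAAAAAAAAAAAAAAAA"; ## SECRET-DATA
    }
}""",
    "r3": """system {
    host-name r3;
    root-authentication {
        encrypted-password "$1$SALTBBBB$HASHBBBBBBBBBBBBBBBBBB"; ## SECRET-DATA
    }
}""",
    "r4": """system {
    host-name r4;
    services {
        ssh;
    }
}""",
}

ROOT_BLOCK = re.compile(r"root-authentication\s*\{([^}]*)\}")
ENC_PW = re.compile(r'encrypted-password\s+"([^"]*)"')

# Assumed mapping from crypt-style prefix to hash family ($1$ is the MD5-crypt
# prefix; $sha1$ is the SHA1 form the benchmark expects for root).
HASH_FAMILY = {"$1$": "MD5", "$sha1$": "SHA1"}


def root_hash(config_text):
    """Return the root encrypted-password string, or None if none is set.

    Accepts a full configuration (root-authentication { ... } block) or the
    bare output of `show system root-authentication` from the Audit step.
    """
    block = ROOT_BLOCK.search(config_text)
    if block:
        scope = block.group(1)
    elif "{" in config_text:
        # Structured config with no root-authentication block at all; do not
        # fall back to scanning, or another user's password would be picked up.
        return None
    else:
        scope = config_text
    match = ENC_PW.search(scope)
    return match.group(1) if match and match.group(1) else None


def hash_family(hash_string):
    """Classify a hash by its prefix using the assumed HASH_FAMILY table."""
    for prefix, family in HASH_FAMILY.items():
        if hash_string.startswith(prefix):
            return family
    return "unknown"


def audit_fleet(configs):
    """Return (device, item, message) findings for 6.10.1 and 6.10.3."""
    findings = []
    seen = defaultdict(list)   # hash string -> devices that carry it
    for device, text in sorted(configs.items()):
        h = root_hash(text)
        if h is None:
            findings.append((device, "6.10.1", "no root encrypted-password configured"))
            continue
        family = hash_family(h)
        if family != "SHA1":
            findings.append((device, "6.10.1", f"root hash uses {family}, not SHA1"))
        seen[h].append(device)
    # The same salted-hash string on two devices means the same password (and
    # salt) was copied between them: a 6.10.3 reuse finding for each device.
    for devices in seen.values():
        if len(devices) > 1:
            for device in devices:
                others = ", ".join(d for d in devices if d != device)
                findings.append((device, "6.10.3", "root hash identical to " + others))
    return findings


if __name__ == "__main__":
    for device, item, message in audit_fleet(SAMPLE_CONFIGS):
        print(f"{device}: {item} {message}")
```

Different hash strings on two routers do not prove the passwords differ, since each password is salted before hashing; this check only catches the copied-hash case, which is why 6.10.3 remains not scorable.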
Default Value:
None.
References:
1. http://en.wikipedia.org/wiki/Privilege_escalation