Title

The Juniper EX switch must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. (Cat II impact)

Discussion

Authentication for administrative (privileged level) access to the device is required at all times. An account is created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort since it is intended to be used as a last resort and when immediate administrative access is absolutely necessary. The account of last resort logon credentials must be stored in a sealed envelope and kept in a safe. The safe must be periodically audited to verify the envelope remains sealed. The signature of the auditor and the date of the audit must be added to the envelope as a record. Administrators must secure the credentials and disable access to the root account (if possible) when not needed for system administration functions. Junos does not have default passwords, and the root account cannot be renamed or disabled. The root account password must be saved in the same manner as the account of last resort.

Check Content

1. Review the Juniper EX configuration to determine if an account of last resort is configured. 2. Verify the username and password for the root account, and the account of last resort is contained within sealed envelopes and kept in a safe. Junos categorizes user accounts as "local" or "template", with the difference being the presence of an authentication stanza. Accounts with an authentication stanza are local because the administrator can log in without the need for an external AAA service. Accounts without an authentication stanza are templates that require external authentication. Verify only authorized account(s) have an authentication stanza. user@host> show configuration system login ... user <name> { ... <<< No authentication stanza for externally authenticated accounts } user <account of last resort username> { ... authentication { encrypted-password <password hash>; } } The authentication order must be configured to prefer external AAA, and "password" authentication can be omitted if required. If "password" is present, Junos will attempt password authentication upon external AAA authentication failure. This feature is useful if the account of last resort is required while external AAA remains reachable but is misconfigured and prevents successful logon. If "password" is not present, Junos will not fail over to local authentication unless there is a loss of connectivity with the external AAA service (e.g., timeout). Verify the authentication order prefers external AAA (first in the order). user@host> show configuration system authentication-order authentication-order [ <external AAA> password ] --or-- authentication-order <external AAA>; Verify that direct root logon is disabled. user@host> show configuration system services ssh <<< missing root-login directive inherits the default 'deny' protocol-version v2; ...<snip>... --or-- root-login deny; ...<snip>... If one local account does not exist for use as the account of last resort, this is a finding.

Fix Text

Configure the Juniper EX to only allow one local account for use as the account of last resort. 1. Enter configuration mode. 2. Configure the authorized account with an authentication stanza. 3. Configure the authentication order to prefer external AAA. 4. Configure SSH to deny root login. 5. Commit the configuration. user@host> configure user@host# set system login user <account of last resort username> authentication plain-text-password New password: <PW not echoed to screen> Retype new password: <PW confirmation not echoed to screen> user@host# delete system login user <not account of last resort username> authentication user@host# delete system services ssh root-login --or-- user@host# set system services ssh root-login deny user@host# set system authentication-order [ <external AAA> password ] --or-- user@host# set system authentication-order <external AAA> user@host# commit

Additional Identifiers

Rule ID: SV-253901r1082953_rule

Vulnerability ID: V-253901

Group Title: SRG-APP-000148-NDM-000346

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.