Details
A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack.
An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.
Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS-Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.
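The nonce-based challenge-response pattern described above, shown as an added example that is not part of this control's text or of any Juniper code. The shared key and the 30-second challenge lifetime are assumptions for the illustration; the point is that every challenge is random and single-use, so a recorded (nonce, response) pair verifies once and is rejected on any later replay.

```python
import hashlib
import hmac
import secrets
import time

# Constructed shared secret for the example only; a real deployment provisions keys out of band.
SHARED_KEY = b"example-shared-secret-not-for-production"


class ChallengeResponseServer:
    """Verifier side of a nonce-based challenge-response exchange (added example)."""

    def __init__(self, key: bytes, ttl_seconds: float = 30.0):
        self._key = key
        self._ttl = ttl_seconds  # assumed challenge lifetime
        # Outstanding challenges: nonce -> issue time. A nonce is removed when it is
        # used or expired, so a captured response cannot be replayed later.
        self._pending = {}

    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh, unpredictable, one-time value
        self._pending[nonce] = time.monotonic()
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # Consume the nonce whether or not the response verifies: single use.
        issued = self._pending.pop(nonce, None)
        if issued is None:
            return False  # unknown or already-used challenge: replay or forgery
        if time.monotonic() - issued > self._ttl:
            return False  # stale challenge
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(key: bytes, nonce: bytes) -> bytes:
    """Authenticator side: prove possession of the key over the server's nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def simulate(key: bytes = SHARED_KEY) -> dict:
    """Run one legitimate login, then two replay attempts with the captured response."""
    server = ChallengeResponseServer(key)
    nonce = server.issue_challenge()
    response = client_respond(key, nonce)
    first = server.verify(nonce, response)   # legitimate authentication succeeds
    replay = server.verify(nonce, response)  # same pair again: nonce already consumed
    # A fresh challenge expects a different response, so the captured one is useless.
    nonce2 = server.issue_challenge()
    cross = server.verify(nonce2, response)
    return {"first": first, "replay": replay, "cross": cross}


if __name__ == "__main__":
    print(simulate())
```

The server consumes the nonce before comparing the response, so even a failed attempt cannot be retried against the same challenge; `hmac.compare_digest` keeps the comparison constant-time.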
Solution
Configure SSH to use FIPS 140-2 compliant HMACs, as shown in the example below.
[edit system services]
set ssh protocol-version v2
set ssh macs [hmac-sha2-256 hmac-sha2-512]
Note: Configuring an allowed list restricts the server and client to negotiating only those algorithms. If a peer tries to negotiate an algorithm that is not on the allowed list, the request is rejected and the session is not established.
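A compliance check for this solution, added here as an example and not part of the control or of any Juniper or Tenable tooling. It parses Junos configuration in `set` form, accepting both the bracketed `[edit system services]` layout used above and the one-value-per-line output of `show configuration | display set`, and reports any deviation from protocol version 2 and the two FIPS 140-2 HMACs. The sample configurations are constructed for the example; the `hmac-md5` entry in the non-compliant sample stands in for any MAC outside the allowed list.

```python
import re

# FIPS 140-2 compliant HMACs named by the control's solution.
FIPS_ALLOWED_MACS = {"hmac-sha2-256", "hmac-sha2-512"}

# Constructed samples (not taken from a real device).
SAMPLE_PAGE_FORM = """\
[edit system services]
set ssh protocol-version v2
set ssh macs [hmac-sha2-256 hmac-sha2-512]
"""

SAMPLE_DISPLAY_SET = """\
set system services ssh protocol-version v2
set system services ssh macs hmac-sha2-256
set system services ssh macs hmac-sha2-512
"""

SAMPLE_NONCOMPLIANT = """\
set system services ssh protocol-version v2
set system services ssh macs [ hmac-sha2-256 hmac-md5 ]
"""

SAMPLE_MISSING = """\
set system services ssh root-login deny
"""


def parse_ssh_settings(config_text: str) -> dict:
    """Collect 'system services ssh <leaf> <values...>' statements into leaf -> [values].

    Handles an '[edit ...]' hierarchy prefix, bracketed value lists, and repeated
    'set' lines for the same leaf (merged in order).
    """
    settings = {}
    prefix = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"\[edit (.*)\]", line)
        if m:
            prefix = m.group(1).split()  # subsequent set lines are relative to this path
            continue
        if not line.startswith("set "):
            continue
        tokens = ["set"] + prefix + line.replace("[", " ").replace("]", " ").split()[1:]
        # tokens: set system services ssh <leaf> <value> ...
        if tokens[1:4] != ["system", "services", "ssh"] or len(tokens) < 5:
            continue
        settings.setdefault(tokens[4], []).extend(tokens[5:])
    return settings


def check_ssh_replay_control(config_text: str) -> list:
    """Return a list of findings; an empty list means the configuration satisfies the control."""
    s = parse_ssh_settings(config_text)
    findings = []
    if s.get("protocol-version") != ["v2"]:
        findings.append("ssh protocol-version is not restricted to v2")
    macs = s.get("macs", [])
    if not macs:
        findings.append("ssh macs not configured; the platform default MAC list is in effect")
    else:
        disallowed = sorted(set(macs) - FIPS_ALLOWED_MACS)
        if disallowed:
            findings.append("non-FIPS MACs configured: " + ", ".join(disallowed))
    return findings


if __name__ == "__main__":
    for name, cfg in [("page form", SAMPLE_PAGE_FORM), ("display set", SAMPLE_DISPLAY_SET),
                      ("non-compliant", SAMPLE_NONCOMPLIANT), ("missing", SAMPLE_MISSING)]:
        print(name, "->", check_ssh_replay_control(cfg) or "compliant")
```

Feed it the text of `show configuration | display set` from the device; an empty result means the MAC allowed list and protocol version match the solution above, and any finding names the exact algorithm or statement to correct.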
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication. This control applies to the following type of system: Juniper.
References
- 800-53|IA-2(8)
- CAT|II
- CCI|CCI-001941
- Rule-ID|SV-101229r1_rule
- STIG-ID|JUNI-ND-000530
- Vuln-ID|V-91129