nanog mailing list archives
Re: TACACS+ server recommendations?
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Wed, 20 Sep 2023 22:07:42 -0400
On Wed, Sep 20, 2023 at 1:22 PM Jim <mysidia () gmail com> wrote:
> Router operating systems still typically use only passwords with SSH, then those devices send the passwords over that insecure channel. I have yet to see much in terms of routers capable to Tacacs+ Authorize users based on users' openSSH certificate, Public key id, or ed25519-sk security key id, etc.

There is active work with vendors (3 or 4 of the folk you may even use?) to support ssh with ssh-certificates, I believe this mostly works today, though configuring it and distributing your ssh-ca-cert may be fun...

There are also fairly clear paths to get ssh-keys (rsa, ecdsa) working for user-auth on those same 4 vendors. You will, of course, want some method to manage user-owned-key-material and distribution/rotation of that material to the network.

You CAN enable 'key authentication' and have tac+ authorization/accounting still on the numbered vendors from above as well.

-chris