nanog mailing list archives

Re: TACACS+ server recommendations?


From: Simon Leinen <simon.leinen () switch ch>
Date: Thu, 21 Sep 2023 11:40:11 +0200

Christopher Morrow writes:
> On Wed, Sep 20, 2023 at 1:22 PM Jim <mysidia () gmail com> wrote:
>
>> Router operating systems still typically use only passwords with SSH,
>> then those devices send the passwords over that insecure channel. I have
>> yet to see much in terms of routers capable of TACACS+ authorizing users
>> based on users' OpenSSH certificate, public key id, or ed25519-sk security
>> key id, etc.
>
> There is active work with vendors (3 or 4 of the folk you may even use?)
> to support ssh with ssh-certificates. I believe this mostly works today,
> though configuring it and distributing your ssh-ca-cert may be fun...

Ahem... Cisco supports SSH authentication using *X.509* certificates.
Unfortunately this is not compatible with OpenSSH (the dominant SSH
client implementation we use), which only supports *OpenSSH*
certificates.

Not sure about other vendors, but when we found this out we decided that
this wasn't a workable solution for us.
-- 
Simon.
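The format gap Simon describes is visible on the wire: an OpenSSH certificate is an SSH-string-encoded blob with its own type name, principals and validity window, while an X.509 certificate is DER/PEM and is never presented by an OpenSSH client. The following added example (not part of the thread) builds a constructed, unsigned ssh-ed25519 certificate line and parses it back, so an operator can see exactly which fields a device would have to understand; it assumes ed25519 keys only and leaves the CA key and signature fields empty.

```python
import base64
import struct

def _s(b: bytes) -> bytes:
    # SSH wire "string": 4-byte big-endian length followed by the bytes
    return struct.pack(">I", len(b)) + b

def _read(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_ed25519_cert(pubkey: bytes, key_id: str, principals, valid_after: int, valid_before: int) -> str:
    """Constructed sample: an UNSIGNED ssh-ed25519-cert-v01@openssh.com line (CA key and signature left empty)."""
    blob = _s(b"ssh-ed25519-cert-v01@openssh.com") + _s(bytes(32))  # type, nonce
    blob += _s(pubkey)                                               # ed25519 public key
    blob += struct.pack(">QI", 1, 1)                                 # serial, type 1 = user cert
    blob += _s(key_id.encode())
    blob += _s(b"".join(_s(p.encode()) for p in principals))        # principals as nested strings
    blob += struct.pack(">QQ", valid_after, valid_before)
    blob += _s(b"") * 3                                              # critical options, extensions, reserved
    blob += _s(b"") * 2                                              # signature key, signature (empty here)
    return f"ssh-ed25519-cert-v01@openssh.com {base64.b64encode(blob).decode()} {key_id}"

def classify(line: str) -> dict:
    """Tell X.509 PEM, a plain OpenSSH key and an OpenSSH certificate apart; parse the latter (ed25519 only)."""
    if line.startswith("-----BEGIN CERTIFICATE-----"):
        return {"format": "x509"}                 # DER/PEM: an OpenSSH client never presents this
    kind, b64 = line.split()[:2]
    if not kind.endswith("-cert-v01@openssh.com"):
        return {"format": "ssh-key", "type": kind}
    if kind != "ssh-ed25519-cert-v01@openssh.com":
        raise NotImplementedError(kind)           # RSA/ECDSA certs carry extra public-key fields
    buf = base64.b64decode(b64)
    _type, off = _read(buf, 0)
    _nonce, off = _read(buf, off)
    _pub, off = _read(buf, off)
    _serial, cert_type = struct.unpack_from(">QI", buf, off)
    off += 12
    key_id, off = _read(buf, off)
    princ_blob, off = _read(buf, off)
    principals, p = [], 0
    while p < len(princ_blob):
        name, p = _read(princ_blob, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", buf, off)
    return {"format": "openssh-cert", "cert_type": "user" if cert_type == 1 else "host",
            "key_id": key_id.decode(), "principals": principals, "valid_after": valid_after, "valid_before": valid_before}

def valid_at(info: dict, now: int) -> bool:
    return info["valid_after"] <= now < info["valid_before"]   # OpenSSH treats valid_before as exclusive
```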
