nanog mailing list archives

Re: TACACS+ server recommendations?


From: Jim <mysidia () gmail com>
Date: Wed, 20 Sep 2023 12:22:21 -0500

On Wed, Sep 20, 2023 at 11:16 AM Mike Lewinski via NANOG <nanog () nanog org> wrote:

> https://www.shrubbery.net/tac_plus/
> That tac_plus has Python 2 dependencies and so has been removed from
> Debian packages. That's not surprising given the last update was 2015 and
> Python 2 was EOL in 2020: https://www.python.org/doc/sunset-python-2/
>
> Currently I favor this one which is still being actively developed:
> https://www.pro-bono-publico.de/projects/tac_plus.html


Yes. Well, on the plus side, the TACACS protocol has not really changed in
30 years; even the 2015 code could work provided you can compile its
dependencies from sources, right...

On the downside, for the command authorization use: TACACS+ provides little
protection for messages between client and server.

The protocol's MD5 crypto is so weak that routers using TACACS+ for
authentication might as well just be piping user credentials over in the
clear: it's barely any better.

Router operating systems still typically use only passwords with SSH, then
those devices send the passwords over that insecure channel. I have yet to
see much in terms of routers capable of TACACS+ authorizing users based on
users' OpenSSH certificate, public key ID, or ed25519-sk security key ID, etc.

In short, unless you have a VPN or a dedicated secure link from every single
device to its TACACS server, or an experimental implementation of TACACS+
over TLS, I would suggest considering using tools or scripts to distribute
users and authorization configurations to devices as local authorization
through secure protocols, as preferable to those network authentication
systems that transmit sensitive decisions and user data across the network
using insecure protocols.

-- 
-Jim
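Added example, not part of the thread above and not code from any tac_plus project: a small Python model of the "MD5 crypto" Jim refers to, as specified in RFC 8907 section 4.5. The body of a TACACS+ packet is XORed with a keystream built from MD5 over (session_id, shared key, version, seq_no); there is no MAC or AEAD. The shared secret, session ID and username below are constructed values, and the Authentication START body is built only as far as the RFC field layout needs.

```python
"""RFC 8907 TACACS+ body obfuscation, modelled to show why it is
called obfuscation rather than encryption.  Added example; the
key, session_id and usernames are constructed test values."""
import hashlib
import struct

# RFC 8907 section 4.1: version byte = (major 0xC << 4) | minor 0
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
VERSION = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT  # 0xC0


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 pseudo-pad:
       pad_1 = MD5(session_id || key || version || seq_no)
       pad_n = MD5(session_id || key || version || seq_no || pad_{n-1})
    Blocks are concatenated and truncated to the body length.
    session_id is a 4-byte network-order integer; version and seq_no are 1 byte each."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int, version: int = VERSION) -> bytes:
    """XOR the body with the pseudo-pad.  XOR is its own inverse, so the same
    call de-obfuscates a received body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes = b"tty0", rem_addr: bytes = b"192.0.2.10",
                      priv_lvl: int = 1, data: bytes = b"") -> bytes:
    """Minimal Authentication START body (RFC 8907 section 5.1):
    action=LOGIN(1), priv_lvl, authen_type=ASCII(1), authen_service=LOGIN(1),
    then the four length bytes and the variable-length fields."""
    fixed = struct.pack("!BBBBBBBB", 1, priv_lvl, 1, 1,
                        len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def parse_authen_start(body: bytes) -> dict:
    """Parse the START body back into fields (the receiver's view)."""
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
    off = 8
    user = body[off:off + ul]; off += ul
    port = body[off:off + pl]; off += pl
    rem_addr = body[off:off + rl]; off += rl
    data = body[off:off + dl]
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user, "port": port,
            "rem_addr": rem_addr, "data": data}


def demo_roundtrip(key: bytes = b"example-shared-secret") -> dict:
    """Client obfuscates, server de-obfuscates with the same key: fields survive."""
    session_id = 0x5A5A1234  # constructed; real clients pick this randomly
    body = authen_start_body(b"alice")
    wire = obfuscate(body, session_id, key, seq_no=1)
    recovered = obfuscate(wire, session_id, key, seq_no=1)
    return {"wire_differs": wire != body, "recovered": parse_authen_start(recovered)}


def demo_malleability(key: bytes = b"example-shared-secret") -> dict:
    """Flip one bit of the obfuscated body in transit.  De-obfuscation still
    'succeeds' and the parser sees a changed field; nothing in the protocol
    signals the modification, because the pad is a keystream with no integrity
    check.  This is the property that makes a protected transport necessary."""
    session_id = 0x5A5A1234
    body = authen_start_body(b"alice")
    wire = bytearray(obfuscate(body, session_id, key, seq_no=1))
    wire[8] ^= 0x01  # offset 8 is user[0]: 'a' (0x61) decodes as '`' (0x60)
    recovered = parse_authen_start(obfuscate(bytes(wire), session_id, key, seq_no=1))
    return {"user": recovered["user"], "priv_lvl": recovered["priv_lvl"]}


if __name__ == "__main__":
    print(demo_roundtrip())
    print(demo_malleability())
```

The pad depends only on the four header-derived inputs and the shared key, and the wire body keeps the plaintext's exact length, so field boundaries are visible without the key. Both points are why RFC 8907's security considerations describe the mechanism as obfuscation and why a VPN, dedicated link or TLS transport (as the message above suggests) is the actual protection.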
