nanog mailing list archives

Re: TACACS+ server recommendations?


From: Christopher Morrow <morrowc.lists () gmail com>
Date: Thu, 21 Sep 2023 12:23:47 -0400

On Thu, Sep 21, 2023 at 5:40 AM Simon Leinen <simon.leinen () switch ch> wrote:

> Christopher Morrow writes:
>> On Wed, Sep 20, 2023 at 1:22 PM Jim <mysidia () gmail com> wrote:
>>
>>> Router operating systems still typically use only passwords with
>>> SSH, then those devices send the passwords over that insecure channel. I have yet to
>>> see much in terms of routers capable of using TACACS+ to authorize users based on users'
>>> OpenSSH certificate, public key id, or ed25519-sk security key id, etc.
>>
>> There is active work with vendors (3 or 4 of the folk you may even use?) to support
>> ssh with ssh-certificates, I believe this mostly works today, though configuring it and
>> distributing your ssh-ca-cert may be fun...
>
> Ahem... Cisco supports SSH authentication using *X.509* certificates.

correct, we pointed this out a few times and ... they now also support ssh-certs.
They also support HIBA extensions (https://github.com/google/hiba) and the
stock hiba-chk, which means you could potentially mint a certificate for your
ops user that says: "Simon is authorized to login to DEVICEX only"
(and/or others, or not have this check... this is optional, but handy for me)

> Unfortunately this is not compatible with OpenSSH (the dominant SSH
> client implementation we use), which only supports *OpenSSH*
> certificates.

yup, that's what we pointed out to them.. I think their answer was
something like:
  "mumble, we implemented this for a single requesting organization...
we THINK they use it?"

unsure how they use it, but.. ok, sure.
now there's openssh cert capability though.
(I admit I can't make search on cisco's site work for me to find what
version introduced this though, sorry)

> Not sure about other vendors, but when we found this out we decided that
> this wasn't a workable solution for us.

it sure wasn't for a long time :(
3 of 4 vendors we deal with support openssh-certificates and hiba...
almost all to the point where we could actually use it, which is nice.
we have some pains on our side, they on theirs, but it's getting almost deployable.
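As an added example (not part of this thread, and not HIBA's own tooling), the following script shows the plain-OpenSSH way to get the "Simon may log in to DEVICEX only" effect that the HIBA discussion above describes: a private ops CA signs a short-lived user certificate whose only principal is a device-scoped name, and the router only has to trust the CA public key and map that principal. The user name, device name and the `ops@DEVICE` principal convention are assumptions.

```shell
#!/bin/sh
# Added example: mint an OpenSSH user certificate scoped to one device.
# Assumed names: user "simon", device "DEVICEX", principal "ops@DEVICEX".
# Requires ssh-keygen from OpenSSH; everything is created in a temp dir.
set -eu

# mint_cert USER DEVICE -> prints the principals embedded in the signed cert
mint_cert() {
    user="$1"; device="$2"
    work=$(mktemp -d)
    # 1. The operator's signing CA. Its public key (ca.pub) is the one thing
    #    you distribute to every router (TrustedUserCAKeys on OpenSSH hosts).
    ssh-keygen -q -t ed25519 -N '' -C "ops-ca" -f "$work/ca"
    # 2. The user's own key pair (in practice the user brings the .pub).
    ssh-keygen -q -t ed25519 -N '' -C "$user" -f "$work/$user"
    # 3. Sign it: key id is the audit name, the single principal is device-
    #    scoped, validity is 24h, and port forwarding is disabled on routers.
    ssh-keygen -q -s "$work/ca" -I "$user" -n "ops@$device" -V +1d \
        -O no-port-forwarding "$work/$user.pub"
    # 4. Read the principals back out of the certificate to verify the scope.
    ssh-keygen -L -f "$work/$user-cert.pub" \
        | awk '/Principals:/{p=1;next} /Critical Options:/{p=0} p{gsub(/^ +/,"");print}'
    rm -rf "$work"
}

# Device side (OpenSSH-style hosts): trust the CA and map the principal, e.g.
#   TrustedUserCAKeys /etc/ssh/ops-ca.pub
#   AuthorizedPrincipalsFile /etc/ssh/principals/%u   (containing "ops@DEVICEX")
# A certificate minted for "ops@DEVICEY" then fails on DEVICEX without any
# password or per-device key distribution.
```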
