TACACS+ server recommendations?
Christopher Morrow
morrowc.lists at gmail.com
Thu Sep 21 02:07:42 UTC 2023
On Wed, Sep 20, 2023 at 1:22 PM Jim <mysidia at gmail.com> wrote:
>
> Router operating systems still typically use only passwords with
> SSH, then those devices send the passwords over that insecure channel. I have yet to
> see much in terms of routers capable of having TACACS+ authorize users based on users'
> OpenSSH certificate, public key id, or ed25519-sk security key id, etc.
There is active work with vendors (3 or 4 of the folk you may even use?) to support
ssh with ssh-certificates. I believe this mostly works today, though configuring it and
distributing your ssh-ca-cert may be fun...

There are also fairly clear paths to get ssh-keys (rsa, ecdsa) working for user-auth on those
same 4 vendors.

You will, of course, want some method to manage user-owned-key-material and
distribution/rotation of that material to the network. You CAN enable 'key authentication' and
have tac+ authorization/accounting still on the numbered vendors from above as well.
-chris