TACACS+ server recommendations?

Christopher Morrow morrowc.lists at gmail.com
Thu Sep 21 02:07:42 UTC 2023


On Wed, Sep 20, 2023 at 1:22 PM Jim <mysidia at gmail.com> wrote:
>
> Router operating systems still typically use only passwords with SSH,
> then those devices send the passwords over that insecure channel. I have
> yet to see much in terms of routers capable of using TACACS+ to authorize
> users based on users' OpenSSH certificate, public key ID, or ed25519-sk
> security key ID, etc.

There is active work with vendors (3 or 4 of the folk you may even use?)
to support SSH with SSH certificates. I believe this mostly works today,
though configuring it and distributing your ssh-ca-cert may be fun...

There are also fairly clear paths to get SSH keys (RSA, ECDSA) working
for user auth on those same 4 vendors.

You will, of course, want some method to manage user-owned key material
and the distribution/rotation of that material to the network. You CAN
enable 'key authentication' and still have tac+ authorization/accounting
on the numbered vendors from above as well.

-chris
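As an added illustration (not from Chris's reply or from any vendor's implementation): these are the fields of an OpenSSH ed25519 user certificate that a device would evaluate before TACACS+ authorization and accounting take over, run against a constructed sample certificate with a placeholder CA key. It assumes the CA signature over the certificate body is verified separately; the helper names, sample principals and timestamps are all made up for the example.

```python
import struct
CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # certificate "type" field: 1 = user certificate, 2 = host certificate

def _s(b):  # encode one SSH wire "string": uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b
def _rd(buf, off):  # decode one wire string at offset; returns (bytes, new offset)
    n = struct.unpack_from(">I", buf, off)[0]
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_cert(user_pk, serial, key_id, principals, valid_after, valid_before, ca_pk):
    # Encodes a certificate body. Constructed sample only: the CA signature field is left empty.
    return (_s(CERT_TYPE) + _s(b"\0" * 32) + _s(user_pk) + struct.pack(">QI", serial, USER_CERT)
            + _s(key_id.encode()) + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before) + _s(b"") + _s(b"") + _s(b"")
            + _s(_s(b"ssh-ed25519") + _s(ca_pk)) + _s(b""))  # ..., CA key blob, signature

def parse_cert(blob):
    """Decode the fields a device inspects before handing the session to TACACS+ authorization."""
    typ, off = _rd(blob, 0)
    if typ != CERT_TYPE:
        raise ValueError("not an ssh-ed25519 certificate")
    _nonce, off = _rd(blob, off); user_pk, off = _rd(blob, off)
    serial, ctype = struct.unpack_from(">QI", blob, off)
    key_id, off = _rd(blob, off + 12)
    packed, off = _rd(blob, off)                 # principals: concatenated wire strings
    principals, p = [], 0
    while p < len(packed):
        name, p = _rd(packed, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    _crit, off = _rd(blob, off + 16)             # critical options, then extensions, reserved
    _ext, off = _rd(blob, off); _reserved, off = _rd(blob, off)
    sig_key, _ = _rd(blob, off)                  # CA public key blob; the signature follows it
    return {"type": ctype, "serial": serial, "key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before, "sig_key": sig_key}

def authorize(cert, trusted_ca_pk, username, now):
    """Policy checks a device applies; assumes the CA signature over the body was verified first."""
    if cert["sig_key"] != _s(b"ssh-ed25519") + _s(trusted_ca_pk):
        return "untrusted CA"
    if cert["type"] != USER_CERT:
        return "not a user certificate"
    if not cert["valid_after"] <= now < cert["valid_before"]:
        return "expired or not yet valid"
    if username not in cert["principals"]:
        return "principal not permitted"
    return "ok"

# Constructed sample: a one-week certificate for login names "cmorrow" and "noc" under a placeholder CA key.
CA_PK = b"\x01" * 32  # placeholder CA public key (the value a device would hold in its trusted-CA list)
SAMPLE = build_cert(b"\x02" * 32, 7, "cmorrow@laptop", ["cmorrow", "noc"], 1695168000, 1695772800, CA_PK)
```

Short validity windows like the one-week sample are what make rotation routine: the CA re-issues, and nothing on the routers changes beyond the trusted CA key.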

