TACACS+ server recommendations?
Simon Leinen
simon.leinen at switch.ch
Thu Sep 21 09:40:11 UTC 2023
Christopher Morrow writes:
> On Wed, Sep 20, 2023 at 1:22 PM Jim <mysidia at gmail.com> wrote:
>>
>> Router operating systems still typically use only passwords with
>> SSH, then those devices send the passwords over that insecure channel. I have yet to
>> see much in terms of routers capable of TACACS+ authorizing users based on the user's
>> OpenSSH certificate, public key ID, or ed25519-sk security key ID, etc.
> There is active work with vendors (3 or 4 of the folk you may even
> use?) to support SSH with SSH certificates; I believe this mostly works
> today, though configuring it and distributing your ssh-ca-cert may be fun...
Ahem... Cisco supports SSH authentication using *X.509* certificates.
Unfortunately this is not compatible with OpenSSH (the dominant SSH
client implementation we use), which only supports *OpenSSH*
certificates.
Not sure about other vendors, but when we found this out we decided that
this wasn't a workable solution for us.
--
Simon.
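To make Simon's point concrete: an OpenSSH certificate is not an X.509 certificate in a different wrapper. It is a plain SSH wire-format structure (the layout documented in OpenSSH's PROTOCOL.certkeys), not DER-encoded ASN.1, so a device that only knows how to parse X.509 cannot consume it at all. The following encoder/decoder is an added example written for this thread; it is not code from the thread, from OpenSSH, or from any vendor. It uses only the Python standard library, so the nonce and the CA signature are constructed placeholders (there is no Ed25519 in the stdlib) and the key bytes, key ID and principal names are made up for the demonstration. What it does show is the exact field sequence on the wire and the principal/validity checks a server applies once the CA signature has been verified.

```python
import struct
from typing import Dict, List, Tuple

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # PROTOCOL.certkeys: 1 = user certificate, 2 = host certificate


def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_string_list(items: List[bytes]) -> bytes:
    """A string whose content is a sequence of strings (used for principals)."""
    return ssh_string(b"".join(ssh_string(i) for i in items))


def ssh_pairs(pairs: List[Tuple[bytes, bytes]]) -> bytes:
    """Critical options / extensions: a string holding (name, data) string pairs."""
    return ssh_string(b"".join(ssh_string(n) + ssh_string(d) for n, d in pairs))


def build_user_cert(user_pk: bytes, ca_pk: bytes, key_id: str, principals: List[str],
                    valid_after: int, valid_before: int, serial: int = 1) -> bytes:
    """Return the blob that ssh-keygen -s would base64-encode into id_ed25519-cert.pub.

    Field order follows PROTOCOL.certkeys. The nonce and signature are constructed
    placeholders: a real CA uses 32 random bytes and an Ed25519 signature."""
    nonce = b"\x00" * 32
    body = (ssh_string(CERT_TYPE)
            + ssh_string(nonce)
            + ssh_string(user_pk)
            + struct.pack(">Q", serial)
            + struct.pack(">I", USER_CERT)
            + ssh_string(key_id.encode())
            + ssh_string_list([p.encode() for p in principals])
            + struct.pack(">Q", valid_after)
            + struct.pack(">Q", valid_before)
            + ssh_pairs([])                      # critical options: none
            + ssh_pairs([(b"permit-pty", b"")])  # extensions: a flag carries empty data
            + ssh_string(b"")                    # reserved, always empty
            + ssh_string(ssh_string(b"ssh-ed25519") + ssh_string(ca_pk)))  # signature key
    # The CA signs exactly `body`; 64 zero bytes stand in for the Ed25519 signature.
    return body + ssh_string(ssh_string(b"ssh-ed25519") + ssh_string(b"\x00" * 64))


class _Reader:
    """Cursor over the blob; every accessor raises on truncated input."""

    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def u64(self) -> int:
        (v,) = struct.unpack_from(">Q", self.data, self.pos)
        self.pos += 8
        return v

    def string(self) -> bytes:
        n = self.u32()
        if self.pos + n > len(self.data):
            raise ValueError("truncated string")
        s, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return s

    def done(self) -> bool:
        return self.pos == len(self.data)


def _split(blob: bytes) -> List[bytes]:
    r, out = _Reader(blob), []
    while not r.done():
        out.append(r.string())
    return out


def parse_cert(blob: bytes) -> Dict:
    """Decode the fields a server inspects (the same ones ssh-keygen -L prints)."""
    r = _Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("not an ssh-ed25519 OpenSSH certificate")
    cert = {"nonce": r.string(), "user_pk": r.string(), "serial": r.u64(), "type": r.u32(),
            "key_id": r.string().decode(),
            "principals": [p.decode() for p in _split(r.string())],
            "valid_after": r.u64(), "valid_before": r.u64()}
    crit = _split(r.string())
    cert["critical_options"] = {k.decode(): v for k, v in zip(crit[::2], crit[1::2])}
    ext = _split(r.string())
    cert["extensions"] = [k.decode() for k in ext[::2]]
    r.string()  # reserved
    cert["signature_key"] = r.string()
    cert["signature"] = r.string()
    if not r.done():
        raise ValueError("trailing data after signature")
    return cert


def authorize(cert: Dict, login_name: str, now: int, ca_pk: bytes) -> bool:
    """Policy applied after CA signature verification (not done here: no Ed25519 in stdlib)."""
    trusted_ca = ssh_string(b"ssh-ed25519") + ssh_string(ca_pk)
    return (cert["type"] == USER_CERT
            and cert["signature_key"] == trusted_ca
            and cert["valid_after"] <= now < cert["valid_before"]
            and login_name in cert["principals"])
```

With a real CA key, `ssh-keygen -s ca_key -I simon@switch.ch -n simon,netops -V +52w id_ed25519.pub` emits this same structure base64-encoded after the `ssh-ed25519-cert-v01@openssh.com` type string, and `ssh-keygen -L -f id_ed25519-cert.pub` prints the decoded fields. Note how authorization hangs on the `principals` list and the validity window rather than on an X.509 subject name: that is the data a router would have to map to a TACACS+ username if it wanted to authorize on certificate identity.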