nanog mailing list archives
Re: TACACS+ server recommendations?
From: Warren Kumari <warren () kumari net>
Date: Wed, 20 Sep 2023 11:37:19 -0700
On Wed, Sep 20, 2023 at 10:22 AM, Jim <mysidia () gmail com> wrote:
On Wed, Sep 20, 2023 at 11:16 AM Mike Lewinski via NANOG <nanog () nanog org> wrote:

https://www.shrubbery.net/tac_plus/

That tac_plus has Python 2 dependencies and so has been removed from Debian packages. That's not surprising given the last update was 2015 and Python 2 was EOL in 2020: https://www.python.org/doc/sunset-python-2/

Currently I favor this one, which is still being actively developed:
https://www.pro-bono-publico.de/projects/tac_plus.html

Yes. Well, on the plus side, the TACACS protocol has not really changed in 30 years. Even the 2015 code could work provided you can compile its dependencies from sources, right... On the downside, for the command authorization use: TACACS+ provides little protection for messages between client and server. The protocol's MD5 crypto is so weak that routers using TACACS+ for authentication might as well just be piping user credentials over in the clear: it's barely any better.
Yes, but there is current work in the IETF OpsAWG WG to help address this: https://datatracker.ietf.org/doc/draft-ietf-opsawg-tacacs-tls13/ This work was actually started many years ago, but got sidetracked — there was no published standard for TACACS, and so we first published RFC8907 - "The Terminal Access Controller Access-Control System Plus (TACACS+) Protocol" <https://datatracker.ietf.org/doc/rfc8907/>, and this new document largely says "Now just do that over TLS! kthxbye…" Hopefully this draft will progress soon… W
Router operating systems still typically use only passwords with SSH, and then those devices send the passwords over that insecure channel. I have yet to see much in terms of routers capable of using TACACS+ to authorize users based on the user's OpenSSH certificate, public key ID, ed25519-sk security key ID, etc. In short, unless you have a VPN or a dedicated secure link from every single device to its TACACS+ server, or an experimental implementation of TACACS+ over TLS, I would suggest considering tools or scripts that distribute users and authorization configurations to devices as local authorization through secure protocols, as preferable to network authentication systems that transmit sensitive decisions and user data across the network using insecure protocols.

--
-Jim
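To make concrete what Jim means by the protocol's MD5 "crypto", here is the RFC 8907 section 4.5 body obfuscation written out in Python. This is an added example for this archive page, not code from any tac_plus implementation or from the thread's authors: it derives the pseudo-pad from the packet header fields and the shared secret exactly as the RFC describes (chained MD5 digests), XORs the body with it, and uses a constructed Authentication START body with made-up user, port and address values. The function names and the sample values are assumptions for illustration. It shows why the RFC calls this obfuscation rather than encryption: the only secret input is the shared key, the same header fields always yield the same pad, and there is no integrity protection at all, which is the gap the TACACS+ over TLS 1.3 draft closes.

```python
import hashlib
import struct

# RFC 8907 section 4.5: the pseudo-pad is MD5_1 || MD5_2 || ... where
#   MD5_1 = MD5(session_id || key || version || seq_no)
#   MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1})
# session_id is the 4-byte header field in network order, version and
# seq_no are the 1-byte header fields. The body is XORed with the pad.
# Note that nothing here authenticates the packet: there is no MAC.
def tacacs_pad(key: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = b""
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """Apply the RFC 8907 obfuscation to a packet body (XOR with the pad)."""
    pad = tacacs_pad(key, session_id, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


# XOR is its own inverse, so the server-side deobfuscation is the same operation.
deobfuscate = obfuscate


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, data: bytes = b"") -> bytes:
    """Build an Authentication START body (RFC 8907 section 5.1) for ASCII login.

    Field order: action, priv_lvl, authen_type, authen_service,
    user_len, port_len, rem_addr_len, data_len, then the variable fields.
    Constants: action=1 (LOGIN), priv_lvl=1, authen_type=1 (ASCII), service=1 (LOGIN).
    """
    header = bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data)])
    return header + user + port + rem_addr + data


# Constructed sample values; nothing here comes from a real deployment.
SAMPLE_KEY = b"example-shared-secret"
SAMPLE_SESSION_ID = 0x1234ABCD
SAMPLE_VERSION = 0xC0  # major version 0xC, minor version 0
SAMPLE_BODY = authen_start_body(b"alice", b"tty0", b"192.0.2.10")


def round_trip(key: bytes = SAMPLE_KEY) -> bool:
    """True when obfuscate followed by deobfuscate with the same key restores the body."""
    wire = obfuscate(SAMPLE_BODY, key, SAMPLE_SESSION_ID, SAMPLE_VERSION, 1)
    return deobfuscate(wire, key, SAMPLE_SESSION_ID, SAMPLE_VERSION, 1) == SAMPLE_BODY


def pad_is_deterministic(key: bytes = SAMPLE_KEY) -> bool:
    """Same key and header fields always give the same pad: the key is the only secret."""
    a = tacacs_pad(key, SAMPLE_SESSION_ID, SAMPLE_VERSION, 1, 64)
    b = tacacs_pad(key, SAMPLE_SESSION_ID, SAMPLE_VERSION, 1, 64)
    return a == b


if __name__ == "__main__":
    wire = obfuscate(SAMPLE_BODY, SAMPLE_KEY, SAMPLE_SESSION_ID, SAMPLE_VERSION, 1)
    print("body on the wire:", wire.hex())
    print("round trip ok:", round_trip())
    print("pad deterministic:", pad_is_deterministic())
```

The practical reading for an operator is the one Jim gives: the body's secrecy rests entirely on the shared key, and nothing in the packet lets the receiver detect modification, so either keep the device-to-server path on a link you already trust or move to the TLS 1.3 transport that the OpsAWG draft Warren points to.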