Christopher Morrow writes:
> On Wed, Sep 20, 2023 at 1:22 PM Jim <mysi...@gmail.com> wrote:
>>
>> Router operating systems still typically use only passwords with
>> SSH, then those devices send the passwords over that insecure channel. I
>> have yet to see much in terms of routers capable to Tacacs+ Authorize
>> users based on users' openSSH certificate, Public key id, or ed2559-sk
>> security key id, etc.
>
> There is active work with vendors (3 or 4 of the folk you may even
> use?) to support ssh with ssh-certificates, I believe this mostly works
> today, though configuring it and distributing your ssh-ca-cert may be
> fun...

Ahem... Cisco supports SSH authentication using *X.509* certificates. Unfortunately this is not compatible with OpenSSH (the dominant SSH client implementation we use), which only supports *OpenSSH* certificates. Not sure about other vendors, but when we found this out we decided that this wasn't a workable solution for us.

--
Simon.