On Wed, Sep 20, 2023 at 10:22 AM, Jim <mysidia@gmail.com> wrote:
On Wed, Sep 20, 2023 at 11:16 AM Mike Lewinski via NANOG <nanog@nanog.org> wrote:
https://www.shrubbery.net/tac_plus/ That tac_plus has Python 2 dependencies and so has been removed from Debian packages. That's not surprising given the last update was 2015 and Python 2 was EOL in 2020: https://www.python.org/doc/sunset-python-2/
Currently I favor this one which is still being actively developed:
Yes. Well, on the plus side the TACACS+ protocol has not really changed in 30 years. Even the 2015 code could work, provided you can compile its dependencies from sources, right...
On the downside, for the command authorization use: TACACS+ provides little protection for messages between client and server;
The protocol's MD5 crypto is so weak that routers using TACACS+ for authentication might as well just be piping over user credentials in the clear: it's barely any better.
Yes, but there is current work in the IETF OpsAWG WG to help address this: https://datatracker.ietf.org/doc/draft-ietf-opsawg-tacacs-tls13/ This work was actually started many years ago, but got sidetracked — there was no published standard for TACACS, and so we first published RFC8907 - "The Terminal Access Controller Access-Control System Plus (TACACS+) Protocol" <https://datatracker.ietf.org/doc/rfc8907/>, and this new document largely says "Now just do that over TLS! kthxbye…" Hopefully this draft will progress soon… W
Router operating systems still typically use only passwords with SSH, then those devices send the passwords over that insecure channel. I have yet to see much in terms of routers capable of TACACS+ authorizing users based on users' OpenSSH certificate, public key ID, or ed25519-sk security key ID, etc.
In short, unless you have a VPN or a dedicated secure link from every single device to its TACACS+ server, or an experimental implementation of TACACS+ over TLS, I would suggest considering using tools or scripts to distribute users and authorization configurations to devices as local authorization through secure protocols, as preferable to network authentication systems that transmit sensitive decisions and user data across the network using insecure protocols.
-- -Jim
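As an added example (not code from this thread, from tac_plus, or from any other TACACS+ implementation), the following implements what the "MD5 crypto" discussed above actually is: the body obfuscation of RFC 8907 section 4.5. The pad is a chain of MD5 digests over the packet's session ID, the shared secret, the version byte and the sequence number, and the body is simply XORed with it. The session ID, secret and body below are constructed sample values, and `demo_tamper()` is an illustrative helper rather than anything from the RFC.

```python
"""Added example: RFC 8907 section 4.5 TACACS+ body obfuscation.

Not taken from tac_plus or any other implementation; the session id, shared
secret and body used in the usage section are constructed sample values.
"""
import hashlib
import struct

# RFC 8907 section 4.1: version byte is (major << 4) | minor, major is 0xC.
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
VERSION = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT  # 0xC0


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Return `length` bytes of keystream as described in RFC 8907 section 4.5.

    MD5_1 = MD5(session_id || key || version || seq_no)
    MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1})
    The digests are concatenated and truncated to the body length.
    """
    prefix = struct.pack("!I", session_id) + key + bytes([version & 0xFF, seq_no & 0xFF])
    pad = b""
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad. Because it is XOR, the same call
    turns wire bytes back into the cleartext body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def demo_tamper(body: bytes, session_id: int, key: bytes, version: int,
                seq_no: int, offset: int, xor_value: int) -> bytes:
    """Illustrative helper (not part of the RFC): show that the scheme carries
    no integrity check. Flipping bits in the wire bytes flips the same bits in
    what the receiver decodes, and nothing in the packet reveals the change.
    This is the property the thread is pointing at; it is why running the
    protocol over TLS (or an equivalent secure channel) matters."""
    wire = bytearray(obfuscate(body, session_id, key, version, seq_no))
    wire[offset] ^= xor_value
    return obfuscate(bytes(wire), session_id, key, version, seq_no)


if __name__ == "__main__":
    # Constructed sample values; not a captured packet.
    SESSION_ID = 0x1234ABCD
    SECRET = b"constructed-shared-secret"
    BODY = b"constructed TACACS+ authentication body (not a real packet)"

    wire = obfuscate(BODY, SESSION_ID, SECRET, VERSION, 1)
    assert obfuscate(wire, SESSION_ID, SECRET, VERSION, 1) == BODY
    print("wire bytes:", wire.hex())
    print("decoded after one flipped byte:",
          demo_tamper(BODY, SESSION_ID, SECRET, VERSION, 1, 12, 0x20))
```

Two things the code makes concrete: the keystream depends only on fields that travel in the clear plus the shared secret, so its strength is entirely the secret's strength, and there is no MAC, so a receiver cannot tell a modified body from an intact one. Both are exactly what the TACACS+ over TLS 1.3 draft referenced above is meant to fix.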