On Wed, Sep 20, 2023 at 11:16 AM Mike Lewinski via NANOG <nanog@nanog.org> wrote:

> https://www.shrubbery.net/tac_plus/
>
> That tac_plus has python 2 dependencies and so has been removed from Debian packages. That's not surprising given the last update was 2015 and Python 2 was EOL in 2020: https://www.python.org/doc/sunset-python-2/
>
> Currently I favor this one which is still being actively developed: https://www.pro-bono-publico.de/projects/tac_plus.html

Yes. Well, on the plus side, the TACACS protocol has not really changed in 30 years. Even the 2015 code could work provided you can compile its dependencies from sources, right...

On the downside, for the command authorization use: TACACS+ provides little protection for messages between client and server. The protocol's MD5 crypto is so weak that routers using TACACS+ for authentication might as well just be piping over user credentials in the clear: it's barely any better.

Router operating systems still typically use only passwords with SSH, then those devices send the passwords over that insecure channel. I have yet to see much in terms of routers capable of TACACS+ authorizing users based on users' OpenSSH certificate, public key ID, or ed25519-sk security key ID, etc.

In short.. unless you've got a VPN or a dedicated secure link from every single device to its TACACS+ server, or an experimental implementation of TACACS+ over TLS, I would suggest considering using tools or scripts to distribute users and authorizing configurations to devices as local authorization through secure protocols, as favorable to those network authentication systems that transmit sensitive decisions and user data across the network using insecure protocols.

---
Jim
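An added example, not from Jim's mail or from either tac_plus project, of what the "MD5 crypto" discussed above actually is: the RFC 8907 section 4.5 body obfuscation, which XORs each packet body with an MD5-derived pad computed from the shared secret and the header fields (session_id, version, seq_no). The shared secret, session id and the ASCII-login START body below are constructed values. Two defender-side checks fall out of the implementation: the TAC_PLUS_UNENCRYPTED_FLAG bit in the header reveals a peer that sends bodies in the clear, and because the protocol carries no integrity tag, a packet whose body bytes were altered in transit still de-obfuscates without any error, which is why only a protected transport (VPN, dedicated link, or TLS) gives these messages real protection.

```python
import hashlib
import struct

# TACACS+ header (RFC 8907 section 4.1): version, type, seq_no, flags, session_id, length
HEADER_FMT = "!BBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes
TAC_PLUS_AUTHEN = 0x01                    # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01          # flags bit: body is sent without obfuscation
VERSION_DEFAULT = 0xC0                    # major version 0xC, minor version 0


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 pad: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate and truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad. XOR is its own inverse, so this also de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, port: str, rem_addr: str, data: bytes = b"") -> bytes:
    """Authentication START body (RFC 8907 section 5.1) for an ASCII login (constructed values)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    # action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), authen_service=LOGIN(1)
    fixed = struct.pack("!BBBBBBBB", 1, 1, 1, 1, len(u), len(p), len(r), len(data))
    return fixed + u + p + r + data


def build_packet(body: bytes, session_id: int, key: bytes, *, ptype: int = TAC_PLUS_AUTHEN,
                 seq_no: int = 1, version: int = VERSION_DEFAULT, unencrypted: bool = False) -> bytes:
    """Assemble header + (obfuscated) body as it would appear on the wire."""
    flags = TAC_PLUS_UNENCRYPTED_FLAG if unencrypted else 0
    wire_body = body if unencrypted else obfuscate(body, session_id, key, version, seq_no)
    header = struct.pack(HEADER_FMT, version, ptype, seq_no, flags, session_id, len(wire_body))
    return header + wire_body


def parse_packet(pkt: bytes, key: bytes) -> dict:
    """Parse a wire packet and recover the body. Note there is nothing here that could
    fail on a modified body: the protocol has no authenticator to check."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    if len(pkt) < HEADER_LEN + length:
        raise ValueError("truncated packet")
    wire_body = pkt[HEADER_LEN:HEADER_LEN + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = wire_body
    else:
        body = obfuscate(wire_body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


def is_unencrypted(pkt: bytes) -> bool:
    """Detection check: True when the peer set TAC_PLUS_UNENCRYPTED_FLAG (body in the clear)."""
    return bool(pkt[3] & TAC_PLUS_UNENCRYPTED_FLAG)


def decode_after_flip(pkt: bytes, key: bytes, offset: int) -> int:
    """Alter one wire byte of the body and decode again. Returns how many body bytes
    differ from the untouched decode: decoding never raises, and exactly one byte
    silently changes, because no integrity protection exists at this layer."""
    original = parse_packet(pkt, key)["body"]
    altered = bytearray(pkt)
    altered[HEADER_LEN + offset] ^= 0xFF
    decoded = parse_packet(bytes(altered), key)["body"]
    return sum(1 for a, b in zip(original, decoded) if a != b)


if __name__ == "__main__":
    key = b"example-shared-secret"  # constructed, not a real deployment secret
    body = build_authen_start("alice", "tty0", "192.0.2.10")
    pkt = build_packet(body, 0x12345678, key)
    print("wire body differs from plaintext:", pkt[HEADER_LEN:] != body)
    print("round trip ok:", parse_packet(pkt, key)["body"] == body)
    print("unencrypted flag set:", is_unencrypted(pkt))
    print("bytes changed by an undetected one-byte alteration:", decode_after_flip(pkt, key, 8))
```

The `is_unencrypted` check is the one worth wiring into monitoring: a NAS or server that sets the flag is shipping usernames and command authorization requests with no obfuscation at all, and RFC 8907 itself says the flag must not be used in production. Everything else in the block shows the limits of the obfuscation rather than a fix for it; the fix is the transport.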