On Thu, Sep 21, 2023 at 4:40 AM Simon Leinen <simon.leinen@switch.ch> wrote:
> Ahem... Cisco supports SSH authentication using *X.509* certificates. Unfortunately this is not compatible with OpenSSH (the dominant SSH
> client implementation we use), which only supports *OpenSSH*
> certificates.

It's not a great solution, but it is certainly a solution. The feature exists for some router/switch models running certain licenses/images... an existing 200-NE network is not likely to have the feature 100% available by accident, though.

On the other hand, there is the strategy of using local auth on devices, having a few local users with specific privilege levels, and centralized systems that manage the creds for all normal day-to-day usage: storage and frequent automatic rotation of passwords, and, when an operator needs to log in, the central system authorizes a privileged user to access. Either the user "checks out" a device, using AAA to decide who can check out which devices, or users run their SSH sessions through centralized connection managers (acting as a man-in-the-middle, authenticating to devices using its own credentials, and authorizing user commands proxied through the server). This allows AAA and command authorization to be performed by the central server.

My understanding is that a good number of password manager products exist which will handle that, and then the only AAA which network devices need to be concerned about for authentication and authorization is basic password auth, which all equipment supports. And the security problems don't arise so much from using the TACACS+ / tac_plus service solely for accounting (in addition to basic remote syslog).

-- 
-Jim
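An added illustration, not from Jim's message or from any vendor documentation: a Cisco IOS-style configuration for the split described above, where local users and privilege levels handle authentication and exec authorization, and TACACS+ is used solely for accounting alongside remote syslog. The server addresses, usernames and secrets are placeholders.

```text
! Local authentication and exec authorization: login never depends on a remote AAA server
aaa new-model
username netops privilege 15 secret <PLACEHOLDER-ROTATED-BY-VAULT>
username readonly privilege 1 secret <PLACEHOLDER-ROTATED-BY-VAULT>
aaa authentication login default local
aaa authorization exec default local
!
! TACACS+ used only for accounting: start/stop records for sessions and privileged commands
tacacs server TAC-ACCT
 address ipv4 192.0.2.10
 key <PLACEHOLDER-SHARED-SECRET>
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Remote syslog as the second, independent audit trail
logging host 192.0.2.20
logging trap informational
!
! Management access over SSH only
line vty 0 4
 transport input ssh
```

With this split, an unreachable TACACS+ server costs accounting records but not the ability to log in, which is the trade-off the message describes; the vault's rotation of the local secrets is what keeps the local accounts from becoming long-lived shared passwords.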