On Wed, Sep 20, 2023 at 1:22 PM Jim <mysidia@gmail.com> wrote:
> Router operating systems still typically use only passwords with SSH, then those devices send the passwords over that insecure channel. I have yet to see much in terms of routers capable of TACACS+ authorization of users based on the user's OpenSSH certificate, public key ID, ed25519-sk security key ID, etc.
There is active work with vendors (3 or 4 of the folk you may even use?) to support SSH with ssh-certificates. I believe this mostly works today, though configuring it and distributing your ssh-ca-cert may be fun... There are also fairly clear paths to get ssh-keys (RSA, ECDSA) working for user auth on those same 4 vendors. You will, of course, want some method to manage user-owned key material and distribution/rotation of that material to the network. You CAN enable 'key authentication' and have tac+ authorization/accounting still on the numbered vendors from above as well.

-chris
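For anyone who has not run the CA side of this, here is the flow Chris is describing, as an added example that is not from the thread or from any vendor's documentation: mint a CA, sign an operator's key into a short-lived user certificate with principals and a serial, inspect the result the way sshd does, and revoke it by serial with a KRL. It uses only stock ssh-keygen options; the CA name, the user "alice", the principals "alice,netops", the serial 42 and the 8-hour window are made-up values. The two artifacts that have to reach the devices are ssh_ca.pub (TrustedUserCAKeys on OpenSSH; whatever the vendor calls it on a router) and the KRL; the CA private key and the user's private key never move.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): mint a short-lived OpenSSH user
# certificate from a CA, inspect it the way sshd would, then revoke it by
# serial with a KRL. Only stock ssh-keygen options are used. The CA name,
# the user "alice", the principals and the serial are made-up values.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. CA key pair. Only ssh_ca.pub is pushed to the devices (on OpenSSH that
#    is the TrustedUserCAKeys file); ssh_ca stays on the signing host.
make_ca() {
  ssh-keygen -q -t ed25519 -N '' -C 'netops-ssh-ca' -f "$WORK/ssh_ca"
}

# 2. The operator's own key pair: the user-owned key material that has to be
#    managed. Nothing here leaves the laptop except alice.pub.
make_user_key() {
  ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$WORK/alice"
}

# 3. Sign alice.pub. -I is the key id that shows up in sshd logs and can be
#    carried into TACACS+ accounting, -n the principals the cert is valid
#    for, -V a validity window (rotation happens by expiry, not by touching
#    every device), -z a serial so this one cert can be revoked on its own.
sign_user_cert() {
  ssh-keygen -q -s "$WORK/ssh_ca" -I 'alice-2023-09-20' -n 'alice,netops' \
    -V '-5m:+8h' -z 42 "$WORK/alice.pub"      # writes alice-cert.pub
}

# Dump the certificate as sshd parses it.
show_cert() { ssh-keygen -L -f "$WORK/alice-cert.pub"; }

# Pull one single-line field ("Key ID", "Serial", ...) out of show_cert,
# with the surrounding quotes removed.
cert_field() {
  show_cert | awk -v f="$1" \
    '$0 ~ "^[ \t]*" f ":" { sub("^[ \t]*" f ":[ \t]*", ""); gsub(/"/, ""); print }'
}

# Principals are listed one per line under "Principals:"; join with commas.
cert_principals() {
  show_cert | awk '/^[ \t]*Principals:/ { p = 1; next }
                   /^[ \t]*Critical Options:/ { p = 0 }
                   p { gsub(/^[ \t]+/, ""); s = s (s ? "," : "") $0 }
                   END { print s }'
}

# 4. Revocation: a KRL listing the serial, built against the CA public key
#    (serial/key-id revocations only apply to certs issued by that CA).
#    The KRL is the second file that has to be distributed to devices.
revoke_serial() {
  printf 'serial: %s\n' "$1" > "$WORK/krl.spec"
  ssh-keygen -q -k -f "$WORK/krl" -s "$WORK/ssh_ca.pub" "$WORK/krl.spec"
}

# "ok" or "REVOKED", as ssh-keygen -Q reports it. Its exit status is
# non-zero for a revoked key, so only the last word of its output is kept.
cert_status() {
  ssh-keygen -Q -f "$WORK/krl" "$WORK/alice-cert.pub" | awk '{ print $NF }' || true
}

main() {
  make_ca
  make_user_key
  sign_user_cert
  show_cert
  revoke_serial 42
  echo "after revocation: $(cert_status)"
}
main
```

The point of the serial and the KRL is that key rotation does not have to mean re-pushing per-user keys to every box: devices trust one CA key, users get certificates that expire on their own, and the emergency case (lost laptop) is handled by shipping a small KRL rather than editing every device's authorized-key list.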