On Thu, Sep 21, 2023 at 5:40 AM Simon Leinen <simon.leinen@switch.ch> wrote:
Christopher Morrow writes:
On Wed, Sep 20, 2023 at 1:22 PM Jim <mysidia@gmail.com> wrote:
Router operating systems still typically use only passwords with SSH, then those devices send the passwords over that insecure channel. I have yet to see much in terms of routers capable of TACACS+ authorizing users based on users' OpenSSH certificate, public key id, or ed25519-sk security key id, etc.
There is active work with vendors (3 or 4 of the folk you may even use?) to support ssh with ssh-certificates, I believe this mostly works today, though configuring it and distributing your ssh-ca-cert may be fun...
Ahem... Cisco supports SSH authentication using *X.509* certificates.
correct, we pointed this out a few times and ... they now also support ssh-certs. They also support HIBA extensions (https://github.com/google/hiba) and the stock hiba-chk, which means you could potentially mint a certificate for your ops user that says: "Simon is authorized to log in to DEVICEX only" (and/or others, or not have this check... this is optional, but handy for me)
Unfortunately this is not compatible with OpenSSH (the dominant SSH client implementation we use), which only supports *OpenSSH* certificates.
yup, that's what we pointed out to them.. I think their answer was something like: "mumble, we implemented this for a single requesting organization... we THINK they use it?" unsure how they use it, but.. ok, sure. now there's openssh cert capability though. (I admit I can't make search on cisco's site work for me to find what version introduced this though, sorry)
Not sure about other vendors, but when we found this out we decided that this wasn't a workable solution for us.
it sure wasn't for a long time :( 3 of 4 vendors we deal with support openssh-certificates and hiba... almost all to the point where we could actually use it, which is nice. we have some pains on our side, they on theirs, but it's getting almost deployable.
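Added example, not from the thread or from any vendor's code: the OpenSSH certificate wire format the messages above are discussing (PROTOCOL.certkeys, ssh-ed25519-cert-v01@openssh.com), encoded and decoded in plain Python, plus the stock-OpenSSH way of expressing "Simon may log in to DEVICEX only": the cert carries a principal, and the device's AuthorizedPrincipalsFile lists which principals it accepts. The principal names, key id, key bytes, nonce and signature are constructed placeholders; signature verification against the CA key is deliberately left out.

```python
import struct
CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # cert_type field: 1 = user certificate, 2 = host certificate
FIELDS = list(zip("key_type nonce pubkey serial cert_type key_id principals valid_after valid_before "
                  "critical_options extensions reserved ca_pubkey signature".split(), "sssQIssQQsssss"))

def _s(b):  # SSH "string": 4-byte big-endian length prefix followed by the bytes
    return struct.pack(">I", len(b)) + b

def build_user_cert(pubkey, key_id, principals, valid_after, valid_before, ca_pubkey, sig):
    """Serialise a user cert; nonce and sig are constructed placeholders (ssh-keygen -s fills real ones)."""
    extensions = _s(_s(b"permit-pty") + _s(b""))  # a single extension: shell allowed, no forwarding
    return (_s(CERT_TYPE) + _s(b"\x00" * 32) + _s(pubkey) + struct.pack(">QI", 1, USER_CERT)
            + _s(key_id.encode()) + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before) + _s(b"") + extensions + _s(b"")
            + _s(ca_pubkey) + _s(sig))  # ... critical options, extensions, reserved, CA key, signature

def _strings(buf):
    """Split concatenated SSH strings (principal list, extension name/data pairs) into bytes items."""
    out, pos = [], 0
    while pos < len(buf):
        n = struct.unpack_from(">I", buf, pos)[0]
        out.append(buf[pos + 4:pos + 4 + n])
        pos += 4 + n
    return out

def parse_cert(blob):
    """Decode FIELDS (PROTOCOL.certkeys order; s = SSH string, Q = uint64, I = uint32)."""
    cert, pos = {}, 0
    for name, kind in FIELDS:
        if kind == "s":
            n = struct.unpack_from(">I", blob, pos)[0]
            cert[name], pos = blob[pos + 4:pos + 4 + n], pos + 4 + n
        else:
            cert[name], pos = struct.unpack_from(">" + kind, blob, pos)[0], pos + struct.calcsize(">" + kind)
    if pos != len(blob) or cert["key_type"] != CERT_TYPE:
        raise ValueError("malformed or truncated certificate")
    cert["key_id"] = cert["key_id"].decode()
    cert["principals"] = [p.decode() for p in _strings(cert["principals"])]
    ext = _strings(cert["extensions"])  # HIBA grants also live here, under their own extension names
    cert["extensions"] = {k.decode(): v for k, v in zip(ext[::2], ext[1::2])}
    return cert

def device_accepts(cert, device_principals, now):
    """sshd's gate (signature check aside): user cert, inside its window, one principal the device lists."""
    return (cert["cert_type"] == USER_CERT and cert["valid_after"] <= now < cert["valid_before"]
            and any(p in device_principals for p in cert["principals"]))

# Constructed sample: a one-day cert for Simon whose only principal is the one DEVICEX's file accepts.
SAMPLE = parse_cert(build_user_cert(b"\x11" * 32, "simon", ["netops-devicex"],
                                    1695000000, 1695086400, b"\x22" * 32, b"\x33" * 64))
```

With `netops-devicex` in DEVICEX's AuthorizedPrincipalsFile and absent from DEVICEY's, the same cert opens one box and not the other, which is the per-device restriction the thread wants without any TACACS+ lookup.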