TACACS_PLUS SSH Certificate Authentication
In retrospect, the original proposal looks like a bad idea, even if it looks trivial to implement.
A way better move would be to use RfC 7055: A GSS-API Mechanism for the Extensible Authentication Protocol for SSH and let SSHD forward the EAP packets to an EAP-capable TACACS+ server. TACACS+ packet sizes should be large enough to encapsulate EAP (it's just the AUTHEN START packet that's somewhat limited, but it would only be needed to trigger the Authenticator to send an ID request, the other AUTHEN packet types come with a maximum length that perfectly fits the maximum length of an EAP packet).
That's basically pretty similar to RADIUS Extension for Certificate-based SSH Authentication, please have a look at the OPSAWG mail archive for discussion details.
Quite a lot of that code actually exists: Moonshot provides a GSS-API implementation, and moving that on to TACACS+ looks viable.
Old text below.
----8<---- CUT HERE ----8<----
This is a logical extension of the current TACACS+ standard. This document isn't well-formatted, and there's likely an issue with referring to OpenSSH formats that aren't covered by an RfC.
Please note that this protocol extension is not a standard by itself. However, it suits RFC8907 with a minimum of changes, and the spec below is just about 50 lines of text.
I grant the BCP78/BCP79 (or whatever is required) rights to the IETF and I'd appreciate if this approach would end up in an RfC.
tac_plus-ng fully supports TAC_PLUS_AUTHEN_TYPE_SSHCERT. Also, the tac_apc.pl script, which is part of the GIT too, provides a suitable AuthorizedPrincipalsCommand for OpenSSH, as a proof of concept.
-- Marc Huber Marc.Huber@web.de
The basic motivation behind this is that certificate based authentication is desirable for various NOC/OPs environments.
The proposed solution to this issue is:
A new authen_type value is required to support SSH User Certificate authentication:
TAC_PLUS_AUTHEN_TYPE_SSHCERT := 0x09
The "5.4.2. Common Authentication Flows" section of RFC8907 is augmented:
SSH Certificate Login
action = TAC_PLUS_AUTHEN_LOGIN
authen_type = TAC_PLUS_AUTHEN_TYPE_SSHCERT
minor_version = 0x1
The entire exchange MUST consist of a single START packet and a single REPLY. The START packet MUST contain a username and the data field MUST contain the SSH client's certificate key-id. The REPLY from the daemon MUST be either a PASS, FAIL or ERROR. In case of a PASS, the data field of the response SHOULD contain AuthorizedPrincipalsFile (see the sshd man page for details) compatible output.
For Authorization and Accounting, the authen_method TAC_PLUS_AUTHEN_METH_TACACSPLUS MUST be used.
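The following is an added worked example of the single START/REPLY exchange specified above, encoded on the RFC 8907 packet format; it is not code from tac_plus-ng or from tac_apc.pl. It builds the START packet with the proposed authen_type 0x09 and minor_version 0x1, obfuscates the body with the RFC 8907 section 4.5 MD5 pseudo-pad, and lets a toy server decide PASS, FAIL or ERROR and return AuthorizedPrincipalsFile-style lines in the data field of a PASS. The shared secret, the key-ids and the principal table are constructed for the example. It also shows why the START packet is "somewhat limited": data_len in a START body is a single octet, so a key-id longer than 255 bytes cannot be carried.

```python
"""Added example: the proposed TAC_PLUS_AUTHEN_TYPE_SSHCERT exchange on RFC 8907 framing."""
import hashlib
import os
import struct

# RFC 8907 header and authentication constants
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_ONE = 0x1          # the proposal mandates minor_version = 0x1
VERSION = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_ONE
TAC_PLUS_AUTHEN = 0x01                # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01          # action
TAC_PLUS_AUTHEN_TYPE_SSHCERT = 0x09   # new authen_type proposed on this page
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHEN_STATUS_PASS = 0x01
TAC_PLUS_AUTHEN_STATUS_FAIL = 0x02
TAC_PLUS_AUTHEN_STATUS_ERROR = 0x07
MAX_START_DATA = 255                  # data_len in a START body is one octet


def _pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5 chain over session_id, key, version, seq_no."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def _obfuscate(body, session_id, key, version, seq_no):
    # XOR with the pseudo-pad; the same call de-obfuscates.
    return bytes(a ^ b for a, b in zip(body, _pseudo_pad(session_id, key, version, seq_no, len(body))))


def _header(seq_no, session_id, body_len):
    return struct.pack("!BBBBII", VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, body_len)


def parse_header(packet):
    return struct.unpack("!BBBBII", packet[:12])  # version, type, seq_no, flags, session_id, length


def build_sshcert_start(user, key_id, session_id, key, port=b"ssh", rem_addr=b""):
    """Client side: the single START packet; data carries the certificate key-id."""
    data = key_id.encode()
    if len(data) > MAX_START_DATA:
        raise ValueError("certificate key-id does not fit the one-octet data_len of a START body")
    body = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, 0, TAC_PLUS_AUTHEN_TYPE_SSHCERT,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(data))
    body += user.encode() + port + rem_addr + data
    return _header(1, session_id, len(body)) + _obfuscate(body, session_id, key, VERSION, 1)


def parse_sshcert_start(packet, key):
    """Server side: recover username and key-id, rejecting any other flow."""
    version, _ptype, seq_no, _flags, session_id, length = parse_header(packet)
    body = _obfuscate(packet[12:12 + length], session_id, key, version, seq_no)
    action, _priv, authen_type, _svc, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
    if action != TAC_PLUS_AUTHEN_LOGIN or authen_type != TAC_PLUS_AUTHEN_TYPE_SSHCERT:
        raise ValueError("not an SSH certificate login START")
    off = 8
    user = body[off:off + ul].decode()
    off += ul + pl + rl                     # skip port and rem_addr
    return session_id, user, body[off:off + dl].decode()


def build_reply(status, server_msg, data, session_id, key):
    body = struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data
    return _header(2, session_id, len(body)) + _obfuscate(body, session_id, key, VERSION, 2)


def parse_reply(packet, key):
    version, _ptype, seq_no, _flags, session_id, length = parse_header(packet)
    body = _obfuscate(packet[12:12 + length], session_id, key, version, seq_no)
    status, _rflags, ml, dl = struct.unpack("!BBHH", body[:6])
    return status, body[6:6 + ml].decode(), body[6 + ml:6 + ml + dl].decode()


# Constructed toy policy: which certificate key-ids may log in as which principals.
# A real daemon would take this from its configuration.
AUTHORIZED = {
    "alice@example.net": ["alice", "noc-admin"],
    "bob@example.net": ["bob"],
}


def server_handle(packet, key):
    """Single REPLY: PASS with AuthorizedPrincipalsFile-style lines, FAIL, or ERROR."""
    session_id = parse_header(packet)[4] if len(packet) >= 12 else 0
    try:
        session_id, user, key_id = parse_sshcert_start(packet, key)
    except (ValueError, struct.error, UnicodeDecodeError):
        return build_reply(TAC_PLUS_AUTHEN_STATUS_ERROR, b"malformed START", b"", session_id, key)
    principals = AUTHORIZED.get(key_id, [])
    if user in principals:
        data = ("\n".join(principals) + "\n").encode()
        return build_reply(TAC_PLUS_AUTHEN_STATUS_PASS, b"", data, session_id, key)
    return build_reply(TAC_PLUS_AUTHEN_STATUS_FAIL, b"certificate not authorized", b"", session_id, key)


def authenticate(user, key_id, key=b"constructed-shared-secret"):
    """Run the whole exchange in-process; returns (status, data) from the REPLY."""
    session_id = int.from_bytes(os.urandom(4), "big")
    status, _msg, data = parse_reply(server_handle(build_sshcert_start(user, key_id, session_id, key), key), key)
    return status, data
```

An AuthorizedPrincipalsCommand in the spirit of tac_apc.pl would call authenticate() with the username and key-id tokens OpenSSH passes to it and write the returned data to stdout on PASS, printing nothing on FAIL or ERROR so that sshd finds no matching principal.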