
TACACS_PLUS SSH Certificate Authentication

Marc Huber edited this page Dec 17, 2022 · 12 revisions

This is a logical extension of the current TACACS+ standard. This document isn't well-formatted, and there's likely an issue with referring to OpenSSH formats that aren't covered by an RfC.

Please note that this protocol extension is not a standard by itself. However, it suits RFC8907 with a minimum of changes, and the spec below is just about 50 lines of text.

I grant the BCP78/BCP79 (or whatever is required) rights to the IETF, and I'd appreciate it if this approach ended up in an RfC.

tac_plus-ng fully supports TAC_PLUS_AUTHEN_TYPE_SSHCERT. The tac_apc.pl script, which is also part of the Git repository, provides a suitable AuthorizedPrincipalsCommand for OpenSSH as a proof of concept.

-- Marc Huber Marc.Huber@web.de


TACACS+ SSH Certificate Authentication

The basic motivation behind this is that certificate-based authentication is desirable for various NOC/Ops environments.

The proposed solution to this issue is:

A new authen_type value is required to support SSH User Certificate authentication:

TAC_PLUS_AUTHEN_TYPE_SSHCERT := 0x09

The "5.4.2. Common Authentication Flows" section of RFC8907 is augmented:

SSH Certificate Login

action = TAC_PLUS_AUTHEN_LOGIN
authen_type = TAC_PLUS_AUTHEN_TYPE_SSHCERT
minor_version = 0x1

The entire exchange MUST consist of a single START packet and a single REPLY. The START packet MUST contain a username, and its data field MUST contain the SSH client's certificate key-id. The REPLY from the daemon MUST be either a PASS, FAIL or ERROR. In case of a PASS, the data field of the REPLY SHOULD contain output in the AuthorizedPrincipalsFile format (see the sshd man page for details).
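The flow above, worked through as bytes on the wire. This is an added example and not code from tac_plus-ng or tac_apc.pl: it packs the RFC8907 authentication START body with the proposed authen_type 0x09, answers it with a single REPLY, and has the NAS side refuse any status other than PASS/FAIL/ERROR, since the SSHCERT flow leaves no room for a CONTINUE. The key-id/principal table and the daemon's "user must be one of the key-id's principals" policy are constructed stand-ins; the key-id is assumed to be UTF-8 text; and TAC_PLUS_UNENCRYPTED_FLAG is set only so the packet bytes are readable, a real deployment obfuscates the body as RFC8907 requires. One practical caveat the spec text does not spell out: every length field in the START body, data_len included, is a single octet, so a certificate key-id longer than 255 octets cannot be carried at all, and the encoder below rejects it rather than truncating.

```python
"""Worked START/REPLY exchange for the proposed TAC_PLUS_AUTHEN_TYPE_SSHCERT (added
example). Layouts and other constants follow RFC 8907; table and policy are constructed."""
import struct

TAC_PLUS_MINOR_VER_ONE = 0x1          # the proposal mandates minor_version 0x1
TAC_PLUS_AUTHEN = 0x01                # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01      # body left in the clear so the bytes are readable
TAC_PLUS_AUTHEN_LOGIN = 0x01          # START action
TAC_PLUS_PRIV_LVL_USER = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_SSHCERT = 0x09   # proposed value from this page
TAC_PLUS_AUTHEN_STATUS_PASS = 0x01
TAC_PLUS_AUTHEN_STATUS_FAIL = 0x02
TAC_PLUS_AUTHEN_STATUS_ERROR = 0x07
FINAL_STATUSES = {TAC_PLUS_AUTHEN_STATUS_PASS, TAC_PLUS_AUTHEN_STATUS_FAIL, TAC_PLUS_AUTHEN_STATUS_ERROR}

HEADER = struct.Struct("!BBBBII")     # version, type, seq_no, flags, session_id, length
START_FIXED = struct.Struct("!8B")    # action, priv_lvl, authen_type, service, 4 x len
REPLY_FIXED = struct.Struct("!BBHH")  # status, flags, server_msg_len, data_len

def _header(seq_no, session_id, body_len):
    version = (0xC << 4) | TAC_PLUS_MINOR_VER_ONE   # major version 0xC, minor 0x1
    return HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no,
                       TAC_PLUS_UNENCRYPTED_FLAG, session_id, body_len)

def build_sshcert_start(session_id, user, key_id, port="ssh", rem_addr=""):
    """NAS side: the single START packet; data carries the certificate key-id."""
    fields = [s.encode() for s in (user, port, rem_addr, key_id)]
    if not fields[0]:
        raise ValueError("START for SSHCERT MUST carry a username")
    if any(len(f) > 255 for f in fields):
        # every length field in the START body is one octet: a longer key-id cannot be sent
        raise ValueError("START body field exceeds 255 octets")
    body = START_FIXED.pack(TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_PRIV_LVL_USER,
                            TAC_PLUS_AUTHEN_TYPE_SSHCERT, TAC_PLUS_AUTHEN_SVC_LOGIN,
                            *(len(f) for f in fields)) + b"".join(fields)
    return _header(1, session_id, len(body)) + body

def _split_body(packet):
    version, ptype, seq_no, _flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:]
    if ptype != TAC_PLUS_AUTHEN or len(body) != length:
        raise ValueError("not an authentication packet or header length mismatch")
    return version, seq_no, session_id, body

def parse_start(packet):
    version, seq_no, session_id, body = _split_body(packet)
    action, _priv_lvl, authen_type, _service, *lens = START_FIXED.unpack_from(body)
    off, values = START_FIXED.size, []
    for n in lens:
        values.append(body[off:off + n])
        off += n
    if off != len(body):
        raise ValueError("START body length fields do not add up")
    user, _port, _rem_addr, data = values
    return {"session_id": session_id, "seq_no": seq_no, "minor_version": version & 0x0F,
            "action": action, "authen_type": authen_type, "user": user.decode(), "key_id": data.decode()}

# constructed example table: certificate key-id -> principals to hand to sshd
MOCK_PRINCIPALS = {"alice@example-ca-2022": ["alice", "oncall"]}

def daemon_reply(start_packet):
    """Daemon side: one REPLY that MUST be PASS, FAIL or ERROR (mock policy)."""
    req = parse_start(start_packet)
    if (req["action"] != TAC_PLUS_AUTHEN_LOGIN
            or req["authen_type"] != TAC_PLUS_AUTHEN_TYPE_SSHCERT
            or req["minor_version"] != TAC_PLUS_MINOR_VER_ONE):
        status, data = TAC_PLUS_AUTHEN_STATUS_ERROR, b""
    elif req["user"] in MOCK_PRINCIPALS.get(req["key_id"], []):
        # PASS: data is AuthorizedPrincipalsFile-compatible, one principal per line
        status = TAC_PLUS_AUTHEN_STATUS_PASS
        data = "".join(p + "\n" for p in MOCK_PRINCIPALS[req["key_id"]]).encode()
    else:
        status, data = TAC_PLUS_AUTHEN_STATUS_FAIL, b""
    body = REPLY_FIXED.pack(status, 0, 0, len(data)) + data
    return _header(req["seq_no"] + 1, req["session_id"], len(body)) + body

def parse_reply(packet, expected_session):
    """NAS side: validate the REPLY and return (status, server_msg, principals)."""
    _version, seq_no, session_id, body = _split_body(packet)
    if session_id != expected_session or seq_no != 2:
        raise ValueError("REPLY does not belong to this single-exchange session")
    status, _flags, msg_len, data_len = REPLY_FIXED.unpack_from(body)
    off = REPLY_FIXED.size
    if off + msg_len + data_len != len(body):
        raise ValueError("REPLY body length fields do not add up")
    if status not in FINAL_STATUSES:
        # GETDATA/GETUSER/GETPASS/RESTART would need a CONTINUE, which this flow forbids
        raise ValueError("status 0x%02x not allowed in SSHCERT flow" % status)
    server_msg = body[off:off + msg_len].decode()
    data = body[off + msg_len:off + msg_len + data_len]
    principals = data.decode().splitlines() if status == TAC_PLUS_AUTHEN_STATUS_PASS else []
    return status, server_msg, principals

def run_exchange(user, key_id, session_id=0x1234ABCD):
    start = build_sshcert_start(session_id, user, key_id)
    return parse_reply(daemon_reply(start), session_id)
```

`run_exchange("alice", "alice@example-ca-2022")` returns the PASS status with the two principal lines an AuthorizedPrincipalsCommand would print to sshd; an unknown key-id or a username outside the key-id's principals yields FAIL with empty data. The NAS-side checks (session id, sequence number 2, and the status whitelist) are the part worth keeping in a real client: a daemon that answers GETPASS to an SSHCERT START is misconfigured or speaking a different dialect, and the client must not fall back to prompting for a password.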

Authorization and Accounting

For Authorization and Accounting, the authen_method TAC_PLUS_AUTHEN_METH_TACACSPLUS MUST be used.

