Dear OPSAWG, Med, Joe, Arnaud.
We plan to specify how SSH keys may be transferred over TACACS+ protocol, with
idea that this specification document may be of interest to OPSAWG team to
enhance interoperability.
The approach was originally included in a general TACACS+ security document
that also included TLS transport, however it was determined that the two
subjects would best be handled by separate documents. The TLS part is
completed, so we return to the SSH key transfer part.
This note is intended to set the scope of the document. Based upon the feedback
of the scope, we will follow up with the first revision for the document itself.
1 Purpose:
(TLS) TACACS+ protocol extensions for transfer of public SSH Keys from the AAA
server to the AAA client
2 What will be specified:
*
How the fields in the Authorization packets are used:
*
by the TACACS+ AAA Client to request, the Keys,
*
by the TACACS+ AAA Server to encode the Keys,
*
how the flow will be coordinated and completed.
*
Description of TACACS+ Role in the complete AAA SSH session flow
(Authentication/Authorization/Accounting), and which phases are optional
3 Clarifications/Limitations
*
There is no intent to extend the actual SSH authentication out of the device
over TACACS+ to the AAA server. The authentication flow is purely for the
retrieval of the Keys. Consequently, other than abstaining from sharing the
publicly available materials, the authorization phase is the only step where
the TACACS+ Server may actually enact Policy Decision in the overall flow (as
now).
* There has been a previous call to including the distribution of other
material (Certs for HTTPS authentication), this option has been dropped after
further discussion.
_______________________________________________
OPSAWG mailing list -- [email protected]
To unsubscribe send an email to [email protected]
