Hi Med, Dear WG,

Many thanks for this. Yes, we are very interested in solving this topic and I am happy to support the draft as an operator.

Regarding the limitations (dropping scope for Certs for HTTPS authentication), I would be interested to understand the background. Maybe we could meet in Shenzhen to discuss?

Best regards,
Nils

Deutsche Telekom Technik GmbH
Core Networks & First-Line Maintenance (T-CNF)
Lead Architect of DT IP Core Solution Architecture Board
Wolbecker Strasse 268, 48155 Münster
Mob.: +49 151 720 122 46
E-Mail: [email protected]
www.telekom.de
The statutory disclosures can be found at: www.telekom.de/pflichtangaben-dttechnik

From: [email protected] <[email protected]>
Sent: Monday, March 9, 2026 9:26 AM
To: Douglas Gash (dcmgash) <[email protected]>; Joe Clarke (jclarke) <[email protected]>; EBALARD Arnaud <[email protected]>; Warnke, Nils <[email protected]>
Cc: John Heasley <[email protected]>; Thorsten Dahm <[email protected]>; Andrej Ota <[email protected]>; [email protected]
Subject: RE: TACACS+ extension for SSH keys Transfer

Hi Doug, all,

Thanks for the follow-up and sharing this proposal. Adding Nils to have his feedback as well (as I know they are also interested to solve this).

Cheers,
Med

From: Douglas Gash (dcmgash) <[email protected]>
Sent: Friday, March 6, 2026 10:59
To: Joe Clarke (jclarke) <[email protected]>; EBALARD Arnaud <[email protected]>; BOUCADAIR Mohamed INNOV/NET <[email protected]>; [email protected]
Cc: John Heasley <[email protected]>; Thorsten Dahm <[email protected]>; Andrej Ota <[email protected]>
Subject: TACACS+ extension for SSH keys Transfer

... with slightly more appropriate subject.

Dear OPSAWG, Med, Joe, Arnaud,

We plan to specify how SSH keys may be transferred over the TACACS+ protocol, with the idea that this specification document may be of interest to the OPSAWG team to enhance interoperability. The approach was originally included in a general TACACS+ security document that also included TLS transport; however, it was determined that the two subjects would best be handled by separate documents. The TLS part is completed, so we return to the SSH key transfer part.

This note is intended to set the scope of the document. Based upon the feedback on the scope, we will follow up with the first revision of the document itself.

1 Purpose:
(TLS) TACACS+ protocol extensions for transfer of public SSH Keys from the AAA server to the AAA client

2 What will be specified:
* How the fields in the Authorization packets are used:
  * by the TACACS+ AAA Client to request the Keys,
  * by the TACACS+ AAA Server to encode the Keys,
  * how the flow will be coordinated and completed.
* Description of the TACACS+ Role in the complete AAA SSH session flow (Authentication/Authorization/Accounting), and which phases are optional

3 Clarifications/Limitations
* There is no intent to extend the actual SSH authentication out of the device over TACACS+ to the AAA server. The authentication flow is purely for the retrieval of the Keys. Consequently, other than abstaining from sharing the publicly available materials, the authorization phase is the only step where the TACACS+ Server may actually enact a Policy Decision in the overall flow (as now).
* There was a previous call to include the distribution of other material (Certs for HTTPS authentication); this option has been dropped after further discussion.
_______________________________________________
OPSAWG mailing list -- [email protected]
To unsubscribe send an email to [email protected]
