I can set a router to authenticate via an SSH public key with:

ip ssh pubkey-chain
 username admin
  key-string
   <ssh-pub-key>
  exit
 exit

Is it possible to do something similar with Cisco ACS, to enable a public key to be trusted for ssh across a whole set of devices that are already configured for TACACS+?

glallen
  • does that answer your question? – Craig Constantine Jun 13 '14 at 17:03
  • 1
    well, it was a 'looks like' not 'absolutely' does not, (ie lack of positive evidence of this function, vs positive evidence of the lack of function) so I figured I'd leave the question open a couple of days with your bounty to see if any more details came out. – glallen Jun 13 '14 at 17:22
  • I don't use tacacs and don't have any version of ACS running, so I cannot say with 100% confidence. The "looks like" is based on researching features of the various versions of ACS, and the lack of documented support in any other tacacs server. – Ricky Jun 17 '14 at 15:40
  • @RickyBeam I've got a copy of ACS running - but, like you said, I couldn't find anything either - so your answer is correct. – glallen Jun 18 '14 at 17:38
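Because the answer below finds no central option, the stanza shown in the question has to be pushed to each device individually. As an added example (not code from the question, the answer or Cisco), this Python renders that stanza from an OpenSSH public key and computes the fingerprint an operator can compare against each device afterwards; the 72-character line width and the MD5 key-hash form are assumptions about IOS behaviour, and the key blob is constructed, not a real key.

```python
import base64
import hashlib
import textwrap

# Constructed sample key in SSH wire format (string "ssh-rsa", mpint e, mpint n)
# so it base64-decodes and parses like a real key; it is NOT a usable key.
SAMPLE_BLOB = (b"\x00\x00\x00\x07ssh-rsa"            # key type string
               + b"\x00\x00\x00\x03\x01\x00\x01"      # e = 65537
               + b"\x00\x00\x00\x41\x00" + bytes(range(64)))  # fake 512-bit n
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_AUTHORIZED_KEY = f"ssh-rsa {SAMPLE_B64} admin@netops"

def parse_openssh_pubkey(line: str) -> tuple[str, bytes, str]:
    """Split an authorized_keys-style line into (type, blob, comment) and
    check that the type embedded in the blob matches the leading token."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    type_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + type_len] != key_type.encode("ascii"):
        raise ValueError("key type token does not match the encoded key")
    return key_type, blob, comment

def ios_pubkey_chain(username: str, line: str, width: int = 72) -> list[str]:
    """Render the 'ip ssh pubkey-chain' stanza from the question for one user.
    The base64 is split into short lines because IOS accepts the key-string
    in chunks and reassembles them (assumption: 72 chars per line is safe)."""
    key_type, blob, _ = parse_openssh_pubkey(line)
    if key_type != "ssh-rsa":
        raise ValueError("pubkey-chain on IOS takes ssh-rsa keys")
    b64 = base64.b64encode(blob).decode()
    cfg = ["ip ssh pubkey-chain", f" username {username}", "  key-string"]
    cfg += [f"   {chunk}" for chunk in textwrap.wrap(b64, width)]
    cfg += ["  exit", " exit"]
    return cfg

def ios_key_hash(line: str) -> str:
    """MD5 of the decoded blob. IOS stores the key in the running config as
    'key-hash ssh-rsa <md5hex>' (assumption based on observed IOS output), so
    this value lets an operator verify the same key landed on every device."""
    _, blob, _ = parse_openssh_pubkey(line)
    return hashlib.md5(blob).hexdigest()

if __name__ == "__main__":
    print("\n".join(ios_pubkey_chain("admin", SAMPLE_AUTHORIZED_KEY)))
    print("expected key-hash:", ios_key_hash(SAMPLE_AUTHORIZED_KEY))
```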

1 Answer

It looks like "No". There's nothing specific in TACACS+ to transport a certificate exchange; however, an ASCII data payload could suffice (the RFC is a decade old). The real question is whether ACS has any method to handle it, and that also appears to be "no". The only mention I can find of PKI or certificate-based authentication is for EAP-TLS, which is not what you want.

Update

I found a single reference in IOS-XR documents:

Note The preferred method of authentication would be as stated in the SSH RFC. The RSA based authentication support is only for local authentication, and not for TACACS/RADIUS servers.

Ricky
  • That's a shame. You can manage a whole network infrastructure with user/pass, but one would think there would be a PKI structure to do the same. I found http://freeradius.1045715.n5.nabble.com/Is-Centralized-SSH-Public-Key-Authentication-Possible-td2779208.html which seems to say the same: centralized SSH key auth is just not possible (with RADIUS either). The project openssh-lpk seems related, but it looks like it's for centralized SSH to hosts, not devices such as routers/switches. – glallen Jun 13 '14 at 12:14
  • There's one official answer from the mothership. – Ricky Jun 19 '14 at 06:37