| Internet-Draft | TACACS+ Security | June 2022 |
| Dahm, et al. | Expires 4 December 2022 | [Page] |
The TACACS+ Protocol [RFC8907] provides device administration for routers, network access servers and other networked computing devices via one or more centralized servers. This document, a companion to the TACACS+ protocol [RFC8907], adds new packet formats to improve security and function and support for SSH [RFC4716] public keys.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [BCP14] when, and only when, they appear in all capitals, as shown here.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 4 December 2022.¶
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The TACACS+ Protocol [RFC8907] provides device administration for routers, network access servers and other networked computing devices via one or more centralized servers. The protocol provides authentication, authorization and accounting services for TACACS+ clients.¶
Authors of [RFC8907] and network operators have expressed interest in deprecating a few antiquated protocol features, addressing a limitation of authentication policy, and adding support for SSH public keys. These are addressed herein.¶
To improve security and functionality of applying policy to the authentication process in a TACACS+ Session, new authentication packet formats are introduced that are uniform to authorization and accounting. For SSH authentication using public keys, highly desired by the operator community, this document introduces a method to support sending public keys to a TACACS+ client, allowing centralized management.¶
The Technical Definitions section of the TACACS+ Protocol [RFC8907] is fully applicable here and will not be repeated, though may be augmented. The following terms are also used in this document.¶
An Attribute-Value Pair or AVP is another name a TACACS+ argument as defined in [RFC8907] Sections 6.1 and 8.¶
An empty or zero-length value of an AVP as defined in [RFC8907] Sections 8.1.¶
This refers to a TACACS+ Server or Client.¶
A TLS Connection is a TCP/IP connection with TLS authentication and encryption used by TACACS+ for transport, similar to a Connection as defined in TACACS+ Protocol [RFC8907].¶
Versions 1 and 2 of the TACACS+ Protocol, as defined in [RFC8907], specify the TACACS+ Authentication Packets for START, REPLY and CONTINUE which support the credential validation use case but does not accommodate any further argumentation which may be used to give context to the request.¶
One use-case where this shortcoming inhibits correct operation is for the TACACS+ proxy. Because the originating client is not encoded in the regular Authentication START Packet, TACACS+ Servers generally attempt to determine the client from the TCP connection. This is effective only for the first step: proxied TACACS+ servers can no longer securely enforce policy based upon the end client IP-Address.¶
Further, advanced use cases (such as SSH key distribution) would otherwise rely on embedding structured information into the single data fields, obfuscating the content of the protocol.¶
To support these use cases, and allow clients to add environment information to the request, the Extended Authentication Packets brings the Authentication phase of the protocol inline with the Authorization and Accounting Phase by incorporating extensible argument s.¶
The server should expect Extended Authentication Packet Bodies if the minor version in the Packet Header is: 0x2¶
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 +----------------+----------------+----------------+----------------+ | action | priv_lvl | authen_type | authen_service | +----------------+----------------+----------------+----------------+ | user_len | port_len | rem_addr_len | data_len | +----------------+----------------+----------------+----------------+ | arg_cnt | +----------------+----------------+----------------+----------------+ | arg_1_len | +----------------+----------------+----------------+----------------+ | ... | +----------------+----------------+----------------+----------------+ | arg_N_len | +----------------+----------------+----------------+----------------+ | user ... +----------------+----------------+----------------+----------------+ | port ... +----------------+----------------+----------------+----------------+ | rem_addr ... +----------------+----------------+----------------+----------------+ | data... +----------------+----------------+----------------+----------------+ | arg_1 ... +----------------+----------------+----------------+----------------+ | arg_2 ... +----------------+----------------+----------------+----------------+ | ... +----------------+----------------+----------------+----------------+ | arg_N ... +----------------+----------------+----------------+----------------+
The action, priv_level, authen_type, authen_service, user_len, port_len, rem_addr_len, data_len, user, port, rem_addr and data fields are used exactly as defined in the Authentication START Packet Body in [RFC8907].¶
The following fields contain the arguments that may be used to extend the authentication process. These are common to the Extended Authentication START, Extended Authentication REPLY, and Extended Authentication CONTINUE packet bodies; these fields represent the sole update from the previous START, REPLY and CONTINUE packet bodies.¶
The new fields are as follows:¶
arg_cnt¶
This represents the number of arguments in the packet.¶
arg_1_len ... arg_N_len, arg_1 ... arg_N¶
Each argument is encoded in the packet as a single arg field (arg_1 ... arg_N) with a corresponding length field that indicates the length of each argument in bytes.¶
The arguments are argument-value pairs. The argument and the value are in a single string and are separated by either a "=" (0X3D) or a "*" (0X2A). The equals sign indicates a mandatory argument. The asterisk indicates an optional one. For the rules regarding optional and mandatory arguments, refer to [RFC8907]¶
Multiple arguments with the same name are permitted within a packet, a common example is cmd-arg. The handling of repeated arguments is specific to the semantics of the argument and so are documented with that argument. Order is significant when processing arguments.¶
The addition of arguments to the authentication packets is intended to permit the flexibility for the TACACS+ authentication phase that has been available previously for authorization and accounting. These fields are intended to be used as needed in deployment, they are used in this document in the enhancements for SSH (Section 4):¶
origin_client¶
Contains the IP-Address of the originating TACACS+ client. This is text encoded in line with the rest of the TACACS+ protocol, and may be IPv4 or IPv6. This argument is optional and can be included in all TACACS+ protocol START packets, Authentication, Authorization, and Accounting. IPv4 addresses are specified as quad-octet numeric values separated by dots ('.'). IPv6 address text representation is defined in [RFC5952].¶
The TACACS+ server sends only one type of extended authentication packet to the client.¶
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 +----------------+----------------+----------------+----------------+ | status | flags | server_msg_len | +----------------+----------------+----------------+----------------+ | data_len | +----------------+----------------+----------------+----------------+ | arg_cnt | +----------------+----------------+----------------+----------------+ | arg_1_len | +----------------+----------------+----------------+----------------+ | ... | +----------------+----------------+----------------+----------------+ | arg_N_len | +----------------+----------------+----------------+----------------+ | data ... +----------------+----------------+----------------+----------------+ | server_msg ... +----------------+----------------+----------------+----------------+ | arg_1 ... +----------------+----------------+----------------+----------------+ | arg_2 ... +----------------+----------------+----------------+----------------+ | ... +----------------+----------------+----------------+----------------+ | arg_N ... +----------------+----------------+----------------+----------------+
The status, flags, server_msg_len, data_len, server_msg, and data fields are used exactly as defined in the Authentication REPLY Packet Body in [RFC8907]].¶
The new arg_cnt, arg_1 ... arg_N, and arg_1_len .... arg_N_len fields are used as defined in The Extended Authentication START Packet Body (Section 3.1).¶
This packet is sent from the client to the server following the receipt of an Extended REPLY packet.¶
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 +----------------+----------------+----------------+----------------+ | status | user_msg len | +----------------+----------------+----------------+----------------+ | data_len | +----------------+----------------+----------------+----------------+ | arg_cnt | +----------------+----------------+----------------+----------------+ | arg_1_len | +----------------+----------------+----------------+----------------+ | ... | +----------------+----------------+----------------+----------------+ | arg_N_len | +----------------+----------------+----------------+----------------+ | user_msg ... +----------------+----------------+----------------+----------------+ | data ... +----------------+----------------+----------------+----------------+ | arg_1 ... +----------------+----------------+----------------+----------------+ | arg_2 ... +----------------+----------------+----------------+----------------+ | ... +----------------+----------------+----------------+----------------+ | arg_N ... +----------------+----------------+----------------+----------------+
The user_msg len, data_len, user_msg, and data fields are used exactly as defined in the Authentication REPLY Packet Body in [RFC8907]. However, the status field replaces the flags field and has the following enumeration:¶
TAC_PLUS_AUTHEN_CONTINUE_STATUS_NONE or TAC_PLUS_AUTHEN_CONTINUE_STATUS_ABORT MUST be used when the Extended Authentication Packets are used for the continuation of authentication flows documented in [RFC8907].¶
The client may prematurely terminate a session by setting the TAC_PLUS_AUTHEN_CONTINUE_STATUS_ABORT or TAC_PLUS_AUTHEN_CONTINUE_STATUS_ERROR status in the CONTINUE message. The remainder are detailed in SSH (Section 4).¶
The new arg_cnt, arg_1 ... arg_N, and arg_1_len .... arg_N_len fields are used as defined in The Extended Authentication START Packet Body (Section 3.1).¶
Most network equipment now support SSH [RFC4251] for Command Line Interface (CLI) and NETCONF [RFC6242]. Operators SHOULD use SSH public keys for authentication. Some devices support public keys in native configuration, but there is desire to centrally manage keys and SSH subsystem authorization.¶
The following new enumerated TACACS+ protocol values and well-known AVPs are needed to support SSH in the subsequent sections. These new values augment those in [RFC8907] Sections 5.1 - 5.3, 6.1, and 8.2 as follows:¶
To support central management of SSH public keys via TACACS+, the Authentication sequence of [RFC8907] Section 5.4 is extended using Extended Authentication Packet (Section 3) sequences to deliver SSH public keys to devices for local verification.¶
Besides new header values and flags and AVPs for Extended Authentication Packets, the SSH public key authentication process differs from other TACACS+ authentication types in that there may be more Authentication Reply and Authentication Continue Packets pairs than previously.¶
The process follows:¶
To support central management of SSH and SSH subsystem authorization and accounting via TACACS+, this document adds a new authen_method to RFC8907 Section 6.1 Authorization REQUEST [RFC8907] and a well-known AVP to Section 8.2 Authorization Arguments [RFC8907].¶
The new authen_method TAC_PLUS_AUTHEN_METH_SSHPUBKEY indicates that the user was authenticated with a SSH public key.¶
The well-known ssh_subsystem AVP defines the SSH subsystem for which the authorization is requested and MUST be present any time the authorization is for a SSH connection.¶
The set of permissible values for this AVP are the SSH Subsystem Names defined in the IANA SSH Connection Protocol Subsystem Names Registry [SSHSUBSYS], which are case-sensitive as specified and otherwise constrained by [RFC4250] Section 4.6.1. The client MAY send an Empty Value for the subsystem name to indicate no subsystem, also known as a shell or CLI. The server MUST NOT reply with status TAC_PLUS_AUTHOR_STATUS_ERROR if it receives a subsystem name whose syntax is valid but whose value is not recognized. Subsystems might need additional data for authorization or accounting that will be particular to that subsystem and are therefore out of scope for this document.¶
These new authen_methods and AVPs apply equally to accounting.¶
This section deprecates features from the TACACS+ Protocol.¶
MS-CHAPv1: has been replaced by MS-CHAPv2 in most deployments, the intent of this deprecation is to complete the transition. MD4 is still required to support MS-CHAPv2 so cannot be deprecated at this point It should be noted that the use of MD4 is purely to allow compatible MS-CHAPv2 operation and not for security; the TLS transport is intended to provide that function.¶
TAC_PLUS_AUTHEN_SENDAUTH: the sendauth mechanism can not be supported, as it permits the leak of sensitive information.¶
A Client MUST NOT cache SSH public keys received from a Server for future SSH client authentication. Doing so would deny the Server the opportunity to deny authentication for other reasons than key validity or to revoke a key. The Server has no method to revoke a key, except by not offering the key in future authentication sessions.¶
The author(s) would like to thank Russ Housley, Steven M. Bellovin, Stephen Farrell, Alan DeKok, Warren Kumari, and Tom Petch for their support, insightful review, and/or comments. [RFC5425] was also used as a basis for the approach to TLS.¶