[j-nsp] Forced password resets?

Julien Goodwin jgoodwin at studio442.com.au
Thu Apr 19 06:56:41 EDT 2018



On 19/04/18 19:14, Saku Ytti wrote:
> Anyone up for some IETF fun? I think this PW problem can be mostly
> solved by a standard API. I imagine that you have some credentials
> wallet which supports the API, browser which supports the API and HTTP
> server which supports the API. You have some way to locally lock down
> and open the wallet, which is out-of-scope for the standard.
> Now when you register to a new site, your browser asks the site about
> authentication policy (what information is needed, what that
> information can look like) it then asks wallet to provide such
> information for a set of hosts or URLs, and then the browser offers this
> information to the server.

There are various proposals for that in web-land, some of which are
sane-ish (the exact rant is off-topic enough I'll skip it), some of them
also practical for non-interactive and non-web uses.

What is on-topic is there are some folk looking at standardising TACACS
as it's actually implemented, and then potentially an enhancement. I'd
*REALLY* love if client key negotiation of some form was in the
standard, so I could simply ssh to any router with key auth without
needing to statically configure keys on each router.

Draft:
https://tools.ietf.org/html/draft-ietf-opsawg-tacacs-10

