Creating a role definition for secure shell rights

You can add SSH rights to any role definition as long as the role does not accept local users. Although SSH rights require the PAM ssh right, the role definition to which you add SSH rights does not require the PAM access right. As long as a user is assigned to a role that includes the PAM ssh right, you can add SSH rights to any other role definition to make the rights effective.

In addition to adding the rights to a role definition, you must set the ServiceAuthLocation parameter in the sshd_config configuration file to check for secure shell rights when users log on using a secure shell. In most cases, you should use the Enable application rights group policy to set this parameter for all Centrify-managed Linux and UNIX computers. This group policy sets the path to the dzsshchk command, which verifies the specific application rights for users when they log on.

Alternatively, you can manually set this parameter on an individual computer by editing the configuration file to include the following:

ServiceAuthLocation /usr/share/centrifydc/libexec/dzsshchk
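
To confirm that a computer actually carries this setting, whether it came from the group policy or a manual edit, the following added example (not part of the Centrify documentation) audits a configuration file for the effective ServiceAuthLocation value. The function names and exit codes are hypothetical, the sshd_config path is supplied as an argument, and the parsing assumes stock OpenSSH rules.

```shell
#!/bin/sh
# Added example: audit an sshd_config file for the ServiceAuthLocation setting.
# The expected path is the one given on this page.
EXPECTED=/usr/share/centrifydc/libexec/dzsshchk

# Print the effective ServiceAuthLocation value, or nothing if it is not set.
# Assumption (stock OpenSSH rules): keywords are case-insensitive, lines that
# start with "#" are comments, "keyword=value" is accepted, first match wins.
service_auth_location() {
    awk '{
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next
        split(line, f, /[ \t=]+/)
        if (tolower(f[1]) == "serviceauthlocation") { print f[2]; exit }
    }' "$1"
}

# Hypothetical exit codes: 0 = set as expected, 1 = not set, 2 = other path.
check_ssh_rights_config() {
    value=$(service_auth_location "$1")
    if [ -z "$value" ]; then
        echo "missing: no ServiceAuthLocation in $1"
        return 1
    fi
    if [ "$value" != "$EXPECTED" ]; then
        echo "mismatch: ServiceAuthLocation is $value, expected $EXPECTED"
        return 2
    fi
    echo "ok: ServiceAuthLocation $value"
    # Report a helper that is absent or not executable on this host.
    [ -x "$value" ] || echo "warning: $value is not an executable file here"
}

# Usage: sh check_ssh_rights.sh /path/to/sshd_config
if [ "$#" -gt 0 ]; then
    check_ssh_rights_config "$1"
fi
```

A commented-out directive is reported as missing, and a directive that points at any other path is reported as a mismatch so it can be reviewed.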