Configuring secure shell settings

You can use Centrify group policies to manage several aspects of secure shell (ssh) authentication and operation. The Centrify group policies for secure shell are located in the SSH Settings folder after you add the centrify_unix_settings.xml administrative template to a Group Policy Object. When you enable and configure secure shell group policies, the changes are recorded in the secure shell configuration file, /etc/centrifydc/ssh/sshd_config, at the next group policy update interval. To have your changes take effect immediately, run the adgpupdate command.

Centrify puts all of the configuration files for secure shell operations in the /etc/centrifydc/ssh directory. Depending on your operating system, you might also have other ssh configuration files stored in the other locations. When users start a secure shell session and use their secure shell rights, the Centrify agent first checks the /etc/centrifydc/ssh directory for configuration files, then looks for configuration file in the /usr/local/etc directory on AIX computers, and in /etc/ssh directory on most other Linux and UNIX computers.

At a minimum, you should enable the Enable application rights group policy in a Group Policy Object that applies to the site, domain, or organizational unit that contains Centrify-managed Linux and UNIX computers.

To configure the secure shell group policy for application rights

  1. On a Windows computer, open the Group Policy Management console.
  2. Select an appropriate Group Policy Object, right-click, then select Edit.

    You can select any Group Policy Object that applies to the site, domain, or organizational unit that contains Centrify-managed Linux and UNIX computers.

  3. Expand Computer Configuration > Policies > Centrify Settings > SSH Settings and double-click Enable application rights.
  4. Click Enable, then click OK.

    This setting adds the following parameter to the /etc/centrifydc/ssh/sshd_config file:

    ServiceAuthLocation /usr/share/centrifydc/libexec/dzsshchk

    This parameter sets the path to the dzsshchk command. The dzsshchk command verifies the access rights for users when they log in with SSH for all computers to which the group policy object applies.

You can also use secure shell group policies to control other configuration settings, such as the allowed and denied groups and users and authentication processing. For example, you can use the following group policies to configure operations for Centrify OpenSSH connections:

  • Add sshd_config properties enables you configure secure shell properties defined in the sshd_config file by group policy. If you enable this group policy, you can add and edit properties as name-value pairs.
  • Allow challenge-response authentication enables you use multi-factor authentication if you are using the secure shell package installed with the operating system. This group policy is not required if you are using the Centrify OpenSSH package for the agent.
  • Allow groups specifies the list of groups whose members are allowed to log on through sshd.
  • Allow GSSAPI authentication enables authentication either as the result of a successful key exchange, or through GSSAPI user authentication.
  • Allow GSSAPI key exchange enables authentication using a key exchange based on GSSAPI.
  • Allow users specifies the list of users who are allowed to log on through sshd.
  • Deny groups specifies the list of groups whose members are not allowed to log on through sshd.
  • Deny users specifies the list of users who are not allowed to log on through sshd.
  • Enable application rights allows secure shell applications to grant secure shell rights.
  • Enable PAM authentication to use PAM account and session handling.
  • Permit root login specifies whether the root account can be used to log in using ssh.
  • Set banner path specifies the path to a local file that is sent to a remote user requesting authentication.
  • Specify authorized keyfile specifies the file that contains the public keys that can be used for user authentication.
  • Specify ciphers allowed for protocol version 2 enables you to add or delete ciphers allowed for single sign-on connections.
  • Specify client alive interval specifies a timeout interval, in seconds, for requesting a response to client alive messages.
  • Specify log level specifies the level of detail to record in the log file for messages from sshd.
  • Specify login grace period specifies the time, in seconds, after which the server disconnects if a user has failed to log in.
  • Specify maximum client alive count specifies the maximum number of client alive messages that may be sent by the secure shell daemon (sshd) without receiving a response from the client.

For more information about adding administrative templates for group policies to a Group Policy Object and how to configure and apply the group policies for secure shell, see theGroup Policy Guide.