Secure shell rights require Centrify OpenSSH
SSH has become the de facto standard for administrators and users to securely access remote UNIX systems. The combination of the latest versions of OpenSSH supporting Kerberized connections, along with the Centrify DirectControl Agent directly integrating the UNIX computer with Active Directory's Kerberos infrastructure, provides the administrator with the ideal environment for secured single sign-on. Users logging in from Windows computers can use their Active Directory credentials to log in to remote UNIX computers securely and automatically.
While many UNIX systems might have an sshd server installed, most are older implementations of the sshd server that do not support Kerberos, and newer versions might not have been compiled with support for Kerberos. The Centrify package contains OpenSSH compiled with support for Kerberos by dynamically linking to the Centrify Kerberos libraries, which ensures that single sign-on works seamlessly in an Active Directory environment.
This provides several advantages, including:
- The OpenSSH client and server are preconfigured to automatically support PAM and Kerberos.
- There is no need for DNS-to-realm mapping because DirectControl knows the relationship between hosts and their SPNs.
- There is no need for a .k5login file in the user's home directory since DirectControl can automatically map the UPN (User Principal Name) in the Kerberos ticket to the UNIX profile for the Active Directory username presented in the ticket.
- OpenSSH in combination with DirectControl accepts connections to any of the computer's valid hostnames, either fully qualified or not, because all combinations are registered with Active Directory. This further reduces the dependency on accurate DNS entries to enable Kerberos to operate properly.
- The installation process automatically updates the $PATH.
The Centrify version of OpenSSH is a separate package that can be installed with the Centrify agent. Before you configure any specific secure shell rights to include in roles, verify that you have the Centrify OpenSSH package installed on your managed computers. The default secure shell rights are only applicable for the Centrify-compiled version of OpenSSH. If you did not select the OpenSSH package as part of a custom installation when you installed the agent, re-run the installation script to install the package before attempting to use secure shell rights.
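The following check is an added example, not part of the Centrify documentation. It reads the effective server settings that OpenSSH prints with `sshd -T` and reports whether PAM and GSSAPI (Kerberos) authentication, the two settings single sign-on depends on, are enabled. The function name and the sample settings are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample data below are constructed.

# Read effective sshd settings ("keyword value" lines, as printed by
# `sshd -T`) on stdin. Print the state of the two settings single sign-on
# depends on and return 0 only when both are "yes". A keyword missing from
# the input is reported as "unset" and fails the check.
check_sso_settings() {
    awk '
        { key = tolower($1); val = tolower($2) }
        key == "usepam"               { pam = val }
        key == "gssapiauthentication" { gss = val }
        END {
            if (pam == "") pam = "unset"
            if (gss == "") gss = "unset"
            printf "usepam=%s\ngssapiauthentication=%s\n", pam, gss
            exit !(pam == "yes" && gss == "yes")
        }'
}

# Constructed sample: PAM and GSSAPI both enabled.
SAMPLE_GOOD='port 22
usepam yes
gssapiauthentication yes
passwordauthentication yes'

# Constructed sample: no gssapiauthentication line at all.
SAMPLE_NO_GSSAPI='port 22
usepam yes
passwordauthentication yes'

# Constructed sample: GSSAPI present but switched off.
SAMPLE_GSSAPI_OFF='port 22
usepam yes
gssapiauthentication no'

for sample in "$SAMPLE_GOOD" "$SAMPLE_NO_GSSAPI" "$SAMPLE_GSSAPI_OFF"; do
    if printf '%s\n' "$sample" | check_sso_settings; then
        echo "result: ready for Kerberos single sign-on"
    else
        echo "result: NOT ready for Kerberos single sign-on"
    fi
done
```

To check a live system, pipe the output of `sshd -T`, run as root with the sshd binary you intend to use, into `check_sso_settings`.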