Configuring single sign-on for SSH and Screen Sharing

On OS X 10.10 and later, you can change configuration settings to allow single sign-on for SSH and Screen Sharing using Kerberos. Kerberos authorization for SSH and Screen Sharing allows you to establish an SSH or Screen Sharing connection to configured target machines joined to the same domain within the same single sign-on (SSO) session. In addition to authorizing SSH or Screen Sharing for the currently logged in user, you can authorize SSH or Screen Sharing for a different smart card user (for example, an admin user) by obtaining that user’s Kerberos credentials.

To configure SSH SSO

Note:   Smart card authentication for SSH sessions across different forests or domains is not supported.

  1. Verify that all client and target machines are joined to the same AD domain.

    See Joining an Active Directory domain for more information.

  2. Enable GSSAPIAuthentication and GSSAPIDelegateCredentials in the /etc/ssh/ssh_config (/etc/ssh_config on OS X 10.10) file on both the client and target machine.

    GSSAPIAuthentication        yes
    GSSAPIDelegateCredentials   yes

  3. Enable GSSAPIAuthentication and GSSAPIKeyExchange in the /etc/ssh/sshd_config (/etc/sshd_config on OS X 10.10) file on both the client and target machine.

    GSSAPIAuthentication   yes
    GSSAPIKeyExchange      yes

    Note:   As of macOS 10.12, Apple's built-in ssh server no longer supports SSH SSO when acting as the target machine. You can still use SSH SSO to log in to other server machines, such as Linux/UNIX machines.

  4. Enable adclient.krb5.autoedit on the target machine.

    The easiest way to do this is to enable the DirectControl Settings > Kerberos Settings > Manage Kerberos configuration group policy.

  5. Restart Centrify Management Services on the target machine.

    $ sudo /usr/local/share/centrifydc/bin/centrifydc restart

    The logged in user can now open SSH connections to the target machine using its FQDN.

    $ ssh hostname.domainname
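As an added example that is not part of the Centrify documentation, the following POSIX shell script checks that an OpenSSH configuration file carries the GSSAPI settings required in steps 2 and 3 above. It reads the file flat, ignoring Host/Match scoping, and the client/target paths it assumes are the standard /etc/ssh ones.

```shell
#!/bin/sh
# Added example, not from the Centrify documentation or the OpenSSH project.
# Checks that an OpenSSH config file sets the GSSAPI keys this procedure
# needs. Keys match case-insensitively and "Key value" or "Key=value" forms
# are accepted; comments and blank lines are skipped; the first match wins.
# Simplification: Host/Match scoping is ignored, so settings are read as global.

# Print the first value of KEY found in FILE (empty output if it is absent).
ssh_config_value() {
  file=$1
  want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  awk -v want="$want" '
    /^[[:space:]]*(#|$)/ { next }                      # comment or blank line
    { line = $0; sub(/^[[:space:]]+/, "", line)
      split(line, f, /[[:space:]=]+/) }                # f[1]=key, f[2]=value
    tolower(f[1]) == want { print f[2]; exit }         # first match wins
  ' "$file"
}

# check_gssapi FILE KEY...  -> exit 0 only if every KEY is set to "yes".
check_gssapi() {
  file=$1; shift
  rc=0
  for key in "$@"; do
    val=$(ssh_config_value "$file" "$key")
    case $val in
      yes) echo "$file: $key yes" ;;
      "")  echo "$file: $key is not set" >&2; rc=1 ;;
      *)   echo "$file: $key is '$val', expected yes" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# Usage:  sh check_gssapi.sh client   (step 2, /etc/ssh/ssh_config)
#         sh check_gssapi.sh target   (step 3, /etc/ssh/sshd_config)
case ${1:-} in
  client) check_gssapi /etc/ssh/ssh_config  GSSAPIAuthentication GSSAPIDelegateCredentials ;;
  target) check_gssapi /etc/ssh/sshd_config GSSAPIAuthentication GSSAPIKeyExchange ;;
esac
```

On OS X 10.10 pass /etc/ssh_config and /etc/sshd_config instead; a commented-out `#GSSAPIKeyExchange yes` line is reported as "not set", which is the usual reason step 3 silently fails.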

To configure Screen Sharing SSO

Note:   Single sign-on for Screen Sharing requires Mac OS X 10.11 or higher.

  1. Verify that both the client and target machines are updated to at least Centrify Management Services 5.3.1.

    $ adinfo -v

    adinfo (CentrifyDC 5.3.1-xxx)

    If an update is necessary, refer to Upgrading the Centrify DirectControl Agent for Mac for instructions and best practices.

  2. Open System Preferences > Sharing, then select Screen Sharing and specify which users can initiate Screen Sharing sessions in the Allow access for: list.

    Note:   Only Screen Sharing supports SSO, because Remote Management cannot allow access for network users.

    The logged in user can now open Screen Sharing connections to the target machine using its FQDN.

    $ open vnc://hostname.domainname

To obtain Kerberos credentials for a smart card user for SSH or Screen Sharing SSO

  1. Complete all of the steps in the SSH or Screen Sharing configuration procedure above, as applicable.
  2. Insert the user’s smart card into the reader.
  3. Obtain Kerberos credentials from the smart card currently in the reader and use those credentials to authorize SSH or Screen Sharing.

    For multi-user PIV cards or multi-user smart cards:

    $ /usr/local/bin/sctool -a unixName

    For all other smart cards:

    $ /usr/local/bin/sctool -k userPrincipalName

    Refer to Understanding sctool for more information about the sctool -a and -k options.

    After unlocking the smart card, you can now open SSH or Screen Sharing connections to the target machine using the obtained Kerberos credentials.