On OS X 10.10 and later, you can change configuration settings to allow single sign-on for SSH and Screen Sharing using Kerberos. Kerberos authorization for SSH and Screen Sharing allows you to establish an SSH or Screen Sharing connection to configured target machines joined to the same domain within the same single sign-on (SSO) session. In addition to authorizing SSH or Screen Sharing for the currently logged in user, you can authorize SSH or Screen Sharing for a different smart card user (for example, an admin user) by obtaining that user’s Kerberos credentials.
- To configure SSH SSO
- To configure Screen Sharing SSO
- Migrating a user from Apple’s Active Directory plugin to Centrify Active Directory
To configure SSH SSO
Note: Smart card authentication for SSH sessions across different forests or domains is not supported.
- Verify that all client and target machines are joined to the same AD domain.
See Joining an Active Directory domain for more information.
- Add the following settings to the SSH client configuration file, ssh_config (located at /etc/ssh_config on OS X 10.10), on both the client and target machine.
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
- Add the following settings to the SSH server configuration file, sshd_config (located at /etc/sshd_config on OS X 10.10), on both the client and target machine.
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
Note: As of macOS 10.12, Apple's built-in ssh server no longer supports acting as the target machine for SSH SSO. You can still use SSH SSO to log in to other server machines, such as Linux/UNIX machines.
- Enable the adclient.krb5.autoedit parameter on the target machine.
The easiest way to do this is to enable the DirectControl Settings > Kerberos Settings > Manage Kerberos configuration group policy.
- Restart Centrify Management Services on the target machine.
$ sudo /usr/local/share/centrifydc/bin/centrifydc restart
The logged in user can now open SSH connections to the target machine using a FQDN.
$ ssh hostname.domainname
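As an added example (not part of the Centrify documentation), a POSIX shell check that audits an OpenSSH client or server configuration file for the GSSAPI settings listed above before you rely on SSO. It assumes the file path is passed in and, as a stated limitation, does not interpret Host/Match blocks.

```shell
#!/bin/sh
# Added example, not Centrify's code: audit an OpenSSH config file for the
# GSSAPI settings this procedure requires, before relying on SSO.

# Print the effective value of a keyword in an OpenSSH config file.
# OpenSSH keeps the first uncommented occurrence it reads; keywords are
# case-insensitive and may be written "Key value" or "Key=value".
# Assumption: Host/Match blocks are not interpreted, so a setting inside a
# narrower block is reported as if it applied globally.
ssh_config_value() {
    cfg_file=$1
    cfg_key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    sed -e 's/#.*//' -e 's/=/ /' "$cfg_file" |
        awk -v key="$cfg_key" 'tolower($1) == key { print $2; exit }'
}

# check_gssapi_settings FILE KEY=VALUE...: report every requested keyword that
# is missing or differs from VALUE; exit status 0 only when all match.
check_gssapi_settings() {
    file=$1; shift
    rc=0
    for want in "$@"; do
        key=${want%%=*}
        expect=$(printf '%s' "${want#*=}" | tr '[:upper:]' '[:lower:]')
        actual=$(ssh_config_value "$file" "$key" | tr '[:upper:]' '[:lower:]')
        if [ -z "$actual" ]; then
            echo "$file: $key is not set (expected $expect)"; rc=1
        elif [ "$actual" != "$expect" ]; then
            echo "$file: $key is $actual (expected $expect)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample files standing in for the client and server configs:
# the client file has the delegation setting commented out and the server
# file has key exchange disabled, so both checks report a problem.
tmp=$(mktemp -d)
printf 'Host *\n    GSSAPIAuthentication yes\n    # GSSAPIDelegateCredentials yes\n' > "$tmp/ssh_config"
printf 'GSSAPIAuthentication=YES\nGSSAPIKeyExchange no\n' > "$tmp/sshd_config"
check_gssapi_settings "$tmp/ssh_config" GSSAPIAuthentication=yes GSSAPIDelegateCredentials=yes || true
check_gssapi_settings "$tmp/sshd_config" GSSAPIAuthentication=yes GSSAPIKeyExchange=yes || true
rm -rf "$tmp"
```

Run it against the real files on each machine (for example the client's ssh_config and the target's sshd_config) and fix anything it reports before testing the SSO login.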
To configure Screen Sharing SSO
Note: Single sign-on for Screen Sharing requires Mac OS X 10.11 or higher.
- Verify that both the client and target machines are updated to at least Centrify Management Services 5.3.1.
$ adinfo -v
adinfo (CentrifyDC 5.3.1-xxx)
If an update is necessary, refer to Upgrading the Centrify DirectControl Agent for Mac for instructions and best practices.
- Open System Preferences > Sharing, then select Screen Sharing and specify which users can initiate Screen Sharing sessions in the Allow access for: list.
Note: Only Screen Sharing supports SSO, because Remote Management cannot allow access for network users.
The logged in user can now open Screen Sharing connections to the target machine using a FQDN.
$ open vnc://hostname.domainname
To obtain Kerberos credentials for a smart card user for SSH or Screen Sharing SSO
- Complete all of the steps in Configuring single sign-on for SSH and Screen Sharing, for both the SSH SSO and the Screen Sharing SSO procedures.
- Insert the user’s smart card into the reader.
- Obtain Kerberos credentials from the smart card currently in the reader and use those credentials to authorize SSH.
For multi-user PIV cards or multi-user smart cards:
$ /usr/local/bin/sctool -a unixName
For all other smart cards:
$ /usr/local/bin/sctool -k userPrincipalName
Refer to Understanding sctool for more information about the sctool command.
After unlocking the smart card, you can now open SSH or Screen Sharing connections to the target machine using the obtained Kerberos credentials.