Enforcing multi-factor authentication for single sign-on login access

If you use the Centrify OpenSSH package, you can require multi-factor authentication for secure shell connections even for single sign-on access to remote computers. In this scenario, users must respond to the authentication challenges to open the secure shell connection, and are then silently authenticated to additional services and computers. Note that this scenario is supported only with the Centrify version of the OpenSSH package; it is not supported for native secure shell packages.

To enable multi-factor authentication for single sign-on using secure shell sessions, you must enable and apply the Enable SSO MFA group policy. You can find this group policy in the Group Policy Management Editor under Computer Configuration > Policies > Centrify Settings > SSH Settings. For more information about adding, enabling, and applying Centrify group policies and the other group policies you can use for secure shell sessions, see the Group Policy Guide.

If you are not enabling and applying group policies for Centrify-managed computers, you can manually enforce multi-factor authentication for single sign-on by setting the secure shell configuration parameter SSOMFA to yes in the /etc/centrifydc/sshd/sshd_config file.

If you enable the group policy or set the parameter and auditing is set to required, users who access a Centrify-managed computer using ssh or PuTTY are prompted to respond to the multi-factor authentication challenges before starting the shell session. Securing the shell session with multi-factor authentication prevents unauthorized users from using the secure shell session to connect to remote services and computers.
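
To confirm that the manual SSOMFA setting described above is actually in effect, the following added example (not part of the Centrify documentation) reports the value found in the global section of an sshd_config file. It assumes SSOMFA is parsed like stock sshd_config keywords (case-insensitive keyword, optional "=", first occurrence wins); the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the SSOMFA setting in a Centrify sshd_config.
# Assumption: stock sshd_config parsing rules apply to SSOMFA
# (keyword is case-insensitive, "=" is optional, first occurrence wins).

ssomfa_value() {
    # $1 = path to sshd_config; prints the effective global value, or "unset"
    awk '
        /^[ \t]*#/ { next }                 # comment line
        /^[ \t]*$/ { next }                 # blank line
        { line = $0
          sub(/^[ \t]+/, "", line)          # drop leading indentation
          split(line, f, /[ \t=]+/)
          key = tolower(f[1]) }
        key == "match"  { exit }            # global section ends at first Match
        key == "ssomfa" { gsub(/"/, "", f[2]); print f[2]; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

check_ssomfa() {
    # returns 0 only when the effective global value is exactly "yes"
    v=$(ssomfa_value "$1") || return 2
    [ "$v" = "yes" ]
}

make_samples() {
    # $1 = directory; writes constructed sample configs (not real host data)
    printf '%s\n' '# constructed sample' 'Port 22' 'ssomfa yes' > "$1/ok.conf"
    printf '%s\n' 'SSOMFA no' 'SSOMFA yes' > "$1/shadowed.conf"
    printf '%s\n' '#SSOMFA yes' 'Match User alice' '  SSOMFA yes' > "$1/commented.conf"
}

# Demo on the constructed samples; on a managed host, pass
# /etc/centrifydc/sshd/sshd_config to check_ssomfa instead.
d=$(mktemp -d)
make_samples "$d"
for f in "$d"/*.conf; do
    printf '%s: SSOMFA=%s\n' "${f##*/}" "$(ssomfa_value "$f")"
done
rm -rf "$d"
```

The shadowed sample shows why a simple grep for "SSOMFA yes" is not enough: an earlier "SSOMFA no" line takes precedence under first-occurrence-wins parsing.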