Configuring the Centrify PuTTY client

The Centrify-enabled version of the open-source PuTTY client adds Kerberos authentication for accessing remote computers using secure shell (ssh) network connections. To enable you to configure Kerberos authentication for secure shell sessions, the Centrify PuTTY client adds its own SSH Kerberos configuration page to the standard Windows PuTTY client. All other functionality in the Centrify PuTTY client is the same as in the official PuTTY client, version 0.64.

Starting the Centrify PuTTY client

After installation, you can start the Centrify PuTTY client from the Start menu or by opening the putty.exe executable in the file location you specified during installation. By default, the Basic options for your PuTTY session are displayed. These options are the same in the Centrify PuTTY client as they are in the open-source PuTTY client.

Configuring Kerberos authentication for secure shell connections

The Kerberos configuration options that have been added to the Centrify version of the PuTTY client are available under the Connection and SSH configuration settings.

To configure Kerberos settings:

  1. Expand SSH under the Connection configuration settings.

  2. Select Kerberos to display the Options for controlling Kerberos connections.

  3. Set the appropriate options to configure Kerberos authentication for secure shell remote connections.
    • Select Attempt Kerberos Auth (SSH-2) if you want the Centrify PuTTY client to attempt to use Kerberos authentication before any other authentication method when opening a new secure shell session.

      If you do not select this option, or if you select it and Kerberos authentication fails, the authentication options you have defined in Connection > SSH > Auth are used. The number of times you can type the wrong password before Kerberos authentication fails and other authentication options are used can be configured by group policy settings. For more information about the group policies for configuring Centrify PuTTY, see Configuring group policies for Centrify PuTTY.

    • Select Create forwardable tickets if you want to allow the same Kerberos credentials used for authentication to be used when connecting to other Kerberos-authenticated services.

      The option is selected by default to enable single sign-on, allowing you to be authenticated silently on other servers without providing a password. If you deselect this option, you are prompted to provide a password any time you connect to another Kerberos-authenticated service.

    • Select Find machine from trusted domains if you want the Centrify PuTTY client to look for computers in external trusted domains if it cannot locate a target computer in the local Active Directory forest or a trusted forest.

      If you select this option and the Centrify PuTTY client cannot locate a target computer, the program will attempt an LDAP connection to the domain controller in the trusted domains using your login credentials. The LDAP connection can only succeed if the domain controller is accessible and you have Read access in Active Directory. You can control the LDAP connection setting by using Centrify PuTTY group policies. For more information about the group policies for configuring Centrify PuTTY, see Configuring group policies for Centrify PuTTY.

    • Type a specific Service principal name if a target computer is in a different forest or if the Centrify PuTTY client cannot access the Kerberos Distribution Center (KDC) for the computer.

      You might have to specify the service principal name if a computer is located in an external trusted domain that is not accessible. For example, if firewall settings prevent the Centrify PuTTY client from making an LDAP connection to the domain controller in the trusted domains, you can explicitly identify the computer by its service principal name.
  4. Select an Auto-login username option to specify how the Centrify PuTTY client determines the UNIX user account name to use for authentication when opening a secure shell connection.
    • Select None if you want to be prompted to specify the user name for Kerberos authentication or if you want to set a default auto-login user name as a Connection > Data configuration option.

      If you select this option, the Centrify PuTTY client does not automatically generate the UNIX user account name.

    • Select User principal name (requires DirectControl) if you want the Centrify PuTTY client to use your user principal name (UPN) as the UNIX account name.

      This option requires the Centrify agent to be installed. With this option, the agent automatically maps the UPN in the Kerberos ticket to the UNIX profile for the Active Directory user name presented in the ticket.

    • Select User name portion of user principal name if you want the Centrify PuTTY client to use the user name portion of the UPN as the UNIX user name.

      If you select this option and the UPN is jdoe@xyz.com, the Centrify PuTTY client would use jdoe as the UNIX user name for authentication.

    • Select SAM account name if you want the Centrify PuTTY client to look up the sAMAccountName attribute in Active Directory and use it as the UNIX user name.

      If you select this option, the Centrify PuTTY client will initiate an LDAP connection to the currently logged-in domain controller. If the connection or lookup request fails, the Centrify PuTTY client will prompt you to enter the UNIX user name.

  5. Type a Domain and Username if you do not want to use the Kerberos credentials for the account you used to log on to the Windows computer where you are running the Centrify PuTTY client.

    By default, your current Kerberos credentials for your Windows account are used for authentication on the remote computer. If you want to use a different user name and password, specify the domain and user name for the alternate Kerberos credentials you want to use. When the Centrify PuTTY client opens the secure shell session on the remote computer, it will prompt you to provide the password for your alternate credentials.

    The ability to use alternate Kerberos credentials can be configured by group policy settings. For more information about the group policies for configuring Centrify PuTTY, see Configuring group policies for Centrify PuTTY.
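
The following PowerShell is an added example, not Centrify code: it previews the UNIX user name that each Auto-login username option in step 4 would produce for one account, so you can compare the result with the account's UNIX profile before choosing an option. The function names, the -SkipLdap switch, and splitting the UPN at the last @ are assumptions made for this illustration, and the LDAP query is a stand-in for the lookup the client performs.

```powershell
# Added example (not Centrify code). Run on a domain-joined Windows computer,
# or with -SkipLdap when no domain controller is reachable.

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # Escape the RFC 4515 special characters so a crafted UPN cannot change
    # the meaning of the search filter. The backslash must be handled first.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' `
           -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-AutoLoginPreview {
    param(
        [string]$Upn = (whoami /upn),   # UPN of the logged-on user by default
        [switch]$SkipLdap               # skip the sAMAccountName lookup
    )

    $sam = $null
    if (-not $SkipLdap) {
        try {
            # Stand-in for the "SAM account name" option: look up the
            # sAMAccountName attribute in Active Directory over LDAP.
            $value    = ConvertTo-LdapFilterValue $Upn
            $searcher = [adsisearcher]"(&(objectClass=user)(userPrincipalName=$value))"
            [void]$searcher.PropertiesToLoad.Add('samaccountname')
            $hit = $searcher.FindOne()
            if ($hit) { $sam = [string]$hit.Properties['samaccountname'][0] }
        } catch {
            # Mirrors the documented fallback: a failed lookup means a prompt.
            Write-Warning "LDAP lookup failed: $($_.Exception.Message)"
        }
    }

    $at = $Upn.LastIndexOf('@')   # assumption: user name ends at the last '@'
    [pscustomobject]@{
        'None'                     = '(prompt, or Connection > Data default)'
        'User principal name'      = $Upn
        'User name portion of UPN' = if ($at -gt 0) { $Upn.Substring(0, $at) } else { $Upn }
        'SAM account name'         = if ($sam) { $sam } else { '(no result: client prompts)' }
    }
}

# Constructed input taken from the page's own example UPN.
Get-AutoLoginPreview -Upn 'jdoe@xyz.com' -SkipLdap | Format-List
```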