TOM KEMP'S CENTRIFY BLOG
Monday, August 20, 2007
Today Centrify released version 3.0.7 of DirectControl. New features include:
Along with DirectControl version 3.0.7, we are also releasing new versions of our PuTTY and OpenSSH support, and I wanted to use the rest of this blog entry to provide a few details on each.
PuTTY
First, let's talk PuTTY. PuTTY is a popular open-source client on Windows and UNIX-based systems that provides access to remote machines using well-known network protocols such as Telnet, SSH, rlogin and raw TCP. However, it does not support Kerberos authentication.
Centrify has enhanced the PuTTY tool so that user authentication can be accomplished using Kerberos before establishing a remote connection. Since the Centrify DirectControl Agent sets up a Kerberos environment on managed UNIX and Linux computers, this allows a seamless integration into DirectControl-managed systems. Thus, you gain the benefits of centralized authentication and password policy enforcement using a secure and well-established authentication infrastructure.
The Centrify-enhanced version that we are releasing today is based on PuTTY version 0.60, released in April 2007. The Centrify DirectControl-enhanced version of PuTTY runs on Windows 2000, Windows 2003, Windows XP and Windows Vista. Besides enhancing PuTTY, Centrify has also enhanced PuTTY-related utilities such as pscp.exe, psftp.exe and plink.exe to support Kerberos authentication. All of this capability and more is described in a brand new 17-page application note called "Centrify DirectControl-Enhanced PuTTY."
Centrify PuTTY also interoperates with the Centrify OpenSSH utility. The Centrify OpenSSH configuration (sshd_config) uses Kerberos authentication by default. It also handles different forms of user name for UNIX login. More about OpenSSH later.
Here's how it works: you can use Centrify PuTTY to remotely access any UNIX and Linux machines. However, if the Centrify DirectControl Agent has been installed on the UNIX/Linux machine, users can securely access remote computers via the SSH protocol using Active Directory credentials. DirectControl can also deduce the UNIX login name from the User Principal Name (UPN) in Active Directory, thus making it possible for a user to do secure Single Sign-on to all machines with a single Active Directory identity. Administrators have the added benefits of accelerated deployment since DirectControl already sets up a Kerberos environment on the target machines. As an example, there is no need for DNS-to-realm mapping because DirectControl already knows the relationship between the hosts and their Service Principal Names (SPNs).
As an added benefit, with this new release of our enhanced PuTTY, Centrify now provides a Group Policy Object administrative template that allows centralized control of the configurable PuTTY settings, including the Kerberos options for SSH connections. I was told we make over 300 configuration parameters for PuTTY now settable via Group Policy, which is quite nice in case you plan to deploy PuTTY on a wide scale within your enterprise.
Finally, we also provide tech support for PuTTY, in case you want it. See Centrify Support for Open Source Software for details. And of course go to the support download site to download the new PuTTY and the application note.
OpenSSH
SSH has become the de facto standard for administrators and users to securely access remote UNIX systems. OpenSSH is a popular open source technology that uses the SSH protocol. While many UNIX systems may have OpenSSH installed on them (i.e., an sshd server installed), most will be older implementations of the sshd server that do not support Kerberos, and newer versions may not have been compiled with support for Kerberos.
What Centrify offers is a version of OpenSSH that is compiled with support for Kerberos by statically linking to the Centrify Kerberos libraries to ensure that single sign-on works seamlessly as expected in an Active Directory environment. The Centrify version of OpenSSH that we released today supports version 4.6p1 of OpenSSH. See our list of Open Source supported platforms for the wide range of platforms we deliver OpenSSH on.
The Centrify version of OpenSSH has several advantages that are documented at the bottom of this page, but, as mentioned above, a new capability we have just added is support for Group Policy configuration of OpenSSH deployments. Examples of new OpenSSH Group Policies include: controlling who is allowed to SSH to a set of computers; controlling the time allowed for a successful login; displaying a security notice at login; and preventing root user login via SSH. Centrify is in fact the only vendor to offer Group Policy management of both the client (PuTTY) and server (sshd) components of SSH.
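An added example, not from the original post or Centrify's code: a small audit of an sshd_config for the four login controls listed above plus Kerberos sign-on. It assumes the stock OpenSSH keywords (AllowUsers/AllowGroups, LoginGraceTime, Banner, PermitRootLogin, GSSAPIAuthentication) are where such policies end up; the sample configurations, group names and the 120-second threshold are constructed.

```python
import re

# Stock OpenSSH defaults for keywords an sshd_config leaves unset.
DEFAULTS = {"permitrootlogin": "yes", "logingracetime": "120",
            "banner": "none", "gssapiauthentication": "no"}
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_global(text):
    """Return global sshd_config settings; sshd keeps the first value per keyword."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break  # conditional blocks follow; only the global scope is audited
        settings.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return settings

def seconds(value):
    """Convert an sshd time value such as '90', '2m' or '1h30m' to seconds."""
    return sum(int(n) * UNITS[u.lower()] for n, u in re.findall(r"(\d+)([smhdw]?)", value, re.I))

def audit(text, max_grace=120):
    """Return findings for the four login controls plus Kerberos (GSSAPI) sign-on."""
    cfg = {**DEFAULTS, **parse_global(text)}
    findings = []
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups: any valid account may log in")
    grace = seconds(cfg["logingracetime"])
    if grace == 0 or grace > max_grace:  # 0 means no time limit at all
        findings.append("LoginGraceTime %ds exceeds %ds" % (grace, max_grace))
    if cfg["banner"].lower() == "none":
        findings.append("Banner not set: no security notice shown before login")
    if cfg["permitrootlogin"].lower() != "no":
        findings.append("PermitRootLogin is '%s': root can log in over SSH" % cfg["permitrootlogin"])
    if cfg["gssapiauthentication"].lower() != "yes":
        findings.append("GSSAPIAuthentication off: Kerberos single sign-on unavailable")
    return findings

# Constructed samples. In WEAK the later "PermitRootLogin no" is ignored by sshd.
WEAK = "PermitRootLogin yes\nLoginGraceTime 10m\nPermitRootLogin no\n"
HARDENED = ("AllowGroups unix-admins\nLoginGraceTime 1m\nBanner /etc/issue.net\n"
            "PermitRootLogin no\nGSSAPIAuthentication yes\n"
            "Match Group contractors\n    X11Forwarding no\n")

if __name__ == "__main__":
    for finding in audit(WEAK):
        print(finding)
```

Settings inside `Match` blocks are not evaluated, so a per-group or per-address override needs a separate review.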
Finally, just like for PuTTY, we also provide tech support for OpenSSH, in case you want it. See Centrify Support for Open Source Software for details. And of course go to the support download site to download this new version of OpenSSH.