Application Note

Secure, Active Directory-Based Single Sign-On with AbsoluteTelnet/SSH and Centrify

Try DirectControl for Yourself

This single sign-on solution via AbsoluteTelnet/SSH requires that the target UNIX systems be joined to Active Directory using Centrify DirectControl. To see for yourself how DirectControl enables you to centrally control access to UNIX, Linux and Mac systems from Active Directory:

AbsoluteTelnet 5.0 from Celestial Software integrates with Active Directory to provide single sign-on to UNIX hosts running both DirectControl and OpenSSH servers by leveraging a user's existing credentials. Windows users running AbsoluteTelnet accessing UNIX systems running DirectControl and OpenSSH can be controlled centrally through Active Directory.

AbsoluteTelnet/SSH 5.0 Configuration

AbsoluteTelnet/SSH 5.0 running on a Windows computer that has been joined to Active Directory will support single sign-on to other computers that are properly configured for Kerberos-authenticated SSH connections. AbsoluteTelnet/SSH provides built-in support for Microsoft Kerberos-based authentication over SSH connections, so no additional configuration is required beyond simply selecting GSSAPI as the method of authentication when you are connecting to a remote system. UNIX systems running DirectControl and later versions of OpenSSH will provide the required Kerberos support to enable single sign-on for AbsoluteTelnet clients.

Using AbsoluteTelnet to Connect to a Remote DirectControl-Enabled System

The following instructions will show the options to select for a Kerberized SSH connection to a UNIX host.

  1. Launch AbsoluteTelnet/SSH 5.
  2. From the Options menu, choose Properties, and then click the Connection tab.
  3. Fill in the hostname of the server you want to connect to. Use the fully qualified domain name (FQDN) so the host can be found in Active Directory.
  4. The username field is filled in with the current Windows user. If the UNIX username is the same, leave this field alone. Otherwise, fill in the username of the UNIX account you are connecting to.
  5. Enable GSSAPI authentication and (optionally) the credential delegation.
  6. Click OK.
  7. On the File menu, choose Connect, or click the Connect button on the toolbar.

Summary

DirectControl integrates UNIX systems with Active Directory to provide a fully configured and automatically maintained MIT Kerberos client environment that enables applications such as OpenSSH and AbsoluteTelnet/SSH to securely and seamlessly authenticate users based on their initial login, leveraging the mutual trust relationship that both the user and the computers share through the Active Directory domain controller infrastructure.