Application Note

Configuring OpenSSH for Kerberos-Based Authentication to Linux & UNIX

How to implement Active Directory-based silent authentication for OpenSSH to AIX, HP-UX, Red Hat, Solaris, SUSE, Ubuntu, VMware and other non-Windows systems using the Centrify Suite

SSH has become the de facto standard for administrators and users to securely access remote UNIX systems. The combination of the latest versions of OpenSSH supporting Kerberized connections, along with DirectControl's ability to directly integrate UNIX and Linux computers with Active Directory's Kerberos infrastructure, provides system administrators with the ideal environment for secured single sign-on. They can log in from Windows using their Active Directory credentials and then access remote UNIX or Linux computers automatically and securely.

Centrify includes a Centrify-enabled version of OpenSSH free of charge with both the Centrify Suite and Centrify Express to help you be more productive and to accelerate your deployment.

Get OpenSSH with Free Active Directory Authentication

You can download the Centrify-enabled version of OpenSSH along with Centrify Express, our free Active Directory-based solution for authentication and single sign-on to cross-platform systems.

Features & Benefits of the Centrify-Enabled OpenSSH

While many UNIX systems may have an sshd server installed, most will be older implementations of the sshd server that do not support Kerberos. Centrify provides a compiled version of the latest OpenSSH distribution to make it easier for you to install and use SSH with DirectControl for secured authentication via Kerberos to Active Directory.

Centrify has compiled the standard OpenSSH distribution unmodified, but in the compile process we linked OpenSSH with the DirectControl Kerberos libraries to ensure that single sign-on works seamlessly as expected in an Active Directory environment. This provides several advantages, including:

  • The OpenSSH client and server are preconfigured to automatically support PAM and Kerberos.
  • There is no need for DNS-to-realm mapping because DirectControl knows the relationship between hosts and their SPNs.
  • There is no need for a .k5login file in the user's home directory since DirectControl can automatically map the UPN (User Principal Name) in the Kerberos ticket to the UNIX profile for the Active Directory username presented in the ticket.
  • DirectControl will accept connections to any of the computer's valid hostnames, either fully qualified or not, because all combinations are registered with Active Directory. This further reduces the dependency on accurate DNS entries to enable Kerberos to operate properly.
  • The installation process automatically updates the $PATH environment by adding /usr/share/centrifydc/bin for all users and /usr/share/centrifydc/sbin for administrators and super users, making direct access to OpenSSH possible.
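
On a host that runs the stock OpenSSH instead of the preconfigured Centrify build, the PAM and Kerberos support named in the first bullet depends on sshd_config, where upstream sshd leaves both options off by default. The script below is an added example, not code from Centrify or the OpenSSH project: it checks the global section of a config file for the standard GSSAPIAuthentication and UsePAM keywords and reports GSSAPIKeyExchange, a keyword known only to builds that carry the GSS key exchange patch. The function names and the sample config are constructed for illustration.

```shell
# Added example: audit the global section of an sshd_config for the options
# that ticket-based (GSSAPI) Kerberos sign-on through PAM depends on.

effective_sshd_option() {
    # $1 = config file, $2 = keyword. Prints the effective value, lower-cased,
    # or "unset". sshd keywords are case-insensitive and the first value wins.
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        $0 == "" { next }
        {
            n = match($0, /[ \t=]/)                 # end of the keyword
            key = tolower(n ? substr($0, 1, n - 1) : $0)
            val = n ? substr($0, n) : ""
            sub(/^[ \t]*=?[ \t]*/, "", val)         # tolerate "Key=value"
            if (key == "match") exit                # conditional blocks not audited
            if (key == want) { print tolower(val); found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

audit_sshd_kerberos() {
    # $1 = config file. One line per option; returns 1 if a required one fails.
    rc=0
    for opt in GSSAPIAuthentication UsePAM; do
        val=$(effective_sshd_option "$1" "$opt")
        if [ "$val" = "yes" ]; then
            echo "PASS $opt=$val"
        else
            echo "FAIL $opt=$val (must be yes)"
            rc=1
        fi
    done
    # Only builds with the GSS key exchange patch know this keyword: report it.
    echo "INFO GSSAPIKeyExchange=$(effective_sshd_option "$1" GSSAPIKeyExchange)"
    return "$rc"
}

# Constructed sample input, not taken from a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
UsePAM yes
gssapiauthentication yes
GSSAPIAuthentication no
Match User legacy
    GSSAPIAuthentication no
EOF
audit_sshd_kerberos "$sample"
rm -f "$sample"
```

Settings inside Match blocks are deliberately not evaluated, so a per-user or per-group override still needs a manual look.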

Another advantage of the Centrify-enabled OpenSSH is that it gives you a consistent and more up-to-date version of OpenSSH across heterogeneous systems that are invariably running different versions of OpenSSH, including versions that may not have the latest security enhancements. For example, say you are running a mixed environment of Ubuntu 10.04, SUSE 11.2 and Fedora 13. That means you are running OpenSSH versions 5.3p1, 5.2p1 and 5.4p1 respectively. Centrify lets you run one consistent, more up-to-date version across that environment, and that version is continuously updated and fully supported by Centrify.

That being said, Centrify provides the Centrify-enabled OpenSSH as a convenience to you, but if you want to use the SSH provided by the OS vendor, or use a commercial SSH vendor, Centrify supports that too (and has fully tested our solution in all of these scenarios). Using our supplied OpenSSH is simply an installation choice, not a requirement. The bottom line is that Centrify gives you choice: use the Centrify-enabled OpenSSH with the advantages noted above, the "stock" OpenSSH, or a commercial SSH solution, and Centrify works well with whichever you choose. For example, there is a how-to video on using Centrify Express with stock SSH. Centrify has found that most IT organizations prefer consistency across all their platforms, hence the value of getting an OpenSSH or Samba distribution from a single vendor who supports multiple platforms. In the case of OpenSSH from Centrify, this guarantees support for GSS Key Exchange on all platforms in order to establish trust between hosts, a feature which is not part of the standard OpenSSH distribution. But in the end it is your choice, and choice is good.

Supported Platforms

Supported Operating Systems

Operating System Version 32-bit 64-bit
CentOS Linux
4, 5, 6 x86 Supported
4, 5, 6, 7 x86_64 Supported
Citrix XenServer
4, 5, 6 Supported
Debian Linux
5.0, 6.0, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6 x86 Supported
5.0, 6.0, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6 x86_64 Supported
Hewlett Packard HP-UX
11.11, 11.23, 11.31 PA-RISC Supported Supported
11.23, 11.31 Itanium Supported
IBM AIX
5.1, 5.2, 5.3, 6.1, 7.1, VIOS Supported Supported
Linux Mint
12, 13, 14, 15, 16, 17, LMDE 201204, LMDE 201303, LMDE 201403 x86 Supported
12, 13, 14, 15, 16, 17, LMDE 201204, LMDE 201303, LMDE 201403 x86_64 Supported
Mandriva Linux
One 2009, 2010, 2011 x86 Supported
Ent. Server 5, 5.2 x86 Supported
Ent. Server 5, 5.2 x86_64 Supported
SUSE Enterprise Linux
Desktop 10, 11 x86 Supported
Desktop 11 x86_64 Supported
Server 8, 9, 10, 11 x86 Supported
Server 9, 10, 11 x86_64 Supported
Server 9, 10, 11 PPC Supported Supported
Server 10 SP2, 11 SP1 S/390x Supported
Server 9, 10, 11 Itanium Supported
OpenSolaris
06/2009 SPARC Supported
11/2008, 06/2009 x86 Supported
11/2008, 06/2009 x86_64 Supported
OpenSUSE Linux
11, 12 x86 Supported
11, 12 x86_64 Supported
Oracle Enterprise Linux
4, 5, 6 x86 Supported
4, 5, 6, 7 x86_64 Supported
Oracle Solaris
8, 9, 10, 11, 11.1 SPARC Supported
9, 10, 11 x86 Supported
10, 11, 11.1 x86_64 Supported
Red Hat Enterprise Linux
Desktop 5, 6 x86 Supported
Desktop 5, 6, 7 x86_64 Supported
AS/ES/WS 3, 4, 5, 6 x86 Supported
AS/ES/WS 3, 4, 5, 6, 7 x86_64 Supported
AS/ES/WS 3, 4, 5, 6 PPC Supported Supported
AS/ES/WS 4, 5 Itanium Supported
AS/ES/WS 5, 6 S/390x Supported
Red Hat Fedora
9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20 x86 Supported
9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20 x86_64 Supported
Scientific Linux
4, 5, 6 x86 Supported
4, 5, 6 x86_64 Supported
Ubuntu Linux
6.06, 8.04, 8.10, 9.04, 9.10, 10.04, 10.10, 11.04, 11.10, 12.04, 12.10, 13.04, 13.10, 14.04 x86 Supported
6.06, 8.04, 8.10, 9.04, 9.10, 10.04, 10.10, 11.04, 11.10, 12.04, 12.10, 13.04, 13.10, 14.04 x86_64 Supported
VMware ESX Server
3.0, 3.5 x86 Supported
4.0, 4.1 x86_64 Supported
VMware vMA
4.0, 4.1, 5.0 x86_64 Supported