APPLICATION NOTE
Secure, Active Directory-Based Single Sign-On with OpenSSH and Centrify
Using Centrify DirectControl and the DirectControl-enabled version of OpenSSH with Red Hat, Solaris, AIX, HP-UX and other non-Windows systems
Try DirectControl for Yourself
This version of OpenSSH has been enhanced to work seamlessly with DirectControl. To see for yourself how DirectControl enables you to centrally control access to UNIX, Linux and Mac systems from Active Directory:
SSH has become the de facto standard for administrators and users to securely access remote UNIX systems. The combination of the latest versions of OpenSSH supporting Kerberized connections, along with DirectControl's ability to directly integrate UNIX and Linux computers with Active Directory's Kerberos infrastructure, provides the administrator with the ideal environment for secured single sign-on. Users logging in from Windows computers will be able to securely access remote UNIX computers using their Active Directory credentials to automatically log in to the UNIX or Linux computer.
Centrify provides a DirectControl-enabled version of OpenSSH free of charge to help you be more productive and to accelerate your deployment. Customers and those evaluating DirectControl can download it from the Centrify Download Center. See below for more insight into how OpenSSH works and what you can do with it.
Centrify's unique Support for Open Source Software plan provides the same benefits as product support, including guaranteed service levels and other benefits.
Learn More About the DirectControl-Enabled OpenSSH
While many UNIX systems may have an sshd server installed, most will be older implementations of the sshd server that do not support Kerberos. Centrify provides a compiled version of the latest OpenSSH distribution to make it easier for you to install and use SSH with DirectControl for secured authentication via Kerberos to Active Directory.
Centrify has compiled the standard OpenSSH distribution unmodified, but in the compile process we linked OpenSSH with the DirectControl Kerberos libraries to ensure that single sign-on works seamlessly as expected in an Active Directory environment. This provides several advantages, including:
The OpenSSH client and server are preconfigured to automatically support PAM and Kerberos.
There is no need for DNS-to-realm mapping because DirectControl knows the relationship between hosts and their SPNs.
There is no need for a .k5login file in the user's home directory since DirectControl can automatically map the UPN (User Principal Name) in the Kerberos ticket to the UNIX profile for the Active Directory username presented in the ticket.
DirectControl will accept connections to any of the computer's valid hostnames, either fully qualified or not, because all combinations are registered with Active Directory. This further reduces the dependency on accurate DNS entries to enable Kerberos to operate properly.
The installation process automatically updates the $PATH environment by adding /usr/share/centrifydc/bin for all users and /usr/share/centrifydc/sbin for administrators and super users, making direct access to OpenSSH possible.
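A way to verify on a host that the server really is configured for PAM and Kerberos, as an added example that is not part of the original note or of Centrify's tooling. It assumes the build is controlled by the stock OpenSSH sshd_config keywords GSSAPIAuthentication, UsePAM and GSSAPICleanupCredentials (the note does not name them); the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the global Kerberos/PAM settings in an sshd_config.
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and lines after a Match line apply only conditionally.

sshd_global_value() {  # $1=config file  $2=keyword  $3=default when unset
    awk -v key="$2" -v dflt="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        { sub(/=/, " "); kw = tolower($1) }    # accept "Keyword=value" too
        kw == "match" { exit }                 # global section ends here
        kw == key { found = 1; print tolower($2); exit }
        END { if (!found) print dflt }
    ' "$1"
}

audit_kerberos_sso() {  # $1=config file; returns 1 on any FAIL finding
    cfg=$1; rc=0
    # Defaults below are those of stock OpenSSH (sshd_config(5)).
    [ "$(sshd_global_value "$cfg" GSSAPIAuthentication no)" = yes ] ||
        { echo "FAIL GSSAPIAuthentication off: ticket-based login not offered"; rc=1; }
    [ "$(sshd_global_value "$cfg" UsePAM no)" = yes ] ||
        { echo "FAIL UsePAM off: PAM account and session modules not run"; rc=1; }
    [ "$(sshd_global_value "$cfg" GSSAPICleanupCredentials yes)" = yes ] ||
        echo "WARN GSSAPICleanupCredentials off: ticket cache kept after logout"
    return $rc
}

sample_config() {  # constructed sample input, not a file shipped by Centrify
    cat <<'EOF'
# constructed sshd_config fragment
gssapiauthentication yes
GSSAPIAuthentication no
UsePAM=yes
Match User svc-backup
    GSSAPIAuthentication no
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_kerberos_sso "$tmp" && echo "OK: global settings allow Kerberos SSO"
rm -f "$tmp"
```

On a live system, `sshd -T` prints the effective configuration and is the authoritative source; the file parser above is for reviewing configurations offline.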
Supported Platforms

| Systems A-Z | Version | 32-bit | 64-bit |
|---|---|---|---|
| CentOS Linux | 2.1, 3.8, 4.4, 5.0 x86 |  |  |
|  | 3.8, 4.4, 5.0 x86_64 |  |  |
| Citrix XenServer | 4 |  |  |
| Debian Linux | 3.0, 3.1, 4.0 x86 |  |  |
|  | 3.1, 4.0 x86_64 |  |  |
| Hewlett Packard HP-UX | 11.00, 11.11, 11.23, 11.31 PA-RISC |  |  |
|  | 11.22, 11.23, 11.31 Itanium |  |  |
| IBM AIX | 4.3.3, 5.x, 6.1 |  |  |
| Novell SUSE Linux | Enterprise 8, 9, 10 x86 |  |  |
|  | Ent. Server 9, 10 x86_64 |  |  |
|  | Ent. Server 9 PPC |  |  |
| OpenSUSE Linux | 10.x x86 |  |  |
|  | 10.x x86_64 |  |  |
| Oracle Enterprise Linux | 4, 5 x86 |  |  |
|  | 4, 5 x86_64 |  |  |
| Red Hat Linux | 7.2, 7.3, 8, 9 x86 |  |  |
| Red Hat Enterprise Linux | Desktop 5.1 x86 |  |  |
|  | Desktop 5.1 x86_64 |  |  |
|  | AS/ES/WS 2.1, 3, 4, 5 x86 |  |  |
|  | AS/ES/WS 3, 4, 5 x86_64 |  |  |
|  | AS/ES/WS 3, 4 PPC |  |  |
|  | AS/ES/WS 4 Itanium |  |  |
| Red Hat Fedora | 3, 4, 5, 6, 7, 8 x86 |  |  |
|  | 3, 4, 5, 6, 7, 8 x86_64 |  |  |
| Scientific Linux | 3, 4, 5 x86 |  |  |
|  | 3, 4, 5 x86_64 |  |  |
| Silicon Graphics IRIX | 6.5.x MIPS |  |  |
| Sun Solaris | 2.6, 2.7 (7), 8, 9, 10 SPARC |  |  |
|  | 9, 10 x86 |  |  |
|  | 10 x86_64 |  |  |
| Ubuntu Linux | 6.06 LTS, 7.04, 7.10 x86 |  |  |
|  | 6.06 LTS, 7.04, 7.10 x86_64 |  |  |
| VMware ESX Server | 2.1, 2.5.x, 3.0 x86 |  |  |

How to read this chart: icons mark entries as Supported, Recent Additions, or Coming Soon.

| Systems A-Z | Version | 32-bit | 64-bit |
|---|---|---|---|
| CentOS Linux | 2.1 x86 |  |  |
|  | 3.8 x86 |  |  |
|  | 3.8 x86_64 |  |  |
|  | 4.4 x86 |  |  |
|  | 4.4 x86_64 |  |  |
|  | 5.0 x86 |  |  |
|  | 5.0 x86_64 |  |  |
| Citrix XenServer | 4 |  |  |
| Debian Linux | 3.0 x86 |  |  |
|  | 3.1 x86 |  |  |
|  | 3.1 x86_64 |  |  |
|  | 4.0 x86 |  |  |
|  | 4.0 x86_64 |  |  |
| Hewlett Packard HP-UX | 11.00 PA-RISC |  |  |
|  | 11.00 PA-RISC Trusted |  |  |
|  | 11.11 PA-RISC |  |  |
|  | 11.11 PA-RISC Trusted |  |  |
|  | 11.22 Itanium |  |  |
|  | 11.22 Itanium Trusted |  |  |
|  | 11.23 PA-RISC |  |  |
|  | 11.23 PA-RISC Trusted |  |  |
|  | 11.23 Itanium |  |  |
|  | 11.23 Itanium Trusted |  |  |
|  | 11.31 PA-RISC |  |  |
|  | 11.31 PA-RISC Trusted |  |  |
|  | 11.31 Itanium |  |  |
|  | 11.31 Itanium Trusted |  |  |
| IBM AIX | 4.3.3 |  |  |
|  | 5.1 |  |  |
|  | 5.2 |  |  |
|  | 5.3 |  |  |
|  | 6.1 |  |  |
| Novell SUSE Linux | Ent. Server 8.0 x86 |  |  |
|  | Ent. Desktop 9.0 x86 |  |  |
|  | Ent. Server 9.0 x86 |  |  |
|  | Ent. Server 9.0 x86_64 |  |  |
|  | Ent. Server 9.0 PPC |  |  |
|  | Ent. Desktop Pro 9.1 x86 |  |  |
|  | Ent. Desktop Pro 9.2 x86 |  |  |
|  | Ent. Desktop Pro 9.3 x86 |  |  |
|  | Ent. Desktop 10.0 x86 |  |  |
|  | Ent. Server 10.0 x86 |  |  |
|  | Ent. Server 10.0 x86_64 |  |  |
| OpenSUSE Linux | 10.1 x86 |  |  |
|  | 10.1 x86_64 |  |  |
|  | 10.2 x86 |  |  |
|  | 10.2 x86_64 |  |  |
|  | 10.3 x86 |  |  |
|  | 10.3 x86_64 |  |  |
| Oracle Enterprise Linux | 4.0 x86 |  |  |
|  | 4.0 x86_64 |  |  |
|  | 5.0 x86 |  |  |
|  | 5.0 x86_64 |  |  |
| Red Hat Linux | 7.2 x86 |  |  |
|  | 7.3 x86 |  |  |
|  | 8.0 x86 |  |  |
|  | 9.0 x86 |  |  |
| Red Hat Enterprise Linux | Desktop 5.1 x86 |  |  |
|  | Desktop 5.1 x86_64 |  |  |
|  | AS/ES/WS 2.1 x86 |  |  |
|  | AS/ES/WS 3.0 x86 |  |  |
|  | AS/ES/WS 3.0 x86_64 |  |  |
|  | AS/ES/WS 3.0 PPC |  |  |
|  | AS/ES/WS 4.0 x86 |  |  |
|  | AS/ES/WS 4.0 x86_64 |  |  |
|  | AS/ES/WS 4.0 PPC |  |  |
|  | AS/ES/WS 4.0 Itanium |  |  |
|  | AS/ES/WS 5.0 x86 |  |  |
|  | AS/ES/WS 5.0 x86_64 |  |  |
|  | AS/ES/WS 5.1 x86 |  |  |
|  | AS/ES/WS 5.1 x86_64 |  |  |
| Red Hat Fedora | Core 3 x86 |  |  |
|  | Core 3 x86_64 |  |  |
|  | Core 4 x86 |  |  |
|  | Core 4 x86_64 |  |  |
|  | Core 5 x86 |  |  |
|  | Core 5 x86_64 |  |  |
|  | 6 x86 |  |  |
|  | 6 x86_64 |  |  |
|  | 7 x86 |  |  |
|  | 7 x86_64 |  |  |
|  | 8 x86 |  |  |
|  | 8 x86_64 |  |  |
| Scientific Linux | 3.0.8 x86 |  |  |
|  | 3.0.8 x86_64 |  |  |
|  | 4.4 x86 |  |  |
|  | 4.4 x86_64 |  |  |
|  | 4.5 x86 |  |  |
|  | 4.5 x86_64 |  |  |
|  | 5.0 x86 |  |  |
|  | 5.0 x86_64 |  |  |
| Silicon Graphics IRIX | 6.5.28 MIPS |  |  |
|  | 6.5.29 MIPS |  |  |
| Sun Solaris | 2.6 SPARC |  |  |
|  | 2.7 (7) SPARC |  |  |
|  | 8 SPARC |  |  |
|  | 9 SPARC |  |  |
|  | 9 x86 |  |  |
|  | 10 SPARC |  |  |
|  | 10 x86 |  |  |
|  | 10 x86_64 |  |  |
| Ubuntu Linux | Desktop 6.06 LTS x86 |  |  |
|  | Desktop 6.06 LTS x86_64 |  |  |
|  | Server 6.06 LTS x86 |  |  |
|  | Server 6.06 LTS x86_64 |  |  |
|  | Desktop 7.04 x86 |  |  |
|  | Desktop 7.04 x86_64 |  |  |
|  | Server 7.04 x86 |  |  |
|  | Server 7.04 x86_64 |  |  |
|  | Desktop 7.10 x86 |  |  |
|  | Desktop 7.10 x86_64 |  |  |
|  | Server 7.10 x86 |  |  |
|  | Server 7.10 x86_64 |  |  |
| VMware ESX Server | 2.1.2 x86 |  |  |
|  | 2.5 x86 |  |  |
|  | 2.5.1 x86 |  |  |
|  | 2.5.2 x86 |  |  |
|  | 2.5.3 x86 |  |  |
|  | 2.5.4 x86 |  |  |
|  | 3.0 x86 |  |  |
|  | 3.0.1 x86 |  |  |