Application Note

Configuring PuTTY for Kerberos-Based Authentication to Linux & UNIX

How to implement Active Directory-based silent authentication for PuTTY to AIX, HP-UX, Red Hat, Solaris, SUSE, Ubuntu, VMware and other non-Windows systems using the Centrify Suite

PuTTY is a popular open source Windows utility that lets you log in to remote Linux and UNIX computers. (For more information about PuTTY, see the PuTTY Home Page.) The baseline PuTTY utility does not support Kerberos authentication, and is frequently deployed in environments where users log in using root, shared service or local accounts. To enhance security and enable single sign-on with your Active Directory account, Centrify delivers a packaged, tested and supported version of PuTTY that works seamlessly with UNIX and Linux systems that have been joined to Active Directory using Centrify DirectControl. Centrify also enables you to centrally configure security settings for PuTTY using Windows Group Policy. To learn more:

How the Centrify-Enabled PuTTY Works

When the Centrify DirectControl Agent is installed on a UNIX or Linux computer, it sets up a Kerberos environment in order to communicate securely with Active Directory. Centrify has recompiled the open source Windows PuTTY client with the DirectControl Kerberos libraries, enabling PuTTY to connect securely via SSH (Secure Shell) to DirectControl-managed systems. If a user has previously authenticated to Active Directory, they enjoy transparent single sign-on and are not challenged to log in again because the DirectControl-managed system will honor their Kerberos ticket. If a user has not previously authenticated to Active Directory, they will be challenged to log in. They can log in with their Active Directory credentials, or they can log in with any UNIX account that is managed within Active Directory using DirectControl. In either case, access to that computer is controlled through the user's Active Directory account, ensuring that access controls and Group Policies for that user are respected.

Centrify has added an SSH Kerberos property page to the PuTTY Configuration window (see the screenshot). When the Attempt Kerberos Auth (SSH-2) option is checked, the Centrify-Enabled version of PuTTY will try to connect to remote systems using Kerberos first. Additional options let you specify how PuTTY searches for computers to connect to, and how user names, Kerberos credentials, and passwords are handled. You can control these settings globally through Group Policy. Centrify provides a user manual that documents these settings (along with installation steps and other instructions).

Centrify has added only Kerberized SSH functionality. Other connections such as rlogin and telnet are not affected, and all other features remain the same as in the official PuTTY open source release. You can use the Centrify-Enabled version of PuTTY with systems that have not been secured through Active Directory using DirectControl, but of course you do not receive the security and compliance benefits of using the two together.
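The single sign-on flow described above only works if the target's SSH server is willing to accept the user's Kerberos ticket; if it is not, PuTTY falls back to a password prompt and the "no shared root logins" goal is undermined. The following script is an added example, not code from this application note or from Centrify or the PuTTY project. It assumes an OpenSSH-style sshd whose effective settings can be dumped with `sshd -T` (the function and variable names are the example's own); a constructed sample configuration is embedded so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the Centrify application note or from the
# Centrify/PuTTY projects. Audits an sshd configuration for the server-side
# settings that Kerberos single sign-on from an SSH client depends on: sshd
# must accept GSSAPI (Kerberos) authentication, and if the aim is to stop
# root/shared-account logins, PermitRootLogin should be off. On a real host,
# feed it the effective configuration printed by `sshd -T` (assumed OpenSSH).

# Constructed sample of `sshd -T`-style output (lowercase keyword, value).
SAMPLE_CONF='port 22
gssapiauthentication yes
gssapicleanupcredentials yes
passwordauthentication yes
permitrootlogin yes'

# sshd_setting FILE KEYWORD: print the value of KEYWORD (case-insensitive;
# the first occurrence wins, which is how sshd itself applies its config).
sshd_setting() {
  awk -v key="$2" 'tolower($1) == key && !done { print $2; done = 1 }' "$1"
}

# kerberos_sso_ready FILE: succeed (exit 0) only if GSSAPI auth is enabled.
kerberos_sso_ready() {
  [ "$(sshd_setting "$1" gssapiauthentication)" = "yes" ]
}

# audit_sshd FILE: print one finding per line; the return value is the number
# of settings that need attention (0 means the host will honor Kerberos
# tickets and does not permit unattributable root logins).
audit_sshd() {
  findings=0
  if kerberos_sso_ready "$1"; then
    echo "OK   GSSAPIAuthentication yes (Kerberos tickets will be honored)"
  else
    echo "FAIL GSSAPIAuthentication is not yes: clients fall back to passwords"
    findings=$((findings + 1))
  fi
  if [ "$(sshd_setting "$1" permitrootlogin)" != "no" ]; then
    echo "WARN PermitRootLogin is not no: direct root logins cannot be tied to a user"
    findings=$((findings + 1))
  fi
  if [ "$(sshd_setting "$1" gssapicleanupcredentials)" != "yes" ]; then
    echo "WARN GSSAPICleanupCredentials is not yes: delegated tickets outlive the session"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Stand-alone run against the constructed sample.
conf_file=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$conf_file"
audit_sshd "$conf_file" || echo "$? setting(s) need attention"
rm -f "$conf_file"
```

Run it on a real host as `sshd -T > /tmp/effective.conf && sh audit.sh` after pointing `audit_sshd` at that file; a FAIL on GSSAPIAuthentication is the usual reason a PuTTY session with a valid ticket still asks for a password.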

Centrally Configuring PuTTY Using Windows Group Policy

The Centrify installer for the Centrify-Enabled PuTTY includes a Group Policy Object administrative template that you can use to globally control the configurable PuTTY settings, including the Kerberos options for SSH connections that Centrify has added. For example, you can control:

  • Whether Kerberos credentials can be passed to another SSH server.
  • How PuTTY locates a target computer within trusted domains.
  • How the UNIX account name is provided to the SSH server on the target computer.
  • Whether users can specify alternative Kerberos credentials.
  • How many times a password attempt is allowed.

Security and Compliance Benefits of Using the Centrify-Enabled PuTTY

The open source PuTTY utility does not support Kerberos authentication, an essential prerequisite for both network security and Active Directory-based authentication. When connecting through SSH, the open source PuTTY client transmits user names and passwords "in the clear" over the network, representing a significant security risk. It is also frequently deployed in environments where users log in using root, shared service or local accounts, which prevents security managers from applying "need to know" access controls for individual users, and prevents IT compliance auditors from linking specific user accounts with actions taken on systems hosting sensitive data.

By deploying the Centrify-Enabled PuTTY utility for remote access to DirectControl-managed UNIX and Linux systems, you gain the following benefits:

  • IT Security. Kerberos provides a secure, encrypted connection to the remote computer to protect credentials as they move across the network. You can also centrally configure PuTTY through Group Policy so you can enforce a consistent security policy for the way users connect to sensitive systems.
  • IT Governance. Enforcing the use of the Centrify-Enabled PuTTY for Active Directory-based authentication can ensure that users are not logging in using shared service accounts. The access controls (including Centrify's unique, granular Zone-based access controls) and policies set for that user will thus be enforced on the UNIX and Linux systems. (See Managing UNIX Generic and Service Accounts with Active Directory for a discussion of the risks and best practices.) Active Directory authentication links user activity to a specific Active Directory account, providing accountability and auditability.
  • IT Infrastructure Optimization. Centrify provides a packaged and tested version of PuTTY that includes a standard Windows installer and full documentation. This helps you get PuTTY deployed quickly and consistently throughout your organization.

How to Get the Centrify-Enabled PuTTY

Centrify provides the Centrify-Enabled version of PuTTY free of charge with all editions of the Centrify Suite to help you be more productive and to accelerate your deployment. Customers and those evaluating DirectControl can download it from the Centrify Download Center.

Supported Platforms

Systems A-Z (Microsoft Windows)    32-bit       64-bit
XP                                 Supported
2000 Pro                           Supported
2000 Server                        Supported
2003                               Supported
2003 R2                            Supported
Vista                              Supported

Supported = Currently supported.
Early Access = Available through our Early Access program. Ask your Centrify support or sales representative for access.

Even though desktop and server management via Group Policy started as a Windows concept, solutions such as DirectControl give customers a way to achieve better interoperability between Windows and Linux systems.

Jeremy Moskowitz
GPanswers.com
Author of "Group Policy, Profiles and IntelliMirror" and Group Policy Evangelist
GPTF.org