
Using PuTTY for Kerberos-Based Authentication to UNIX and Linux Systems

Centrify's packaged, tested and supported version of PuTTY provides secure single sign-on to UNIX and Linux, plus the ability to centrally configure PuTTY settings using Active Directory Group Policy


PuTTY is a popular open source Windows utility that lets you log in to remote UNIX and Linux computers. The baseline PuTTY utility does not support Kerberos authentication, and is frequently deployed in environments where users log in using root, shared service or local accounts. To enhance security and enable single sign-on with your Active Directory account, Centrify delivers a packaged, tested and supported version of PuTTY that works seamlessly with UNIX and Linux systems that have been joined to Active Directory using Centrify DirectControl. Centrify also enables you to centrally configure security settings for PuTTY using Active Directory Group Policy.

How the DirectControl-Enabled PuTTY Works

When the Centrify DirectControl Agent is installed on a UNIX or Linux computer, it sets up a Kerberos environment in order to communicate securely with Active Directory. Centrify has recompiled the open source Windows PuTTY client with the DirectControl Kerberos libraries, enabling PuTTY to connect securely via SSH (Secure Shell) to DirectControl-managed systems. If a user has previously authenticated to Active Directory, they enjoy transparent single sign-on and are not challenged to log in again because the DirectControl-managed system will honor their Kerberos ticket. If a user has not previously authenticated to Active Directory, they will be challenged to log in. They can log in with their Active Directory credentials, or they can log in with any UNIX account that is managed within Active Directory using DirectControl. In either case, access to that computer is controlled through the user's Active Directory account, ensuring that access controls and Group Policies for that user are respected.

Centrify has added an SSH Kerberos property page to the PuTTY Configuration window (see the screenshot). When the Attempt Kerberos Auth (SSH-2) option is checked, the DirectControl-enabled version of PuTTY will try to connect to remote systems using Kerberos first. Additional options let you specify how PuTTY searches for computers to connect to, and how user names, Kerberos credentials, and passwords are handled. You can control these settings globally through Group Policy. Centrify provides a user manual that documents these settings (along with installation steps and other instructions).

Centrify has added only Kerberized SSH functionality. Other connections such as rlogin and telnet are not affected, and all other features remain the same as in the official PuTTY open source release. You can use the DirectControl-enabled version of PuTTY with systems that have not been secured through Active Directory using DirectControl, but of course you do not receive the security and compliance benefits of using the two together.

Centrally Configuring PuTTY Using Active Directory Group Policy

The Centrify installer for the DirectControl-enabled PuTTY includes a Group Policy Object administrative template that you can use to globally control the configurable PuTTY settings, including the Kerberos options for SSH connections that Centrify has added. For example, you can control:

  • Whether Kerberos credentials can be passed to another SSH server.
  • How PuTTY locates a target computer within trusted domains.
  • How the UNIX account name is provided to the SSH server on the target computer.
  • Whether users can specify alternative Kerberos credentials.
  • How many times a password attempt is allowed.

Security and Compliance Benefits of Using the DirectControl-Enabled PuTTY

The open source PuTTY utility does not support Kerberos authentication, an essential prerequisite for both network security and Active Directory-based authentication. When connecting through SSH, the open source PuTTY client transmits user names and passwords "in the clear" over the network, representing a significant security risk. It is also frequently deployed in environments where users log in using root, shared service or local accounts, which prevents security managers from applying "need to know" access controls for individual users, and prevents IT compliance auditors from linking specific user accounts with actions taken on systems hosting sensitive data.

By deploying the DirectControl-enabled PuTTY utility for remote access to DirectControl-managed UNIX and Linux systems, you gain the following benefits:

  • IT Security. Kerberos provides a secure, encrypted connection to the remote computer to protect credentials as they move across the network. You can also centrally configure PuTTY through Group Policy so you can enforce a consistent security policy for the way users connect to sensitive systems.
  • IT Governance. Enforcing the use of the DirectControl-enabled PuTTY for Active Directory-based authentication can ensure that users are not logging in using shared service accounts. The access controls (including Centrify's unique, granular Zone-based access controls) and policies set for that user will thus be enforced on the UNIX and Linux systems. (See Managing UNIX Generic and Service Accounts with Active Directory for a discussion of the risks and best practices.) Active Directory authentication links user activity to a specific Active Directory account, providing accountability and auditability.
  • IT Infrastructure Optimization. Centrify provides a packaged and tested version of PuTTY that includes a standard Windows installer and full documentation. This helps you get PuTTY deployed quickly and consistently throughout your organization. For those customers who want it, Centrify's unique Support for Open Source Software plan provides the same benefits as product support, including guaranteed service levels and other benefits.

How to Get the DirectControl-Enabled PuTTY

Centrify provides the DirectControl-enabled version of PuTTY free of charge to help you be more productive and to accelerate your deployment. Customers and those evaluating DirectControl can download it from the Centrify Download Center. Centrify also provides a support plan that includes guaranteed service levels and other benefits.

Supported Platforms

Microsoft Windows:

  • XP
  • 2000 Pro
  • 2000 Server
  • 2003
  • 2003 R2
  • Vista

See the PuTTY Home Page for more information.