Centrify Resource Center

Home  |  Centrify Resource Center  |  Centrify Suite Resources  |  Remote Access Tools for Linux & UNIX
Application Note

Secured Single Sign-on with SecureCRT 5.0

Published: October 2005

Introduction

DirectControl integrates Unix systems into Active Directory to enable centralized management of user authentication and authorization. Most users will have already authenticated to their Windows workstation and need to access the Unix system remotely over the Enterprise network. One of the benefits of using Active Directory and DirectControl is the ability to leverage the built-in Kerberos infrastructure to securely authenticate a user from one computer to the next as they need to access resources without requiring the user to re-submit authentication credentials.

SecureCRT 5.0 from VanDyke Software provides native support for both SSH and Kerberos, enabling Windows users to seamlessly and securely access remote Unix systems that have been integrated into Active Directory with DirectControl and that are running a Kerberized version of an SSH server such as OpenSSH. This application note guides you through the configuration of SecureCRT in order to seamlessly access a Unix system using Kerberos and SSH.

Contents

Unix Server Configuration

DirectControl needs to be installed and joined into an Active Directory Domain on the Unix computer that you will be connecting to. Additionally, you need to ensure that you have a SSH Server running on the Unix system and that it has been configured to use Kerberos for user authentication.

Centrify has made the latest version of OpenSSH available that has been compiled and configured for Kerberos based user authentication. Please see the Centrify Resource Center for more information on installing OpenSSH.

^ back to contents

SecureCRT 5.0 Configuration

SecureCRT 5.0 running on a Windows computer that has been joined to Active Directory will support Single Sign-On to other computers which are properly configured for Kerberized SSH connections. SecureCRT provide built-in support for Microsoft Kerberos based authentication over SSH connections, so no additional configuration is required beyond simply selecting GSSAPI as the method of authentication when you are connecting to a remote system.

Connecting to a Remote System

The following instructions will show the options to select for a Kerberized SSH connection to a Unix host.

  1. Launch SecureCRT 5.0 and you should see the Quick Connect dialog, if not simply select File, then Quick Connect.
  2. Type the name of the remote Unix host that you want to connect to in the Hostname field.
  3. For computers with DirectControl, you may type your Active Directory login name into the username field.
  4. In the Authentication list, deselect all of the options except for GSSAPI. The default properties for GSSAPI will work properly so you do not need to change them, however if they have been changed you should set them to the MS Kerberos Method and Full Delegation.
  5. Click Connect and you should next see that you have been logged into the remote Unix host without having to type in your password.

^ back to contents

Summary

DirectControl provides a fully configured and automatically maintained MIT Kerberos client environment that is integrated with Active Directory to enable applications such as SSH and SecureCRT to securely authenticate the user based on the user's initial login and the mutual trust relationship that both the user and the computers share through the Active Directory domain controller infrastructure.

For more information on configuring and installing OpenSSH:

^ back to contents

View a 5-Minute Demo
  Try It, Buy It Download a trial, get pricing info, or contact Sales.