
APPLICATION NOTE

Using WRQ Reflection for Secure IT 6.0.1

 

Published: 4 October 2005

Introduction

Joint AttachmateWRQ / Centrify Datasheet

DirectControl integrates Unix systems into Active Directory to enable centralized management of user authentication and authorization. Most users will have already authenticated to their Windows workstation and need to access the Unix system remotely over the enterprise network. One of the benefits of using Active Directory and DirectControl is the ability to leverage the built-in Kerberos infrastructure to securely authenticate a user from one computer to the next as they access resources, without requiring the user to re-submit authentication credentials.

Reflections for Secure IT 6.0.1 from AttachmateWRQ provides native support for both SSH and Kerberos, enabling Windows users to seamlessly and securely access remote Unix systems that have been integrated into Active Directory with DirectControl and that are running a Kerberized version of an SSH server such as OpenSSH. The following instructions will guide you through configuring and connecting to a Unix computer using Reflections for Secure IT from a Windows computer.

Unix Computer Requirements

DirectControl needs to be installed on the Unix computer that you will be connecting to, and that computer must be joined to an Active Directory domain. Additionally, you need to ensure that an SSH server is running on the Unix system and that it has been configured to use Kerberos for user authentication.

Centrify has made available the latest version of OpenSSH, compiled and configured for Kerberos-based user authentication. Please see the Centrify Resource Center for more information on installing OpenSSH.
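One way to confirm the server-side requirement before testing from Windows is the check below, an added example that is not part of the original application note or of Centrify's tooling. The function names are hypothetical, the path to `sshd_config` is passed in by the caller, and the defaults assumed for unset keywords are those of upstream OpenSSH.

```shell
#!/bin/sh
# Added example (not from the application note): check that an sshd_config
# enables Kerberos (GSSAPI) user authentication in its global section.

# sshd_value FILE KEYWORD DEFAULT -> effective global value, lowercased.
# sshd keywords are case-insensitive and the first occurrence wins.
sshd_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }        # comments and blank lines
        tolower($1) == "match" { exit }       # Match blocks are conditional
        {
            k = $1; v = $2; i = index($1, "=")   # also accept Keyword=value
            if (i > 0) { k = substr($1, 1, i - 1); v = substr($1, i + 1) }
            if (tolower(k) == key) { print tolower(v); found = 1; exit }
        }
        END { if (!found) print def }
    ' "$1"
}

# check_kerberized_sshd FILE -> returns 0 if GSSAPI authentication is enabled.
check_kerberized_sshd() {
    gss=$(sshd_value "$1" GSSAPIAuthentication no)     # upstream default: no
    pw=$(sshd_value "$1" PasswordAuthentication yes)   # upstream default: yes
    if [ "$gss" != "yes" ]; then
        echo "FAIL: GSSAPIAuthentication is '$gss', single sign-on will not work"
        return 1
    fi
    echo "OK: GSSAPIAuthentication yes"
    if [ "$pw" = "yes" ]; then
        echo "NOTE: PasswordAuthentication is also enabled on the server"
    fi
    return 0
}

# Constructed sample configuration, written to a temporary file for the demo.
demo() {
    f=$(mktemp)
    printf '%s\n' '# constructed sample' 'GSSAPIAuthentication yes' \
        'PasswordAuthentication no' > "$f"
    check_kerberized_sshd "$f"; rc=$?
    rm -f "$f"
    return $rc
}
demo
```

To check a real server, call `check_kerberized_sshd` with the path of the configuration file that the running sshd actually loads.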

Reflections for Secure IT 6.0 Configuration

Reflections for Secure IT 6.0.1 running on a Windows computer that has been joined to Active Directory will support Single Sign-On to other computers that are properly configured for Kerberized SSH connections.

The Reflections SSH Client provides built-in support for Microsoft Kerberos-based authentication over SSH connections, so no additional configuration is required beyond selecting GSSAPI/Kerberos as the user authentication method when you connect to a remote system.

Connecting to a Remote System

The following instructions will show the options to select for a Kerberized SSH connection to a Unix host.

  • Launch the SSH Client from the Reflections folder in your start menu, then select the Connection Setup… item from the Connection menu.
  • Type the name of the remote Unix host that you want to connect to in the Hostname field. This should be a fully qualified hostname. For computers with DirectControl, you may type your Active Directory login name into the username field.
  • Select the Security… button to configure the User Authentication type: check GSSAPI/Kerberos and deselect the other authentication methods.
  • Select the GSSAPI tab to review the default settings as shown below. Selecting SSPI as the GSSAPI Provider will ensure that the current Microsoft Kerberos tickets are used for user authentication.

Summary

DirectControl provides a fully configured and automatically maintained MIT Kerberos client environment that is integrated with Active Directory to enable applications such as Reflections to securely authenticate the user based on the user's initial login and the mutual trust relationship that both the user and the computers share through the Active Directory domain controller infrastructure.
