Application Note

Using Reflections for Secure Unix 13.0.1

Published: 4 October 2005

Introduction

Joint AttachmateWRQ / Centrify Datasheet

DirectControl integrates Unix systems into Active Directory to enable centralized management of user authentication and authorization. Most users will already have authenticated to their Windows workstation and need to reach the Unix system remotely over the enterprise network. One of the benefits of using Active Directory with DirectControl is the ability to leverage its built-in Kerberos infrastructure to authenticate a user securely from one computer to the next as they access resources, without requiring the user to re-submit credentials.

Reflections for Unix 13.0.1 from AttachmateWRQ provides native support for both SSH and Kerberos, enabling Windows users to access remote Unix systems seamlessly and securely when those systems have been integrated into Active Directory with DirectControl and run either a Kerberized SSH server such as OpenSSH or a Kerberized telnet server. The following instructions guide you through configuring Reflections for Unix on a Windows computer and connecting to a Unix computer with it.

Contents

  • Unix Computer Requirements
  • Reflections for Unix 13.0.1 Configuration
  • Connecting to a Remote System
  • Summary

Unix Computer Requirements

DirectControl must be installed on the Unix computer you will connect to, and that computer must be joined to an Active Directory domain. Additionally, ensure that an SSH server (or a Kerberized telnet server, if you will use the telnet method described below) is running on the Unix system and has been configured to use Kerberos for user authentication. For OpenSSH this means GSSAPI authentication is enabled in sshd_config and the host keytab that DirectControl maintains after the join contains the host/<fqdn>@REALM principal the client will request a ticket for.

Centrify has made the latest version of OpenSSH and a set of Kerberos Tools available, pre-compiled to make installing and configuring Kerberos-based user authentication simpler. See the Centrify Resource Center for more information on installing OpenSSH and the Kerberos Tools.
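
The following script checks the two Unix-side prerequisites above from the shell. It is added to this note as an example and is not part of the Centrify or AttachmateWRQ tools: it reads sshd_config the way sshd does (the first occurrence of a keyword wins, comment lines are ignored) to confirm that GSSAPIAuthentication is effectively "yes", and it reads the output of MIT Kerberos' klist -kt to confirm that the host keytab holds host/<fqdn>@REALM. The hostname unixhost.example.com, the realm EXAMPLE.COM and the two sample files it writes are constructed for the demonstration; on a real host you would point the checks at /etc/ssh/sshd_config and at the saved output of klist -kt /etc/krb5.keytab.

```shell
#!/usr/bin/env bash
# Preflight checks for a Kerberized OpenSSH server on a DirectControl-joined host.
# Added example; not part of the original Application Note or of Centrify's tools.
# Assumes stock OpenSSH (GSSAPIAuthentication directive) and MIT Kerberos klist.

# Effective value of a keyword in sshd_config. sshd uses the FIRST occurrence
# of each keyword, so a later "GSSAPIAuthentication yes" does not override an
# earlier "no"; comment lines (# ...) are skipped.
sshd_option() {                       # sshd_option <sshd_config> <keyword>
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# 0 if GSSAPI (Kerberos) user authentication is effectively enabled, else 1.
sshd_gssapi_enabled() {               # sshd_gssapi_enabled <sshd_config>
    local v
    v=$(sshd_option "$1" GSSAPIAuthentication | tr 'A-Z' 'a-z')
    [ "$v" = "yes" ]
}

# 0 if the principal appears in saved "klist -kt" output, else 1. On the host:
#   klist -kt /etc/krb5.keytab > /tmp/keytab.txt
keytab_has_principal() {              # keytab_has_principal <klist-kt-output> <principal>
    awk -v p="$2" '$NF == p { found = 1 } END { exit !found }' "$1"
}

# Run both checks for a host and report; returns 1 if either fails.
check_unix_host() {                   # check_unix_host <sshd_config> <klist-kt-output> <fqdn> <realm>
    local rc=0
    if sshd_gssapi_enabled "$1"; then
        echo "ok   GSSAPIAuthentication yes (first occurrence) in $1"
    else
        echo "FAIL GSSAPIAuthentication is not effectively 'yes' in $1"; rc=1
    fi
    if keytab_has_principal "$2" "host/$3@$4"; then
        echo "ok   keytab contains host/$3@$4"
    else
        echo "FAIL keytab lacks host/$3@$4 (is the host joined to the domain?)"; rc=1
    fi
    return $rc
}

# --- Constructed sample files for the demonstration ---------------------------
demo=$(mktemp -d)
cat > "$demo/sshd_config" <<'EOF'
# GSSAPIAuthentication yes
# (commented out above: must be ignored)
GSSAPIAuthentication yes
# destroy forwarded tickets at logout (this is also the OpenSSH default)
GSSAPICleanupCredentials yes
# ignored by sshd because the first occurrence wins
GSSAPIAuthentication no
EOF
cat > "$demo/keytab.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 10/04/05 10:12:33 host/unixhost.example.com@EXAMPLE.COM
   3 10/04/05 10:12:33 unixhost$@EXAMPLE.COM
EOF
check_unix_host "$demo/sshd_config" "$demo/keytab.txt" unixhost.example.com EXAMPLE.COM
rm -rf "$demo"
```

The first-occurrence rule matters in practice: a distribution-supplied sshd_config that sets GSSAPIAuthentication no near the top silently defeats a "yes" appended at the bottom, and the only symptom on the client is a password prompt.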

Reflections for Unix 13.0.1 Configuration

Reflections for Unix running on a Windows computer that has been joined to Active Directory supports single sign-on to other computers that are properly configured for Kerberized SSH or telnet connections.

The Reflections for Unix client provides built-in support for Microsoft Kerberos-based authentication over SSH and telnet connections, and WRQ supplies a Kerberos Manager application that controls how Kerberos is used. The following instructions guide you through setting up the Reflections Kerberos Manager for Active Directory, enabling single sign-on to Unix computers that are integrated into Active Directory with DirectControl.

  • Launch the WRQ Reflections Kerberos Manager application. You should see your Active Directory principal name as the Full principal name and, at a minimum, your Ticket Granting Ticket listed as the krbtgt for the domain you have logged into.
  • Next, select Configure Realms from the Configure menu. You will see the Configuration Realm listing for your domain; select your domain and click the Properties button.
  • Make sure that the option Use Windows login credentials is checked on the KDC tab.
  • Next, make sure that the KDC request sum type and the Application request sum type are both set to RSA_MD5, the checksum type this version of the client requires.
  • Next, click the Configure Encryption Types button and make sure that the Requested KDC encryption types list has DES_CBC_CRC and DES_CBC_MD5 listed first.
  • The Active Directory user will also need the account option Use DES encryption types for this account set, so that the Kerberos tickets are encrypted with an algorithm that Reflections supports. This can be set using Active Directory Users and Computers, on the Account tab of the user's properties. Note that this restricts the account's Kerberos keys to single DES, which is 56-bit and weak by current standards, and later Windows versions disable the DES Kerberos encryption types by default: enable it only for the accounts that must use this client, and treat it as a constraint of this client version rather than a recommendation.
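
The last step above flips one bit in the user's userAccountControl attribute, ADS_UF_USE_DES_KEY_ONLY (0x200000). The shell functions below are added to this note as an example, not Centrify or AttachmateWRQ code; they decode that attribute, compute the value to write back, and emit the LDIF an administrator could apply with ldapmodify instead of clicking through Active Directory Users and Computers. The flag constants are the documented ADS_USER_FLAG values; the user jdoe, its DN, the domain controller dc1.example.com and the starting value 512 (a plain enabled user account) are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Decode and update the userAccountControl bits behind "Use DES encryption types
# for this account". Added example; not part of the original note or of any
# vendor tool. Flag values are the documented ADS_USER_FLAG constants.
UF_ACCOUNTDISABLE=2               # 0x000002
UF_NORMAL_ACCOUNT=512             # 0x000200
UF_TRUSTED_FOR_DELEGATION=524288  # 0x080000
UF_NOT_DELEGATED=1048576          # 0x100000  "account is sensitive and cannot be delegated"
UF_USE_DES_KEY_ONLY=2097152       # 0x200000  the bit set by the step above
UF_DONT_REQUIRE_PREAUTH=4194304   # 0x400000

uac_has() {                       # uac_has <uac-value> <flag>; 0 if the bit is set
    [ $(( $1 & $2 )) -ne 0 ]
}

uac_with_des() {                  # uac_with_des <uac-value>; prints the value with the DES bit set
    echo $(( $1 | UF_USE_DES_KEY_ONLY ))
}

uac_describe() {                  # uac_describe <uac-value>; names of the Kerberos-relevant bits set
    local out="" name flag
    for name in UF_ACCOUNTDISABLE UF_NORMAL_ACCOUNT UF_TRUSTED_FOR_DELEGATION \
                UF_NOT_DELEGATED UF_USE_DES_KEY_ONLY UF_DONT_REQUIRE_PREAUTH; do
        eval "flag=\$$name"
        if uac_has "$1" "$flag"; then out="$out $name"; fi
    done
    printf '%s\n' "${out# }"
}

des_ldif() {                      # des_ldif <dn> <current-uac>; LDIF for ldapmodify
    printf 'dn: %s\nchangetype: modify\nreplace: userAccountControl\nuserAccountControl: %s\n' \
        "$1" "$(uac_with_des "$2")"
}

# --- Demonstration with a constructed account ---------------------------------
# Read the live value first (names are placeholders):
#   ldapsearch -LLL -Y GSSAPI -H ldap://dc1.example.com -b dc=example,dc=com \
#       '(sAMAccountName=jdoe)' userAccountControl
current=512                       # NORMAL_ACCOUNT only, as ldapsearch would return it
echo "before: $current -> $(uac_describe "$current")"
new=$(uac_with_des "$current")
echo "after:  $new -> $(uac_describe "$new")"
if uac_has "$new" "$UF_USE_DES_KEY_ONLY"; then
    echo "warning: Kerberos long-term keys for this account are now restricted to 56-bit DES"
fi
des_ldif 'CN=jdoe,OU=Users,DC=example,DC=com' "$current"
```

Computing the new value with OR rather than replacing it outright keeps the other bits intact; a bare replace with 2097152 would, for example, clear UF_NORMAL_ACCOUNT. The same decoder doubles as an audit tool: running it over every account's userAccountControl shows which users still carry the DES bit after the client that needed it has been retired.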

Connecting to a Remote System

Note: Reflections for Unix supports both Secure Shell and Kerberized telnet as connection methods for a secure Kerberized connection to the remote Unix computer. The remainder of this Application Note describes the Kerberized telnet connection, since the Secure Shell instructions are the same as those for Reflections for Secure IT, which are covered in a separate Application Note.

The following instructions show the options to select for a Kerberized telnet connection to a Unix host.

  • Launch the Host for Unix and OpenVMS client from the WRQ Reflections folder in your Start menu, then select Connection Setup from the Connection menu.
  • Select Telnet as the connection method, then type the name of the remote Unix host you want to connect to in the Hostname field. This should be the fully qualified hostname: the client derives the service principal it requests a ticket for (host/<fqdn>@REALM) from this name, and it must match a key in the host's keytab.
  • Click the Security button and, on the Kerberos tab, configure Reflections Kerberos as the authentication method. Check that the Principal, Realm and User ID match your Active Directory user ID and domain. You can also select Forward ticket so that you can connect onward to other computers from the Unix computer; this hands the remote host a copy of your ticket-granting ticket, so enable it only for hosts you trust to act with your identity. Finally, you can choose whether to Encrypt the data stream. Left unencrypted, Kerberos still authenticates the login, but everything typed and displayed afterwards crosses the network in the clear, so select encryption for anything beyond a trusted network segment.
  • Click OK, then click Connect to establish the session on the remote Unix computer.
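
Once the session is up, the effect of Forward ticket can be verified on the Unix host: a forwarded TGT lands in the user's credential cache, and MIT Kerberos' klist -f marks it with the lowercase f (forwarded) flag, whereas a TGT obtained locally with kinit shows only the uppercase F (forwardable). The functions below are added to this note as an example and are not part of the original note or of any vendor tool; they parse klist -f output and confirm that the principal is the expected Active Directory user. The principal jdoe@EXAMPLE.COM and both sample cache listings are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Verify on the Unix host that the Kerberos TGT arrived via ticket forwarding.
# Added example; not part of the original note or of any vendor tool. Parses the
# output of MIT Kerberos "klist -f", whose flag letters include
# F = forwardable, f = forwarded, R = renewable, I = initial, A = preauthenticated.

# Default principal from klist output; compare with the expected user@REALM.
klist_principal() {               # klist_principal <klist-output>
    awk -F': ' '/^Default principal:/ { print $2; exit }' "$1"
}

# Flags string of the krbtgt entry (klist -f prints it on the following line).
tgt_flags() {                     # tgt_flags <klist-output>
    awk '
        /krbtgt\// { tgt = 1; next }
        tgt && /Flags:/ { sub(/.*Flags: */, ""); print; exit }
        { tgt = 0 }
    ' "$1"
}

# 0 if the TGT was forwarded to this host (lowercase f present), else 1.
tgt_forwarded() {                 # tgt_forwarded <klist-output>
    case "$(tgt_flags "$1")" in *f*) return 0 ;; *) return 1 ;; esac
}

# Report for one credential cache listing; returns 1 on any mismatch.
check_session() {                 # check_session <klist-output> <expected-principal>
    local p
    p=$(klist_principal "$1")
    if [ "$p" != "$2" ]; then
        echo "FAIL principal is '$p', expected '$2'"; return 1
    fi
    if tgt_forwarded "$1"; then
        echo "ok   $p: TGT forwarded to this host (flags $(tgt_flags "$1")); onward Kerberos logins will work"
    else
        echo "FAIL $p: TGT present but not forwarded (flags $(tgt_flags "$1"))"; return 1
    fi
}

# --- Constructed "klist -f" output for the demonstration ----------------------
demo=$(mktemp -d)
cat > "$demo/forwarded.txt" <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_10001_Xa1b2c
Default principal: jdoe@EXAMPLE.COM

Valid starting     Expires            Service principal
10/04/05 10:15:02  10/04/05 20:15:02  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 10/11/05 10:15:02, Flags: FfRIA
EOF
cat > "$demo/local.txt" <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_10001
Default principal: jdoe@EXAMPLE.COM

Valid starting     Expires            Service principal
10/04/05 10:20:41  10/04/05 20:20:41  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 10/11/05 10:20:41, Flags: FRIA
EOF
check_session "$demo/forwarded.txt" jdoe@EXAMPLE.COM
check_session "$demo/local.txt"     jdoe@EXAMPLE.COM || true   # expected to report FAIL
rm -rf "$demo"
```

If Forward ticket was left unchecked, klist on the host reports no credential cache for the session at all, and a further Kerberized hop from that host will fall back to prompting for a password. When forwarding is enabled, the OpenSSH default GSSAPICleanupCredentials yes removes the forwarded cache at logout; the equivalent should be confirmed for whichever telnet daemon is in use.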

Summary

DirectControl provides a fully configured and automatically maintained MIT Kerberos client environment, integrated with Active Directory, that enables applications such as Reflections to authenticate the user securely based on the user's initial login and on the mutual trust that the user and the computers share through the Active Directory domain controller infrastructure.