Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

AD Bridging & Kerberos vs PuTTY-CAC

11 April,19 at 11:50 AM

          As more federal organizations move toward enforcing smart card mandatory policies, I often get asked about how the Centrify agent on Unix/Linux works with SSH in terms of complying with these mandates.  Additionally, many IT personnel have used PuTTY-CAC and want to know the difference between how it works and how the Centrify agent supports the use of smart cards.   To begin, we need to review the basics of the SSH protocol and the use of SSH keys.


          The SSH protocol itself does not support smart cards directly – it cannot “reach back across” the network and read a smart card.  With Windows RDP there is normally a USB-forward of your local smart card so that the remote windows system thinks the smart card is actually local, and there is no equivalent within Unix/Linux SSH.  When you SSO using SSH keys, the trust and login is allowed because there are keys on both sides – the sender and the receiver both have a copy.  However this is completely separate from any AD authentication.  PuTTY-CAC is simply another form of SSO using SSH keys, with the added security that the local sender’s keys are derived from a certificate on the smart card, which are protected by a pin.  But the SSH protocol itself does not have any knowledge of a smart card, it is simply using SSH keys.  And again this authentication via keys is separate from AD authentication, and additionally requires the on-going management and proper placement of SSH keys.  
          What the Centrify agent for Unix/Linux provides is Active Directory based authentication, including SSO using Kerberos tickets obtained from AD authentication. We have many federal customers enforcing HSPD-12 smart card compliance by enforcing smart card logins for AD authentication at the desktops, and using the corresponding Kerberos tickets to SSO to Centrified Unix/Linux machines.  The Centrify agent can also disallow password logins for AD accounts, so therefore the only access to these Unix/Linux machines is via a Kerberos ticket obtained from a smart card authentication.   Again we have many federal customers doing exactly this with their Centrify agents deployed across thousands of Unix/Linux servers.  For a demonstration of this, please contact myself or your local Centrify Systems Engineer.