Here is a common situation that many of my federal customers are facing with their “smart card mandatory” implementations: many of their IT admins have a multiuser smart card with two AD accounts mapped to it, the first being their normal, standard AD account and the second being their Admin account. They log on to their desktops using their standard AD account and smart card PIN; however, only their Admin AD account is authorized to log into Unix/Linux machines, and this Admin account has been modified in Active Directory to require a smart card for login. The Centrify Unix agent is configured to disallow passwords and allow SSO via Kerberos, but how do these users obtain a Kerberos ticket for their Admin account when they have logged onto their desktop using their standard account?
On Windows desktops this is solved using the built-in “Run As” feature. These users can right-click PuTTY and choose “Run as different user”, choose their second Admin account, and Active Directory will prompt them for their smart card PIN. After successfully authenticating to AD they receive Kerberos tickets for this Admin account, which can then be used to SSO into the Centrified Unix machine using PuTTY. But what about those administrators who have a Mac or Red Hat Linux machine as their desktop?
The solution is to use the Centrify “sctool” command that comes with the Centrify agent installed on these Mac and Red Hat desktops, combined with the -a option, which performs an alternate PKINIT. The format is “sctool -a <admin-account>”, where <admin-account> is the second Admin account that is mapped to the smart card. This command prompts for the PIN and, upon success, provides Kerberos tickets for this second Admin account. These Kerberos tickets are then used to SSO onto a Unix machine when doing SSH as the Admin account.
A recap of the solution at a high level:
- Centrify Server Suite agents installed on all Unix/Linux machines, joined to AD, and configured to prevent users from logging in with passwords
- IT Admin personnel each have a second “admin” AD account, and these accounts are configured for smart card only in AD. Only these Admin accounts have been given Unix login access via Centrify.
- IT Admins log in to their Windows desktops and/or Centrified Mac & Red Hat desktops as their standard AD account, and through a standard, simple method they request AD Kerberos tickets for their Admin account, which prompts them for their PIN. They then use these Kerberos tickets to SSO into a Centrified Linux machine as their Admin account.
- On Windows, admins do a “Run as different user” to launch their PuTTY session using their Admin AD account, and they are prompted for their PIN.
- On Macs and Red Hat desktops, admins use the Centrify command “sctool -a <admin-account>” to get Kerberos tickets for their Admin AD account, and they are prompted for their PIN. Then they can use SSH with their Admin account, and it will use their Admin Kerberos tickets to SSO them into the Centrified Unix machine.
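The Mac / Red Hat procedure above (sctool -a for the alternate PKINIT, then SSH with the Admin account's Kerberos tickets) is easy to get subtly wrong: if sctool fails or is skipped, the credential cache still holds the standard account's tickets and SSH silently falls back to whatever authentication the server allows. The wrapper below is an added example, not a Centrify tool or code from the original post. It runs the two steps and, in between, checks the klist output so that SSO is only attempted when the cache really belongs to the Admin principal and holds a TGT for the realm; it also pins the SSH client to GSSAPI with password authentication disabled, mirroring the agent-side “no passwords” policy. It assumes sctool, an MIT or Heimdal klist, and an OpenSSH client on PATH; the account and realm names in the usage line are placeholders.

```shell
#!/bin/sh
# Hypothetical wrapper for the Mac / Red Hat workflow in this post (not a Centrify tool):
#   1. sctool -a <admin-account>  obtains a Kerberos TGT for the second, smart-card-only
#      account, prompting for the PIN
#   2. the klist output is checked so we fail early if the cache still holds the
#      standard account's tickets (or no TGT at all)
#   3. ssh is invoked as the admin account with GSSAPI only; password auth is
#      disabled on the client side to mirror the agent-side "no passwords" policy
# Assumptions: Centrify sctool, MIT or Heimdal klist, and an OpenSSH client on PATH.

# cache_principal <klist-output>
# Prints the principal that owns the credential cache. MIT klist labels it
# "Default principal:", Heimdal (macOS) labels it "Principal:"; both are handled.
cache_principal() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*\(Default \)\{0,1\}[Pp]rincipal:[[:space:]]*//p' \
        | head -n 1
}

# principal_matches <expected-principal> <klist-output>
# Succeeds only when the cache belongs to the expected admin principal.
principal_matches() {
    [ "$(cache_principal "$2")" = "$1" ]
}

# has_tgt <REALM> <klist-output>
# Succeeds when the cache holds a ticket-granting ticket for the realm.
has_tgt() {
    printf '%s\n' "$2" | grep -qF "krbtgt/$1@$1"
}

# admin_kinit <admin-account> <REALM>
# Runs the alternate PKINIT (prompts for the PIN) and verifies that the
# resulting cache is usable for SSO as the admin account.
admin_kinit() {
    account="$1"
    realm="$2"
    sctool -a "$account" || { echo "sctool -a failed for $account" >&2; return 1; }
    cache="$(klist 2>/dev/null)"
    principal_matches "$account@$realm" "$cache" || {
        echo "credential cache belongs to '$(cache_principal "$cache")', not $account@$realm" >&2
        return 1
    }
    has_tgt "$realm" "$cache" || { echo "no TGT for $realm in cache" >&2; return 1; }
}

# admin_ssh <admin-account> <host>
# Kerberos (GSSAPI) only; a missing or wrong ticket fails instead of
# degrading to a password prompt.
admin_ssh() {
    ssh -o GSSAPIAuthentication=yes \
        -o PreferredAuthentications=gssapi-with-mic \
        -o PasswordAuthentication=no \
        -l "$1" "$2"
}

# Usage (placeholder values): ./admin-ssh.sh jdoe-adm EXAMPLE.COM linuxhost01
if [ "$#" -eq 3 ]; then
    admin_kinit "$1" "$2" && admin_ssh "$1" "$3"
fi
```

The principal check is the part worth keeping even if the rest is adapted: it catches the case where an admin forgets the sctool step and tries to SSH with the standard account's tickets, which Centrify would then reject because that account has no Unix login rights.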