[How to] Force Kerberos SSH Authentication, and Disable SSH Public Key Authentication

11 April 2019 at 11:50 AM

Joining Linux and UNIX machines to an Active Directory domain with Centrify Infrastructure Services has countless benefits, not the least of which is the ability to do away with SSH public key authentication. There are several good reasons to discontinue the use of SSH keys. For a complete list, see NIST Internal Report 7966 (Security of Interactive and Automated Access Management Using Secure Shell).

 

I can save you some dry reading, and summarize it like this. If improperly managed, the use of SSH Keys can present a massive security risk. Even if every measure is taken to properly manage them, SSH key provisioning is still prone to human error, and after all, UNIX admins are only human.

 

The great news is this. With Centrify Infrastructure Services, you don’t need to manage SSH keys. You can do away with them altogether. Even better, you can do away with them and enable Kerberos single sign-on authentication. Kerberos is a more secure authentication method: tickets cannot be spoofed, and because the domain issues them there is no manual key provisioning to get wrong.

 

In order to accomplish this, we are going to create two Microsoft Group Policy settings. The first policy setting will force the Centrify PuTTY client to always attempt to authenticate via Kerberos. The second policy setting will disallow SSH Public Key authentication.

 

In order for this to work, you must use the Centrify PuTTY program, and your UNIX/Linux machines must have the Centrify-Enabled OpenSSH package installed. Both are installed during the Centrify installation process, although the Centrify-Enabled OpenSSH package is optional.

 

If you are not using the Centrify PuTTY program, I would recommend that you do. It offers some very useful features out of the box that the standard PuTTY program does not. The Centrify PuTTY program is compiled with Kerberos support. In addition, the Centrify PuTTY settings can be configured centrally via group policy. This is important because we want to use Kerberos support, and we also want to force Kerberos authentication whenever possible.

 

Centrify provides a group policy administrative template specifically for the Centrify PuTTY program. This allows for granular control over all of the Centrify PuTTY settings. The first step is to install the group policy administrative template for the Centrify PuTTY program.

 

The Centrify PuTTY administrative template is available in both xml and admx formats.

  • The admx file, centrify_putty_settings.admx, is installed by default in the C:\Windows\PolicyDefinitions directory.
  • The xml file, centrify_putty_settings.xml, is installed by default in the same directory as the Centrify PuTTY program. The default location is C:\Program Files\Centrify\Centrify PuTTY.

[Screenshot: location of the Centrify PuTTY XML template file]

 

In most cases it is best to use the XML template.

 

To install the centrify_putty_settings.xml template:

  1. Open the Group Policy Management Console and create or edit an existing Group Policy Object linked to a site, domain or OU that includes the Windows machines that have the Centrify PuTTY program.
  2. In the Group Policy Editor, expand Computer Configuration, then right-click Centrify Settings and select Add/Remove Templates.
  3. Click Add, then navigate to the directory that contains the xml file.
  4. Select the xml file, click Open to add the template, then click Close.

[Screenshot: Add/Remove Templates dialog]

 

Now that the administrative template is installed, we will want to enable the policy to always attempt to connect to remote systems using Kerberos. In the Group Policy Management Console, you should now see Centrify Putty Settings under Configuration\Policies\Centrify Settings.

 

  1. Navigate to Computer Configuration\Policies\Centrify Settings\Centrify Putty Settings\Connection\SSH\Kerberos
  2. Double-click the Attempt Kerberos auth (SSH-2) policy setting
  3. Select the Enabled radio button
  4. Set the Attempt Kerberos auth (SSH-2) dropdown selection to Always
  5. Click on Apply and OK

[Screenshot: Attempt Kerberos auth (SSH-2) policy properties]

 

You can force the policy to update on a Windows machine that has the Centrify PuTTY program by running gpupdate /force in a command prompt.

 

[Screenshot: gpupdate /force output]

 

Once the policy updates you will notice that the option Attempt Kerberos auth (SSH-2) is no longer configurable, and is greyed-out.

 

[Screenshot: Attempt Kerberos auth (SSH-2) option greyed out in Centrify PuTTY]

 

I am going to preface the next part with a word of caution. We are going to disallow SSH public keys from being used, and this could have some adverse, unforeseen effects. It is not uncommon for UNIX/Linux administrators to use SSH public key authentication from within their scripts so that they can run unattended as cron jobs. You will want to verify whether this is the case in your environment before proceeding. Once you are clear to proceed, move on to the next steps. If you get stuck here, may I suggest that you look into Centrify Application to Application Password Management (AAPM)? Application to Application Password Management is outside the scope of this article, but it is very cool, and it is worth looking into.
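The verification step above is easy to skip and painful to get wrong, so here is an added example of the pre-change audit I would run on each UNIX/Linux host before pushing the policy. It is not part of the original article and not Centrify tooling; it is a plain POSIX shell script that walks a directory of home directories (assumed to be /home, passed as an argument) and reports which accounts still trust SSH public keys, together with the comment field of each key, which is usually where a script or cron job identifies itself. Keys carrying a forced command= option are a strong hint of automation.

```shell
#!/bin/sh
# Added example (not Centrify's code): inventory SSH public-key trust on a
# host before PubkeyAuthentication is turned off, so that cron jobs and
# scripts that depend on keys can be found and migrated first.
#
# Usage: list_authorized_keys <directory that contains the home directories>
# Prints "<user> <number of active keys>" for every home directory whose
# .ssh/authorized_keys file holds at least one non-comment, non-blank line.
list_authorized_keys() {
    base="$1"
    for home in "$base"/*/; do
        [ -d "$home" ] || continue
        f="$home.ssh/authorized_keys"
        [ -f "$f" ] || continue
        # count lines that are neither blank nor comments; grep -c exits 1
        # when the count is zero, so do not let set -e trip on it
        n=$(grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" || true)
        if [ "$n" -gt 0 ]; then
            printf '%s %s\n' "$(basename "$home")" "$n"
        fi
    done
    return 0
}

# Usage: key_comments <authorized_keys file>
# Prints the trailing comment of each key line (one per line). The key type
# field (ssh-*, ecdsa-*, sk-*) is located first so that any leading options
# such as command="..." or from="..." are skipped.
key_comments() {
    awk '
        $0 ~ /^[ \t]*$/ || $0 ~ /^[ \t]*#/ { next }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                    c = ""
                    for (j = i + 2; j <= NF; j++)
                        c = c (j > i + 2 ? " " : "") $j
                    print (c == "" ? "(no comment)" : c)
                    break
                }
        }
    ' "$1"
}

# Demo on a constructed set of home directories (not real users or keys).
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/alice/.ssh" "$d/bob/.ssh" "$d/carol"
    printf '# alice keys\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY alice@laptop\ncommand="/opt/backup.sh" ssh-rsa AAAAB3NzaFAKE backup cron\n\n' \
        > "$d/alice/.ssh/authorized_keys"
    : > "$d/bob/.ssh/authorized_keys"
    echo "accounts that still trust SSH keys:"
    list_authorized_keys "$d"
    echo "key comments for alice:"
    key_comments "$d/alice/.ssh/authorized_keys"
    rm -rf "$d"
}

case "${1:-}" in --demo) demo ;; esac
```

Run it as `sh audit_keys.sh --demo` to see it on the constructed data, or call `list_authorized_keys /home` on a real host. Anything this reports that belongs to a service account, or whose comment names a job rather than a person, needs a migration plan (for example to AAPM) before the policy below is applied.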

 

When the Centrify UNIX or Linux agent is installed, you are given the option to install the Centrify-Enabled OpenSSH component. It is a good idea to install the Centrify-Enabled OpenSSH server because it is enabled with GSSAPI, which allows us to do single sign-on using Kerberos. In addition to being compatible with Kerberos, the Centrify OpenSSH server can be configured centrally via Microsoft group policy.

 

Just like the Centrify PuTTY program, the Centrify-Enabled OpenSSH server has a group policy administrative template. Just as before, the administrative template is available in both xml and admx formats.

  • The xml file, centrify_unix_settings.xml is installed by default in the C:\Program Files\Common Files\Centrify Shared\Group Policy Management Editor Extension\policy directory.
  • The admx file, centrify_unix_settings.admx is installed by default in the C:\Windows\PolicyDefinitions directory.

 

In most cases it is best to use the XML template.

 

To install the centrify_unix_settings.xml template:

  1. Open the Group Policy Management Console and create or edit an existing Group Policy Object linked to a site, domain or OU that includes the UNIX or Linux machines with the Centrify-Enabled OpenSSH server.
  2. In the Group Policy Editor, expand Computer Configuration, then right-click Centrify Settings and select Add/Remove Templates.
  3. Click Add, then navigate to the directory that contains the xml file.
  4. Select the xml file, click Open to add the template, then click Close.

 

You should now see SSH Settings under Configuration\Policies\Centrify Settings.

 

  1. Navigate to Computer Configuration\Policies\Centrify Settings\SSH Settings
  2. Double-click the Add sshd_config properties policy setting
  3. Click the Enabled radio button and click on Add
  4. In the Property name text field, type PubkeyAuthentication
  5. In the Property value text field, type no
  6. Click on OK
  7. Click on Apply and OK

 [Screenshot: Add sshd_config properties dialog]

 

Open a command line shell on a Linux or UNIX machine that has the Centrify OpenSSH server installed, and type adgpupdate. This will force the policy that we just created to update on the local machine.

 

To verify that the policy was successful, type cat /etc/centrifydc/ssh/sshd_config | grep Pub.

 

You should see an entry, PubkeyAuthentication no. Note that a plain grep only proves the line is present; OpenSSH honours the first active occurrence of a keyword, so make sure no earlier PubkeyAuthentication yes line remains in the file.
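Because the grep above shows every matching line rather than the value sshd will actually use, here is an added example (not from the original article and not Centrify code) of a POSIX shell check that reports the effective value the way the OpenSSH parser does: comments and blank lines are ignored, keyword names are case-insensitive, the first active occurrence wins, and directives under a Match block are excluded because they only apply conditionally. The path /etc/centrifydc/ssh/sshd_config comes from the article; the function names and the sample configurations are my own.

```shell
#!/bin/sh
# Added example (not Centrify's code): report the value sshd will actually
# apply for a keyword in an sshd_config file. OpenSSH uses the FIRST active
# occurrence of most keywords, ignores comments and is case-insensitive on
# keyword names, so "grep Pub" can show a "PubkeyAuthentication no" line
# that the daemon never honours.
#
# Usage: effective_sshd_value <sshd_config path> <keyword>
# Prints the effective value, or nothing if the keyword is not set at the
# global level (sshd then falls back to its built-in default).
effective_sshd_value() {
    awk -v want="$2" '
        # drop comments and surrounding whitespace; assigning $0 re-splits fields
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        # everything after a Match line is conditional; stop considering it
        tolower($1) == "match" { inmatch = 1; next }
        inmatch { next }
        tolower($1) == tolower(want) { print $2; exit }
    ' "$1"
}

# Usage: pubkey_auth_disabled <sshd_config path>
# Succeeds (exit 0) only when public-key authentication is effectively off.
# An unset keyword means the OpenSSH default, which is "yes", so it counts
# as NOT disabled.
pubkey_auth_disabled() {
    val=$(effective_sshd_value "$1" PubkeyAuthentication | tr 'A-Z' 'a-z')
    [ "$val" = "no" ]
}

# Demo on two constructed configurations (not real host files).
demo() {
    t=$(mktemp)
    # Looks right under "grep Pub", but the earlier "yes" is what sshd uses.
    printf '# PubkeyAuthentication no\nPubKeyAuthentication yes   # first active value wins\nPubkeyAuthentication no\nMatch User svc\n    PubkeyAuthentication yes\n' > "$t"
    printf 'misleading config -> effective value: %s\n' "$(effective_sshd_value "$t" PubkeyAuthentication)"
    # The intended result of the policy in this article.
    printf 'Port 22\nPubkeyAuthentication no\nGSSAPIAuthentication yes\n' > "$t"
    if pubkey_auth_disabled "$t"; then
        echo "correct config -> public-key authentication is disabled"
    fi
    rm -f "$t"
}

case "${1:-}" in
    --demo) demo ;;
    --check) pubkey_auth_disabled /etc/centrifydc/ssh/sshd_config \
                 && echo "PubkeyAuthentication effectively no" \
                 || { echo "PubkeyAuthentication NOT disabled"; exit 1; } ;;
esac
```

On a real host, `sh check_sshd.sh --check` reads the Centrify sshd_config and exits non-zero if key authentication is still effectively enabled, which makes it easy to run from a compliance job after adgpupdate. If the Centrify-Enabled OpenSSH daemon supports the standard `sshd -T -f /etc/centrifydc/ssh/sshd_config` option (an assumption about that build), its output is the authoritative view of the effective configuration and can be used instead.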

 

[Screenshot: grep output showing PubkeyAuthentication no]

 

Managing SSH public keys can be difficult. Improperly managed SSH keys can pose a huge security risk, and even if you take every measure to manage them properly, SSH key provisioning is still prone to human error. Kerberos authentication is a much more secure method: Kerberos tickets can’t be spoofed, and Kerberos is not prone to human error. Centrify Infrastructure Services lets you do away with SSH key authentication altogether and, at the same time, enables Kerberos single sign-on, which is more secure and easier to manage.