Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-1883: Unable to receive a Kerberos ticket upon login when using public key method

Auditing and Monitoring Service ,   Authentication Service ,   Mac & PC Management Service ,  

12 April,16 at 11:02 AM

Applies to: Centrify DirectControl-Enabled OpenSSH.

Question: 
When a user uses ssh and public/private key pair method to access a system running Centrify, the user does not receive a kerberos ticket on login.  Is their a recommended configuration for Centrify and SSH that will solve this problem?  For this particular case, the customer does not want to use a kerberos key for passwordless connection instead use the public-key authentication.

Answer:
1) Centrify does NOT and cannot change any default behavior of OpenSSH source code as per GPL hence whatever functionality it offers is how it works in Centrify OpenSSH too.
 
2) Centrify compiles OpenSSH with Kerberos support.
 
3) Centrify understands that "Public Key authentication method cannot get Kerberos tickets for users" and  we do NOT have any special configuration parameters to achieve this. To get Kerberos tickets as part of login either please use "interactive login using username/password" or Kerberos authentication.

Additional notes:
The below link shows that even stock SSH does not support this method. This link was provided as a courtesy. Centrify does not take any responsibility for the authenticity or if the link itself becomes unavailable over a period of time. 

http://sial.org/howto/openssh/publickey-auth/
 
Centrify Corporation does not take any responsibility for the content or availability of this link and it was provided as a courtesy.  Customers should contact the vendor if there are any further questions


 

Related Articles

 articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6044: How to configure users for automatic Kerberos Credentials for infinite renewal even after users have logged out? articleKB-3925: How to add Centrify parameter to a group policy