1 Summary - Abstract
This article describes an approach to integrating Centrify Server Suite for UNIX with a third-party MFA solution. We'll focus on PingID MFA from Ping Identity as our example. The key points this article conveys are:
- The recommended approach to implement a third-party MFA with Centrify Server Suite is through Centrify Identity Service. Whenever a CSS MFA policy is triggered, the CSS UNIX agent calls into CIS, which in turn brokers the request to the third-party MFA;
- For customers that don't want to implement CIS to enable third-party MFA for their UNIX systems, it is technically possible to configure a third-party MFA PAM module with the CSS UNIX agent without relying on Centrify Identity Service. However, there are several technical dependencies that need to be considered. Section 4 addresses some of the risks and issues with this approach.
Centrify wants our customers to "MFA Everywhere". To that end, it's important that we make MFA enablement easy. Centrify provides a turnkey multi-factor authentication service which natively integrates into our:
- Centrify Identity Service (for web and mobile applications);
- Centrify Privilege Service (for Shared Account Password management access); and
- Centrify Server Suite (for secure OS access to Windows and UNIX operating systems)
With that said, some customers might have an existing MFA service they'd like to integrate with CSS-enabled UNIX systems. To address this point, Centrify provides options for integrating third-party MFA solutions with Centrify Server Suite for UNIX.
2.1 Option 1: Third-party MFA for Centrify Server Suite through Centrify Identity Service
As an alternative to Centrify's MFA, you can enable third-party MFA for Centrify Server Suite protected UNIX servers via Centrify Identity Service. Specifically, through Centrify Identity Service customers can enable:
- OATH OTP clients; or
- RADIUS MFA servers.
Through this approach, whenever a CSS MFA policy triggers (e.g. either for server login or in response to executing a specific privileged command), the CSS UNIX agent calls into Centrify Identity Service, which in turn invokes the third-party MFA.
Here are the high-level steps for configuring UNIX OATH OTP through CIS:
1) Configure an authentication profile. The steps are outlined here:
2) Configure the third-party OATH client. The steps are outlined here:
2.2 Option 2: Third-party MFA for Centrify Server Suite without Centrify Identity Service
For customers that do not want to implement Centrify Identity Service, there is another option to consider. Note that there are some trade-offs to consider which we cover later in this article. For shorthand, we'll call this the "MFA PAM Library Symlink" approach. In short, this approach entails creating a symlink from the CSS MFA authentication library to the third-party MFA vendor's UNIX PAM library.
- Section 3 outlines the configuration steps for this approach.
- Section 4 introduces some of the risks and issues associated with this approach.
3 Configuration Steps - Third-party MFA for Centrify Server Suite without CIS
Depending on the OS and version, you can expect to run into issues. I have successfully performed these steps on RHEL 6.1, so I suggest performing this exercise on the same OS version. I discuss some of the issues encountered under the Risks section.
3.1 Steps – on the target UNIX server
- Configure the PingID MFA service and complete the SSH integration steps as described in Ping Identity's PingID Admin Guide (https://documentation.pingidentity.com/pingid/pingidAdminGuide/index.html).
- Verify that PingID MFA on the UNIX OS works as expected.
- Install the CSS 2016.1 agent for RHEL and join the server to the domain and Centrify zone as usual.
- Confirm that an Active Directory user can authenticate.
- Rename/back up the Centrify MFA PAM library files:
- mv /lib64/security/pam_centrifydc_cloud.so /lib64/security/pam_centrifydc_cloud.so.orig
- mv /lib/security/pam_centrifydc_cloud.so /lib/security/pam_centrifydc_cloud.so.orig
- Create a symlink from Centrify's MFA PAM library path to PingID's MFA PAM library:
- ln -s /lib64/security/pam_pingid.so /lib64/security/pam_centrifydc_cloud.so
- CSS Policy Configuration
You can configure CSS policy to trigger an MFA challenge upon initial authentication to the server, when executing specific elevated commands through DZDO, or both.
- Policy setting for MFA authentication to the UNIX server
Configure a Centrify Role with MFA enabled and assign this role to an Active Directory user or group of users.
- Policy setting for MFA authentication when executing a specific privileged command
Configure a Centrify UNIX Right with MFA enabled.
Then assign the right to a Centrify Role, and assign that Centrify Role to an AD user or AD group of users.
- Test MFA Login and privileged command MFA challenge
- Run the adflush command on your UNIX server to clear the cache and pull down the updated CSS policies from Active Directory.
- Attempt to log in to the server with an Active Directory user assigned to the role requiring MFA. The user should see the PingID MFA challenge. Complete the MFA challenge and confirm that the AD user successfully authenticates.
- Next, attempt to run a DZDO command with MFA enabled. The user should see the PingID MFA challenge. Complete the MFA challenge and confirm that the command successfully executes.
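The back-up, symlink, verification and rollback of pam_centrifydc_cloud.so from the steps above, as an added shell example that is not part of the original article or of Centrify's or Ping Identity's tooling: the library directory is passed as a parameter (on the RHEL 6 host it would be /lib64/security) and pam_pingid.so is assumed to be installed there already.

```shell
#!/bin/sh
# Added example, not from the original article: apply, verify and roll back
# the "MFA PAM Library Symlink" step from section 3.1 with sanity checks.
# LIBDIR is a parameter so the functions can be exercised against a scratch
# directory; on the RHEL 6 host in the article it is /lib64/security, and
# pam_pingid.so is assumed to be installed there already.

# swap_mfa_pam LIBDIR: back up pam_centrifydc_cloud.so, then point that
# name at pam_pingid.so so CSS MFA policies load the PingID module.
swap_mfa_pam() {
    centrify="$1/pam_centrifydc_cloud.so"
    pingid="$1/pam_pingid.so"
    # Refuse to continue unless the PingID module is really there; a dangling
    # symlink would fail every PAM stack that references the Centrify module.
    [ -f "$pingid" ] || { echo "missing $pingid" >&2; return 1; }
    # Already swapped: make a re-run a no-op instead of clobbering the .orig.
    if [ -L "$centrify" ]; then
        echo "$centrify already -> $(readlink "$centrify")"
        return 0
    fi
    # Keep the original so the change can be reversed (see section 4).
    if [ -f "$centrify" ]; then
        mv "$centrify" "$centrify.orig"
    fi
    ln -s "$pingid" "$centrify"
}

# restore_mfa_pam LIBDIR: undo swap_mfa_pam by putting the .orig file back.
restore_mfa_pam() {
    centrify="$1/pam_centrifydc_cloud.so"
    [ -f "$centrify.orig" ] || { echo "no backup at $centrify.orig" >&2; return 1; }
    rm -f "$centrify"
    mv "$centrify.orig" "$centrify"
}

# verify_mfa_pam LIBDIR: report what the Centrify MFA module name resolves to,
# the first thing to check when a login or dzdo challenge misbehaves.
verify_mfa_pam() {
    centrify="$1/pam_centrifydc_cloud.so"
    if [ -L "$centrify" ]; then
        echo "symlink -> $(readlink "$centrify")"
    elif [ -f "$centrify" ]; then
        echo "regular file (Centrify's own module)"
    else
        echo "absent"
        return 1
    fi
}
```

On the target host, swap_mfa_pam /lib64/security replaces the mv and ln steps above, and restore_mfa_pam /lib64/security puts the Centrify module back if the login or DZDO challenge fails.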
4 Risks, Issues, Support Considerations
As the previous section illustrates, it is technically possible to integrate third-party MFA providers with Centrify Server Suite without relying on Centrify Identity Service. However, the approach may not always be feasible depending on your situation. There are some important considerations before pursuing this option.
The “MFA PAM Library Symlink” integration approach between Centrify Server Suite and PingID MFA described in this article may not work consistently across operating systems. The supportability question goes beyond aligning the OS versions supported by Centrify Server Suite and PingID MFA.
For example, recently one customer tested the “MFA PAM Library Symlink” approach on RHEL (version 6 & 7) and AIX (version 6 and 7). The customer successfully configured PingID MFA with Centrify Server Suite on RHEL 6 without issues reported thus far.
However, for the other OS versions mentioned above, the “MFA PAM Library Symlink” approach failed. For example, on AIX, shared libraries are proving problematic. On RHEL 7, the customer observed segmentation faults during the MFA authentication challenge. In this situation, the customer and both vendors all need to work together to “untangle” the issue. At the time this article was posted, a solution hadn't yet been found for this specific problem on RHEL 7. I'll update the article after a solution is found.
Section 3 shows that it is possible to directly integrate a third-party MFA PAM module on the same UNIX host as the CSS agent (i.e. the MFA PAM Library Symlink integration). By contrast, section 4 illustrates some important supportability concerns with the MFA PAM Library Symlink integration. With that in mind, the recommended approach for enabling CSS for UNIX with a third-party MFA provider is to: 1) integrate the third-party MFA (either OATH or RADIUS) within Centrify Identity Service; and 2) simply configure CSS MFA policies through Access Manager. Then, whenever a CSS policy requires an MFA challenge, CSS calls Centrify Identity Service, where the third-party MFA is engaged.
The Centrify Identity Service based approach offers some important benefits:
- The third-party MFA integration point for this use case is configured centrally in one place – Centrify Identity Service;
- Integrating the third-party MFA with Centrify Identity Service insulates the third-party MFA from the various idiosyncrasies that exist between OS vendors and even OS versions from the same vendor; and
- By placing the third-party MFA integration point in Centrify Identity Service, the onus for the OS level authentication software falls onto one vendor – Centrify. To that point, no one comes close to Centrify’s R&D team when it comes to: 1) their knowledge of UNIX authentication; and 2) their proven capacity and commitment to delivering security solutions across numerous UNIX flavors.