There is a relatively new feature within the Centrify Identity Platform called ‘Use My Account’, and it was created with smart card users in mind. It allows users to log into a remote Linux machine via SSH using Active Directory credentials that require smart card authentication. These Linux machines can exist internally or externally, so this feature is great for remote Admins who need to access both on-premise and Cloud Linux machines while still maintaining compliance with their security policy requiring all access to be protected by their Active Directory smart card and PIN. The great part about this ‘Use My Account’ feature is that it meets these requirements without a VPN, without the need for another Active Directory machine in the cloud, and without any syncing of the on-premise AD to the cloud. Access is granted to specific Admins using AD Group memberships, allowing for simple RBAC management using familiar AD tools. Additionally, these remote sessions are audited and recorded, and all sessions are available for real-time monitoring and termination by authorized security personnel.
A lot of Public Sector Administrators will find the above requirements familiar, as more and more are building out their hybrid networks with computer resources running in an external cloud, yet they are still required to maintain security compliance by requiring smart card authentication on all machines.
I have a video recording where I present the Centrify ‘Use My Account’ feature and how it solves the above requirements, along with instructions on how it was set up. The overall steps include:
- Prerequisites: A tenant within the Centrify Cloud
- Prerequisites: The Centrify Agent for Linux
- Install the Centrify Agent for Linux, and cloud join it to your tenant
  - Agent Package: From the Admin Portal, click on ‘Downloads’ on the left panel and choose the correct Linux OS
  - Use the ‘cenroll’ command to join your Linux machine to your tenant
- Set up & configure SSH
  - Download the Master SSH key from the Admin Portal of your Centrify tenant
    - Settings – Infrastructure – Security Settings – click on Download ‘Use My Account’ master SSH key
  - Copy this master SSH key to your Linux machines, and modify the sshd.conf file to reference it. A few other SSH variables are needed as well:
    - Online documentation with instructions here, with specifics on modifying the SSHD configuration file here
  - Restart the SSHD service after any changes to the configuration file
- Turn on ‘Use My Account’ and ‘Public Access’ for the Linux machine from the Admin Portal
  - Infrastructure – Systems
    - Settings: Scroll down and check the box for “‘Use My Account’ is configured on this system”
    - Policy: Select Yes for ‘Allow access from a public network’
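The SSH part of the setup above (copy the master key into place, point the SSH daemon's configuration at it, set the other required variables, validate, then restart) is the step most likely to lock an Admin out if a directive is mistyped or duplicated. The following POSIX shell script is an added example, not code from the post or from Centrify: it sets sshd directives idempotently (replacing a commented-out or stale line instead of appending a duplicate), installs the key file with non-writable permissions, and runs `sshd -t` before any restart. It assumes the master key is an SSH CA public key consumed through sshd's `TrustedUserCAKeys` directive and that the key is stored at `/etc/ssh/uma_master_key.pub`; both the directive and the path are assumptions to check against the Centrify documentation linked above, and the sample config it operates on is constructed.

```shell
#!/bin/sh
# Added example (not Centrify's code). Assumption: the 'Use My Account'
# master SSH key is an SSH CA public key that sshd reads via TrustedUserCAKeys.
set -eu

# set_sshd_option FILE KEY VALUE
# Replace the first existing KEY line (commented out or not) with "KEY VALUE",
# drop any further duplicates, or append the line if KEY is absent.
# Running it twice leaves the file unchanged, so it is safe in config management.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        awk -v k="$key" -v v="$value" '
            $0 ~ "^[[:space:]]*#?[[:space:]]*" k "([[:space:]]|$)" {
                if (!done) { print k " " v; done = 1 }   # rewrite first match
                next                                     # discard duplicates
            }
            { print }
        ' "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s %s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_sshd_option FILE KEY
# Print the effective value: sshd uses the first uncommented occurrence.
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# install_ca_key SRC DST
# Copy the downloaded master key into place, readable by sshd but not writable
# by anyone other than the owner (sshd refuses group/world-writable key files).
install_ca_key() {
    cp "$1" "$2"
    chmod 0644 "$2"
}

# apply_config CA_SRC CA_DST SSHD_CONFIG
# The post's SSH steps in order; run as root on the Linux machine.
apply_config() {
    install_ca_key "$1" "$2"
    set_sshd_option "$3" TrustedUserCAKeys "$2"      # assumed directive
    set_sshd_option "$3" PubkeyAuthentication yes
    # Validate the result before restarting so a typo cannot lock you out.
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$3"
        # systemctl restart sshd   # uncomment on the real host
    fi
}

# Example invocation on a real host (paths are assumptions):
# apply_config ./uma_master_key.pub /etc/ssh/uma_master_key.pub /etc/ssh/sshd_config
```

Keep a second SSH session open while you run this: if `sshd -t` reports an error, fix the file before restarting, and only close the spare session once a fresh smart card login through ‘Use My Account’ succeeds.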
The video recording of my presentation, demo and setup of this new feature, showing how it works for remote Linux Admins, is online here.