How do you integrate Tectia with Centrify?
asked Dec 27 '10 at 18:05
SSH KB ♦
On your Windows Domain Controller Server
1. If you don't already have one, create a new group on the domain for the accounts that will be authenticating via Centrify.
2. Install Centrify DirectControl on the Windows domain controller (run setup.exe and answer the questions as a domain admin or administrator).
3. Run the Centrify DirectControl Configuration Wizard. Answer all questions.
4. Launch Centrify DirectControl, and add the appropriate users to the zone you created in step 3.
Preparing the Unix/Linux server
Install Tectia Server if you haven't done so.
Test and make sure you can login using a local account before continuing. If you are having issues, please visit our
The following section applies if your environment is set up in a private network in which the systems are not receiving DNS services from the domain controller.
An example is a VM environment in which the Windows Domain Controller is also a VM as well as the other systems.
1. Change PEERDNS=yes to PEERDNS=no in the following file. (Red Hat/Fedora): /etc/sysconfig/network-scripts/ifcfg-eth0 (SUSE: /etc/sysconfig/network/ifcfg-eth-id-XX:XX:XX:XX:XX:XX).
2. Change your DNS settings. Edit your /etc/resolv.conf file to point to the correct DNS server that your domain controller is on.
3. If your server hostname is still set to localhost or localhost.localdomain, you will want to set a name you want this computer to be recognized as in the domain. Edit the /etc/sysconfig/network file (HOSTNAME=your-servername).
4. If your domain controller server isn't set up on the DNS server, you will have to add an entry to your hosts file for your domain controller's IP, along with adding the host name you gave in #3 as an alias to your localhost listing.
If you make any network changes above, you will have to execute the following before they take place: service network restart
Installing Centrify Agent and setting domain on the Unix/Linux server
Run the install.sh script (Located in same place where the agent packages are.) ./install.sh
You will need
The Active Directory domain
The Active Directory authorized user (Or administrator)
The password for that user
The name you want this computer to be recognized as in the domain
Enable password authentication using PAM in SSH Tectia Configuration
To configure Linux/Unix password authentication you have to configure PAM. Use the keyboard-interactive authentication method when connecting to the Tectia Server. Add or adjust the "auth-keyboard-interactive" setting in the ssh-server-config.xml file. If all you have is the ssh-server-config-default.xml file, you should copy it and rename the copied file to ssh-server-config.xml.
Add the following to the /etc/pam.d/ssh-server-g3 (on Red Hat) Note: If the file doesn't exist, create it.
auth     required /lib/security/pam_centrifydc.so
account  required /lib/security/pam_centrifydc.so
password required /lib/security/pam_centrifydc.so
session  required /lib/security/pam_centrifydc.so
Note: On AIX 5.3 you don't need to use PAM or keyboard-interactive. Just use basic password authentication.
answered Dec 27 '10 at 20:38
Sorry to touch an old answer... The above did not work for me on SUSE 12 and Tectia 6.4.10. This is what worked for me...
in /etc/pam.d create new file called ssh-server-g3 with the following contents: (same as the original answer except I'm using lib64)
in /etc/ssh2/ssh-server-config.xml (differs from the original answer in that I'm not declaring a path in submethod-pam)
The above block is a cheap two-factor auth... needing ssh keys and a domain pass before successful authentication.
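As an added example (not part of either post above, and not Tectia's or Centrify's own documentation), this is what the authentication section of ssh-server-config.xml looks like when public-key authentication is chained with Centrify-backed keyboard-interactive the way the follow-up comment describes. The DTD path and attribute names are as I recall them from the Tectia 6.x configuration schema, so check them against the DTD shipped in /etc/ssh2 on your host.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE secsh-server SYSTEM "/etc/ssh2/ssh-server-ng-config-1.dtd">
<secsh-server>
  <!-- Only the authentication section is shown; keep the rest of your
       ssh-server-config.xml as it already is. -->
  <authentication-methods>

    <!-- Outer step: the client must present an authorized public key.
         Authentication does not succeed here on its own; the nested block
         must also pass, which is the "keys AND domain password" chain the
         follow-up comment describes. -->
    <authentication action="allow" name="key-then-domain-password">
      <auth-publickey />

      <!-- Inner step: keyboard-interactive delegated to PAM. service-name
           must match the file name under /etc/pam.d (ssh-server-g3), or
           PAM falls back to its default "other" stack and pam_centrifydc.so
           is never consulted. No dll-path is given, so the server loads the
           system libpam itself (the point the SUSE comment makes). -->
      <authentication action="allow">
        <auth-keyboard-interactive max-tries="3" failure-delay="2">
          <submethod-pam service-name="ssh-server-g3" />
        </auth-keyboard-interactive>
      </authentication>
    </authentication>

    <!-- No <auth-password /> is declared anywhere, so plain password
         authentication is not offered and the domain password is only
         ever checked through the Centrify PAM stack. -->
  </authentication-methods>
</secsh-server>
```

Pair it with /etc/pam.d/ssh-server-g3 containing the four pam_centrifydc.so lines from the answer (under /lib64/security on 64-bit SUSE, as the comment notes), and verify the new login path from a second session before closing the one you edited in.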