
How do you integrate Tectia with Centrify?

asked Dec 27 '10 at 18:05

SSH KB ♦


On your Windows Domain Controller Server

If you don't already have one, create a new group on the domain for the accounts that will be authenticating via Centrify.

Install Centrify DirectControl on the Windows domain controller (run setup.exe and answer the questions as a domain admin or administrator)

Run the Centrify DirectControl Configuration Wizard. Answer all questions.

Launch Centrify DirectControl, and Add the appropriate users to the zone you created in step 3.

Preparing the Unix/Linux server

Install Tectia Server if you haven't done so.

Test and make sure you can login using a local account before continuing. If you are having issues, please visit our

The following section applies if your environment is set up in a private network in which the systems are not receiving DNS services from the domain controller.

An example is a VM environment in which the Windows Domain Controller is also a VM as well as the other systems.

Change PEERDNS=yes to PEERDNS=no in the following file. (Red Hat/Fedora): /etc/sysconfig/network-scripts/ifcfg-eth0 (S.u.s.e.: /etc/sysconfig/network/ifcfg-eth-id-XX:XX:XX:XX:XX).

Change your DNS settings. Edit your /etc/resolv.conf file to point to the correct DNS server that your domain controller is on.

If your server hostname is still set to localhost or localhost.localdomain, you will want to set a name you want this computer to be recognized as in the domain. Edit the /etc/sysconfig/network file (HOSTNAME=your-servername)

If your domain controller server isn't set up on the DNS server you will have to add an entry to your hosts file for your domain controller's IP, along with adding the host name you gave in #3 as an alias to your localhost listing.

If you make any network changes above, you will have to execute the following before they take place: service network restart

Installing Centrify Agent and setting domain on the Unix/Linux server

Run the install.sh script (Located in same place where the agent packages are.) ./install.sh

You will need

The Active Directory domain

The Active Directory authorized user (Or administrator)

The password for that user

The name you want this computer to be recognized as in the domain

Zone name

Enable password authentication using PAM in SSH Tectia Configuration

To configure Linux/Unix password authentication you have to configure PAM. Use the keyboard-interactive authentication method when connecting to the Tectia Server. Add or adjust the "auth-keyboard-interactive" setting in the ssh-server-config.xml file. If all you have is the ssh-server-config-default.xml file, you should copy it and rename the copied file to ssh-server-config.xml.

<submethod-pam dll-path="/lib/security/pam_centrifydc.so" />

Add the following to the /etc/pam.d/ssh-server-g3 (on Red Hat) Note: If the file doesn't exist, create it.

auth            required        /lib/security/pam_centrifydc.so
account         required        /lib/security/pam_centrifydc.so
password        required        /lib/security/pam_centrifydc.so
session         required        /lib/security/pam_centrifydc.so

Note: On AIX 5.3 you don't need to use PAM or keyboard-interactive. Just use basic password authentication.


answered Dec 27 '10 at 20:38

renaes ♦

Sorry to touch an old answer... The above did not work for me on SUSE 12 and Tectia 6.4.10. This what worked for me...

in /etc/pam.d create new file called ssh-server-g3 with the following contents: (same as the original answer except I'm using lib64)

auth            required        /lib64/security/pam_centrifydc.so
account         required        /lib64/security/pam_centrifydc.so
password        required        /lib64/security/pam_centrifydc.so
session         required        /lib64/security/pam_centrifydc.so

in /etc/ssh2/ssh-server-config.xml (differs from the original answer in that I'm not declaring a path in submethod-pam)

<authentication name="cheap-two-factor-auth" action="allow" password-cache="no">
    <auth-publickey require-dns-match="no" authorized-keys-directory="%D/.ssh2/authorized_keys" />
    <authentication name="domain-auth" action="allow">
        <auth-keyboard-interactive>
            <submethod-pam />
        </auth-keyboard-interactive>
    </authentication>
</authentication>

The above block is a cheap two factor auth... needing ssh keys and a domain pass before successful authentication.


answered Jul 11 '15 at 06:55

Matt

edited Jul 11 '15 at 06:56
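A pre-flight check for the setup described in both answers, added here as an example (it is not code from the Q&A, from SSH Tectia or from Centrify). It parses an ssh-server-config.xml fragment to list the factors a client must pass along the nested authentication chain (the "cheap two factor" structure from the second answer), resolves where pam_centrifydc.so is expected (the dll-path attribute from the first answer, or a lib64/lib search when the path is omitted as in the second), and verifies that the /etc/pam.d/ssh-server-g3 stack routes all four management groups to that module. The XML samples are constructed from the answers; the staging tree, the root_dir parameter and the function names are this example's own.

```python
"""Pre-flight check for the Tectia + Centrify PAM setup described above.
Added example, not code from the Q&A, SSH Tectia or Centrify: it parses an
ssh-server-config.xml fragment, lists the factors a client must pass along
the nested <authentication> chain, and checks that pam_centrifydc.so and the
/etc/pam.d/ssh-server-g3 stack are where the answers expect them."""
import os
import tempfile
import xml.etree.ElementTree as ET

PAM_MODULE = "pam_centrifydc.so"
# lib64 (SUSE 12 / Tectia 6.4.10 answer) is tried before lib (original answer)
MODULE_DIRS = ("/lib64/security", "/lib/security")
MGMT_GROUPS = ("auth", "account", "password", "session")

# Constructed samples: the nested block from the second answer, and the
# declared-path variant from the first (both wrapped in a parent element).
NESTED_CONFIG = """<authentication-methods>
  <authentication name="cheap-two-factor-auth" action="allow" password-cache="no">
    <auth-publickey require-dns-match="no" authorized-keys-directory="%D/.ssh2/authorized_keys" />
    <authentication name="domain-auth" action="allow">
      <auth-keyboard-interactive>
        <submethod-pam />
      </auth-keyboard-interactive>
    </authentication>
  </authentication>
</authentication-methods>"""

DECLARED_PATH_CONFIG = """<authentication-methods>
  <authentication name="domain-auth" action="allow">
    <auth-keyboard-interactive>
      <submethod-pam dll-path="/lib/security/pam_centrifydc.so" />
    </auth-keyboard-interactive>
  </authentication>
</authentication-methods>"""


def auth_chain(xml_text):
    """Factors along the nested <authentication> chain, outermost first.
    Each level must succeed before the next is offered, so
    ['publickey', 'keyboard-interactive/pam'] means key AND domain password."""
    node = ET.fromstring(xml_text).find("authentication")
    chain = []
    while node is not None:
        for child in node:
            if child.tag == "auth-publickey":
                chain.append("publickey")
            elif child.tag == "auth-password":
                chain.append("password")
            elif child.tag == "auth-keyboard-interactive":
                subs = [s.tag.replace("submethod-", "", 1) for s in child]
                chain.append("keyboard-interactive/" + "+".join(subs))
        node = node.find("authentication")
    return chain


def pam_module_path(xml_text, root_dir="/"):
    """Where the config expects pam_centrifydc.so: the dll-path attribute when
    declared, otherwise the first MODULE_DIRS entry holding the module.
    root_dir (hypothetical) lets the check run against a staging tree."""
    pam = ET.fromstring(xml_text).find(".//submethod-pam")
    if pam is None:
        return None
    declared = pam.get("dll-path")
    candidates = [declared] if declared else [
        os.path.join(d, PAM_MODULE) for d in MODULE_DIRS]
    for cand in candidates:
        full = os.path.join(root_dir, cand.lstrip("/"))
        if os.path.isfile(full):
            return full
    return None


def pam_stack(lib_dir):
    """Render the four-line ssh-server-g3 stack for the given module dir."""
    module = os.path.join(lib_dir, PAM_MODULE)
    return "".join(f"{grp:<16}required        {module}\n" for grp in MGMT_GROUPS)


def check_pam_file(path, lib_dir):
    """True when every management group routes to pam_centrifydc.so in lib_dir."""
    module = os.path.join(lib_dir, PAM_MODULE)
    seen = set()
    with open(path) as fh:
        for line in fh:
            parts = line.split()
            if len(parts) >= 3 and not parts[0].startswith("#") and parts[2] == module:
                seen.add(parts[0])
    return set(MGMT_GROUPS) <= seen


def demo():
    """Build a throwaway staging tree with the module under lib64 only, then
    run every check and return the results."""
    root = tempfile.mkdtemp(prefix="tectia-centrify-")
    os.makedirs(os.path.join(root, "lib64", "security"))
    open(os.path.join(root, "lib64", "security", PAM_MODULE), "w").close()
    pam_file = os.path.join(root, "ssh-server-g3")
    with open(pam_file, "w") as fh:
        fh.write(pam_stack("/lib64/security"))
    return {
        "chain": auth_chain(NESTED_CONFIG),
        "module": pam_module_path(NESTED_CONFIG, root),           # found under lib64
        "declared": pam_module_path(DECLARED_PATH_CONFIG, root),  # /lib/security absent here
        "pam_ok": check_pam_file(pam_file, "/lib64/security"),
        "pam_wrong_dir": check_pam_file(pam_file, "/lib/security"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against a real host with `root_dir="/"` and the live /etc/pam.d/ssh-server-g3; the staging tree in `demo()` only exists so the checks can be exercised offline. The `declared` result is the case to watch for after a lib64 move: a dll-path that still names /lib/security fails the file check even though the module is installed.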

Asked: Dec 27 '10 at 18:05

Seen: 5,089 times

Last updated: Jul 11 '15 at 06:56

All user contributed content licensed under the cc-by-sa license.
Powered by OSQA.