Authenticating with a Single-Use SSH Certificate

In some environments, it is useful to be able to log on to selected computers using authentication that doesn’t require a password. The Use My Account feature allows you to enable secure shell sessions that do not require a password for the following Server Suite-managed computers:

  • Computers joined to an Active Directory domain using the Server Suite Agent for *NIX or Server Suite Agent for Windows.
  • Computers registered in the Privileged Access Service using the Cloud Client for Linux or Cloud Client for Windows.

For example, if you use a smart card to authenticate your identity, authentication relies on a public/private key pair and a certificate rather than on a password or personal identification number. Use My Account works on the same principle: the Privileged Access Service signs a single-use SSH certificate for your session with the tenant's SSH certificate authority key, and the target system accepts that certificate because its SSH daemon trusts the authority's public key (the SSH master key file installed in the steps below) instead of checking a password.

This feature is supported for PAS web-based SSH client sessions and when you access a target system with a native SSH client.

The following is an overview of the steps required to enable Use My Account using the PAS browser-based secure shell client (detailed instructions are provided in subsequent sections):

  1. Verify the computers you want to access remotely meet basic system requirements. For details, see Prerequisites for Use My Account.
  2. Determine which SSH daemon version is running on the target system. For details, see Confirming the SSHD version.
  3. Download the SSH master key file, which is the public key of the tenant's SSH certificate authority and must be installed on each target system you want to access. For details, see Downloading the SSH Master Key File.
  4. Update the system settings in the Admin Portal to identify the computers you have configured to use the SSH master key and existing accounts. For details, see Updating System Settings to Allow Use My Account.
  5. Modify the sshd_config file on each target system. For details, see Modifying the SSHD configuration file for the Cloud Client.

Prerequisites for Use My Account

To use the Use My Account feature, your environment must meet the following minimum requirements:

  • Privileged Access Service 18.3 or later

  • Delinea-compiled or standard/native OpenSSH version 7.4 or later

  • The Cloud Client for Linux version 18.3 or later

  • Brokered authentication components from release 2018 or later

    You cannot use the feature to log on with a federated user account.

Confirming the SSHD version

Perform the following procedure to determine which of these SSHD versions your system is using:

  • Standard OpenSSH (used with Cloud Client and Server Suite Agent configurations)
  • Delinea-compiled OpenSSH (used with Server Suite Agent configurations only)

To confirm the SSHD version you are using:

  1. Access the target UNIX system where you intend to download the SSH master key file.

  2. Run the following command to determine which SSH daemon is running (the standard OpenSSH or Delinea-compiled version):

    ps -ef | grep sshd

  3. Note which SSH daemon is running (ignore the grep sshd process that the command lists for itself):

    If the daemon path shown is /usr/sbin/sshd, you are running the standard OpenSSH version.

    If the daemon path shown is /usr/share/centrifydc/sbin/sshd, you are running the Delinea-compiled version.

  4. Next you need to download the SSH master key file. For details, see Downloading the SSH Master Key File.

Downloading the SSH Master Key File

Download the SSH master key file onto each target system you want to access. The SSH master key file holds the public key of the tenant's SSH certificate authority, so it is not secret and can be downloaded from the Admin Portal or from a UNIX command line. It does, however, control who can log on: once it is listed in TrustedUserCAKeys, sshd accepts any certificate signed by the corresponding private key. Keep the installed file owned by root and writable only by root, and check that what you downloaded is a single OpenSSH public-key line rather than an error page (ssh-keygen -lf <file> prints its fingerprint, which you can compare between the two download methods).

To download the SSH master key file from the Admin Portal:

The file must end up on the target system: either perform these steps from a browser on the target system, or copy the downloaded file there before step 6.

  1. In the Admin Portal, click Settings, then click Resources to display the settings available for Privileged Access Service.

  2. Click Security Settings.

  3. Click Download ‘Use My Account’ master SSH key.


  4. Click the link to download the file, then click OK.

  5. Rename the ca.pub file you just downloaded to centrify_tenant_ca.pub.

  6. Save the SSH master key file you just downloaded to one of the following locations depending on your SSHD version:

    • For the standard OpenSSH version, save the SSH master key file to:
      /etc/ssh/centrify_tenant_ca.pub
    • For the Delinea-compiled OpenSSH version, save the SSH master key file to:
      /etc/centrifydc/ssh/centrify_tenant_ca.pub
  7. Now that you have downloaded and saved the SSH master key file, update the system settings to allow Use My Account. For details, see Updating System Settings to Allow Use My Account.

To download the SSH master key file from a UNIX command line:

  1. Run a curl (or wget) command as root to download the SSH master key file directly to its installation path. Adding -f to curl makes an HTTP error (for example, a sign-in page returned instead of the key) fail the download rather than being written to the file.

    • If you are running the standard OpenSSH package enter:

      curl -o /etc/ssh/centrify_tenant_ca.pub https://<customer tenant URL>/servermanage/getmastersshkey

      For example, if the customer-specific tenant URL is abc1234.my.centrify.net:

      curl -o /etc/ssh/centrify_tenant_ca.pub https://abc1234.my.centrify.net/servermanage/getmastersshkey

    • If you are running the Delinea-compiled OpenSSH package enter:

      curl -o /etc/centrifydc/ssh/centrify_tenant_ca.pub https://<customer tenant URL>/servermanage/getmastersshkey

      For example, if the customer-specific tenant URL is abc1234.my.centrify.net:

      curl -o /etc/centrifydc/ssh/centrify_tenant_ca.pub https://abc1234.my.centrify.net/servermanage/getmastersshkey

  2. Confirm that the file was written to the location that matches your SSHD version and that it contains a single public-key line:

    • For the standard OpenSSH version:
      /etc/ssh/centrify_tenant_ca.pub
    • For the Delinea-compiled OpenSSH version:
      /etc/centrifydc/ssh/centrify_tenant_ca.pub
  3. Now that you have downloaded the SSH master key file, update the system settings to allow Use My Account. For details, see Updating System Settings to Allow Use My Account.
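
The steps in Confirming the SSHD version and Downloading the SSH Master Key File, as one added shell example (not part of the Delinea documentation): it detects the running daemon, derives the matching install path for the key, fetches the key with curl and refuses to install anything that is not a single OpenSSH public-key line. The daemon paths, install locations and the /servermanage/getmastersshkey URL come from the page; the function names, the sample ps output in the comments and the constructed key line used in the checks are assumptions made for this example, and the ps and install invocations assume a Linux host.

```sh
#!/bin/sh
# Added example, not part of the Delinea documentation. Assumes a Linux host
# (ps -eo args=, install) and the paths/URL given on the page; the function
# names are made up for this example.

# Print the path of the first sshd executable seen in `ps -eo args=` output
# read from stdin. Matching on a field that ends in "/sshd" skips the
# "grep sshd" process that a plain `ps -ef | grep sshd` also lists.
sshd_path_from_ps() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\/.*\/sshd$/) { print $i; exit } }'
}

# Map the daemon path to the two flavours named on this page.
sshd_flavor() {
    case "$1" in
        /usr/sbin/sshd)                  echo standard ;;
        /usr/share/centrifydc/sbin/sshd) echo delinea ;;
        *) echo "unrecognised sshd path: $1" >&2; return 1 ;;
    esac
}

# Where the key file must live for each flavour (from the page).
ca_key_path() {
    case "$1" in
        standard) echo /etc/ssh/centrify_tenant_ca.pub ;;
        delinea)  echo /etc/centrifydc/ssh/centrify_tenant_ca.pub ;;
        *) return 1 ;;
    esac
}

# True if FILE is exactly one OpenSSH public-key line. sshd trusts every
# certificate signed by the key in TrustedUserCAKeys, so an HTML error page
# or an empty file must never be installed there by mistake.
looks_like_ssh_pubkey() {
    [ "$(grep -c '' "$1")" -eq 1 ] || return 1
    grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' "$1"
}

# install_tenant_ca TENANT_HOST [FLAVOR]   (run as root)
# e.g. install_tenant_ca abc1234.my.centrify.net
install_tenant_ca() {
    tenant=$1
    if [ -n "${2:-}" ]; then flavor=$2
    else flavor=$(sshd_flavor "$(ps -eo args= | sshd_path_from_ps)")
    fi
    dest=$(ca_key_path "$flavor") || { echo "cannot determine sshd flavour" >&2; return 1; }
    tmp=$(mktemp) || return 1
    # -f: an HTTP error (e.g. a sign-in page) fails the download instead of
    # being written to the file; TLS certificate verification stays on.
    if ! curl -fsS -o "$tmp" "https://$tenant/servermanage/getmastersshkey"; then
        rm -f "$tmp"; return 1
    fi
    if ! looks_like_ssh_pubkey "$tmp"; then
        echo "downloaded file is not a single SSH public key, not installing" >&2
        rm -f "$tmp"; return 1
    fi
    # Root-owned and writable only by root: whoever can write this file can
    # make sshd trust a certificate authority of their own.
    install -o root -g root -m 0644 "$tmp" "$dest" && rm -f "$tmp" || return 1
    # Print the fingerprint so it can be compared with a copy obtained
    # through the Admin Portal.
    command -v ssh-keygen >/dev/null 2>&1 && ssh-keygen -lf "$dest"
    return 0
}
```

The flavour argument is optional so the same function can be scripted on a host where ps output is unusual; the check functions are separate so they can be run by hand on a file that was downloaded through the Admin Portal.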

Updating System Settings to Allow Use My Account

After downloading the SSH master key file, you can modify the system settings to allow any user with view permissions and an account on that system to log on.

To enable Use My Account

  1. In the Admin Portal, click Resources, then click Systems to display the list of computers and network devices.

  2. Select a system to display system-specific details.

  3. Select Settings and then select Use My Account to enable secure shell sessions without a password.


    Once the Use My Account option is enabled for a system, the action is visible to all users even if they don’t have an account available. If users without an account select the action, however, the logon attempt will fail with an error message.

    When logging on as an Active Directory user to an Active Directory-joined computer, a dialog box prompts you for the user name to log on as.

  4. Next, modify the SSHD configuration file on the target system. Follow whichever of the two procedures below applies to your configuration.

Modifying the SSHD configuration file for the Cloud Client

If a computer is registered in the Privileged Access Service using the Cloud Client, do the following:

  1. Open the sshd_config file in an editor, for example:

    vi /etc/ssh/sshd_config

  2. Locate or add these directives in the file (sshd uses the first occurrence of a directive, so make sure no earlier line sets one of them to a different value):

    TrustedUserCAKeys /etc/ssh/centrify_tenant_ca.pub

    ChallengeResponseAuthentication yes

    UsePAM yes

    On more recent operating systems shipping OpenSSH 8.7 or later, the ChallengeResponseAuthentication directive has been renamed KbdInteractiveAuthentication; use that name instead (on those versions the old name is still accepted as an alias).

  3. Restart the sshd program after updating the configuration for the changes to take effect. Run sshd -t first: it parses the configuration and reports errors without restarting, so a typo cannot leave you locked out of the system.

    The Cloud Client uses the standard OpenSSH daemon, so as root run one of the following (on Debian-based systems the service is named ssh rather than sshd):

    • systemctl restart sshd

    • service sshd restart

    If the target instead runs the Delinea-compiled daemon, restart that one:

    • systemctl restart centrify-sshd

    • service centrify-sshd restart

Modifying the SSHD Configuration File for the Server Suite Agent

If a computer is joined to an Active Directory domain using the Server Suite Agent, add lines similar to the ones in this procedure to the sshd_config file. They name the downloaded SSH master key file and tell sshd how to decide which certificate principals may log on as a given account: sshd runs the AuthorizedPrincipalsCommand as the AuthorizedPrincipalsCommandUser with %u replaced by the account name, and accepts the certificate only if one of its principals appears (one per line) in the command's output.

  1. Locate the sshd_config file based on the following:

    • If you are using standard OpenSSH, use the following file: /etc/ssh/sshd_config
    • If you are using Delinea-compiled OpenSSH, use the following file: /etc/centrifydc/ssh/sshd_config
  2. Determine the computer type and then add the lines for that type to the sshd_config file:

    • Standard computers:

      TrustedUserCAKeys /etc/ssh/centrify_tenant_ca.pub
      AuthorizedPrincipalsCommandUser root
      AuthorizedPrincipalsCommand /usr/bin/adquery user -P %u

    • CoreOS computers:

      AuthorizedPrincipalsCommand /usr/bin/adquery user -P %u

    Point TrustedUserCAKeys at the location where you saved the key file; for the Delinea-compiled daemon that is /etc/centrifydc/ssh/centrify_tenant_ca.pub.

  3. Check the file with sshd -t (using the daemon binary and configuration path for your version), then restart the sshd program for the changes to take effect.

    For example, as root you might run one of the following commands to restart the Delinea-compiled daemon:

    • systemctl restart centrify-sshd
    • service centrify-sshd restart

    For the standard OpenSSH daemon, restart sshd instead (systemctl restart sshd or service sshd restart).
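
The sshd_config edits from both procedures above (Cloud Client and Server Suite Agent), as one added shell example that is not part of the Delinea documentation: it sets each directive exactly once, replacing a commented-out or conflicting earlier copy instead of appending a duplicate that sshd would ignore, chooses ChallengeResponseAuthentication or KbdInteractiveAuthentication from the installed OpenSSH version, and asks sshd to validate the file before any restart. Directive names and values come from the page and the OpenSSH 8.7 rename from the OpenSSH release notes; the function names, the cloud/agent mode switch and the sample configuration in the checks are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of the Delinea documentation. Function names and
# the cloud/agent mode are made up here; directives are the ones on the page.

# set_directive FILE KEY VALUE [ALIAS]
# sshd honours the first occurrence of a directive, so this replaces the
# first line that sets KEY (or its ALIAS), even if that line is commented
# out, drops any later duplicates, and appends the directive if absent.
# The file is rewritten in place so its owner and mode are preserved.
set_directive() {
    file=$1 key=$2 value=$3 alias=${4:-}
    awk -v k="$key" -v v="$value" -v a="$alias" '
        {
            line = $0
            sub(/^[ \t#]*/, "", line)             # ignore indent and "#"
            split(line, f, /[ \t=]+/)
            name = tolower(f[1])
            if (name == tolower(k) || (a != "" && name == tolower(a))) {
                if (!done) { print k " " v; done = 1 }
                next
            }
            print
        }
        END { if (!done) print k " " v }
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file"
    rc=$?; rm -f "$file.tmp"; return $rc
}

# kbd_directive "OpenSSH_8.9p1 ..."   (pass the output of `ssh -V 2>&1`)
# OpenSSH 8.7 renamed ChallengeResponseAuthentication to
# KbdInteractiveAuthentication and kept the old name as an alias; older
# daemons only know the old name.
kbd_directive() {
    set -- $(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    if [ -n "${1:-}" ] && { [ "$1" -gt 8 ] || { [ "$1" -eq 8 ] && [ "$2" -ge 7 ]; }; }; then
        echo KbdInteractiveAuthentication
    else
        echo ChallengeResponseAuthentication
    fi
}

# enable_use_my_account FILE CA_PUB MODE VERSION   (run as root)
#   MODE  cloud : Cloud Client host, standard OpenSSH
#         agent : Server Suite Agent host, principals resolved via adquery
# e.g. enable_use_my_account /etc/ssh/sshd_config /etc/ssh/centrify_tenant_ca.pub cloud "$(ssh -V 2>&1)"
enable_use_my_account() {
    file=$1 ca=$2 mode=$3 version=$4
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    set_directive "$file" TrustedUserCAKeys "$ca" || return 1
    case "$mode" in
        cloud)
            kbd=$(kbd_directive "$version")
            if [ "$kbd" = KbdInteractiveAuthentication ]; then
                # On 8.7+ the old name is an alias, so an earlier
                # "ChallengeResponseAuthentication no" would win: replace it.
                set_directive "$file" "$kbd" yes ChallengeResponseAuthentication
            else
                set_directive "$file" "$kbd" yes
            fi
            set_directive "$file" UsePAM yes ;;
        agent)
            set_directive "$file" AuthorizedPrincipalsCommandUser root
            set_directive "$file" AuthorizedPrincipalsCommand "/usr/bin/adquery user -P %u" ;;
        *) echo "mode must be cloud or agent" >&2; return 1 ;;
    esac
    # sshd -t parses the file and fails on unknown or malformed directives;
    # run it before restarting so a typo cannot lock you out of the host.
    if command -v sshd >/dev/null 2>&1; then sshd -t -f "$file"; fi
}
```

set_directive does not understand Match blocks: if your sshd_config contains them, confirm by hand that the replaced line was not inside one, since a directive there applies only to the matched connections. For the Delinea-compiled daemon pass /etc/centrifydc/ssh/sshd_config and the corresponding key path, and run the validation with that daemon's binary.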

Logging on with an expired password

If you want to allow users to log on to Delinea-managed computers even if their password has expired in Active Directory, there are additional configuration steps you must perform.

  • On each Delinea-managed computer where you want to support the Use My Account feature, open the centrifydc.conf file (/etc/centrifydc/centrifydc.conf) and verify the following parameter is set to true or is not set (the default is true):

    pam.allow.password.expired.access: true

  • Then edit the appropriate PAM files for the system type:

    Red Hat Linux computers (system-auth)
    - Open the /etc/pam.d/system-auth file.
    - On the auth line for pam_centrifydc.so, add deny_pwexp.
    - On the account line for pam_centrifydc.so, add skip_pwexp_check.
    For example:
    auth sufficient pam_centrifydc.so deny_pwexp ...
    account sufficient pam_centrifydc.so skip_pwexp_check

    SuSE Linux computers (common-auth and common-account)
    - Open the /etc/pam.d/common-auth file and add deny_pwexp to the auth line for pam_centrifydc.so.
    - Open the /etc/pam.d/common-account file and add skip_pwexp_check to the account line for pam_centrifydc.so.

    Solaris, HP-UX, and AIX with standard SSHD (pam.conf)
    - Open the /etc/pam.conf file.
    - Edit the auth and account lines for the ssh service in the same way.
    For example:
    ssh auth sufficient pam_centrifydc deny_pwexp
    ...
    ssh account sufficient pam_centrifydc skip_pwexp_check

Changes to the auth and account settings in these files affect all login-related services that include them, not only SSH, so review the effect on the other services before applying them.
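
The PAM edits above, as an added shell example that is not part of the Delinea documentation: it appends a pam_centrifydc module option (deny_pwexp on the auth line, skip_pwexp_check on the account line) exactly once, leaves an already-configured file untouched, and reports whether a file carries the option so the change can be verified. Both layouts on this page are handled, the /etc/pam.d form (type control module options) and the /etc/pam.conf form used on Solaris, HP-UX and AIX (service type control module options), by locating the pam_centrifydc field and reading the management type two fields before it. The option and module names come from the page; the function names and the sample files in the checks are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of the Delinea documentation. Function names are
# made up here; option and module names are the ones on the page.

# pam_has_option FILE TYPE OPTION
# True if the first uncommented TYPE line that calls pam_centrifydc lists OPTION.
pam_has_option() {
    awk -v t="$2" -v o="$3" '
        /^[ \t]*#/ { next }
        {
            m = 0
            for (i = 1; i <= NF; i++) if ($i ~ /^(.*\/)?pam_centrifydc(\.so.*)?$/) { m = i; break }
            if (m < 3 || $(m - 2) != t) next      # not a pam_centrifydc line of this type
            for (i = m + 1; i <= NF; i++) if ($i == o) found = 1
            exit
        }
        END { exit !found }
    ' "$1"
}

# pam_add_option FILE TYPE OPTION
# Append OPTION to the first uncommented TYPE line that calls pam_centrifydc
# if it is missing; leave the file untouched otherwise. Returns 2 when no
# such line exists, so the caller knows the pam_centrifydc entry itself has
# to be added first rather than silently getting an option on nothing.
pam_add_option() {
    awk -v t="$2" -v o="$3" '
        !done && $0 !~ /^[ \t]*#/ {
            m = 0
            for (i = 1; i <= NF; i++) if ($i ~ /^(.*\/)?pam_centrifydc(\.so.*)?$/) { m = i; break }
            if (m >= 3 && $(m - 2) == t) {
                has = 0
                for (i = m + 1; i <= NF; i++) if ($i == o) has = 1
                if (!has) $0 = $0 " " o
                done = 1
            }
        }
        { print }
        END { if (!done) exit 2 }
    ' "$1" > "$1.tmp" && cat "$1.tmp" > "$1"     # rewrite in place, keep mode
    rc=$?; rm -f "$1.tmp"; return $rc
}

# Usage on a Red Hat system (as root):
#   pam_add_option /etc/pam.d/system-auth auth deny_pwexp
#   pam_add_option /etc/pam.d/system-auth account skip_pwexp_check
#   pam_has_option /etc/pam.d/system-auth auth deny_pwexp && echo configured
```

Because system-auth, common-auth and pam.conf are shared by every service that includes them, run pam_has_option on the file before and after the change and keep a copy of the original so the edit can be reverted if another login service misbehaves.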