PuTTY prompt for PIN

Participant II
Posts: 8
Registered: ‎04-29-2015
#1 of 7 5,775

PuTTY prompt for PIN

I was wondering if it were possible to prompt a user for their SmartCard PIN instead of just performing an SSO login, or does the PIN only apply to GUI-based logins?

 

Is this possible using PuTTY?

 

Thanks.

Centrify Guru I
Posts: 2,430
Registered: ‎07-26-2012
#2 of 7 5,757

Re: PuTTY prompt for PIN

[ Edited ]

Bosonic,

 

This is possible today on interactive logins of RHEL or Mac OS X workstations.

We've provided this capability for those platforms for years.

 

I'm a bit puzzled as to why you may want to do this for PuTTY sessions (I would like to know your basic security requirement, not the implementation). Let's look at the normal sequence of a smart card user:

 

  • PuTTY is a Windows program
  • In order to open PuTTY in the first place, in a SmartCard setting, you have to type in:
    • Your AD Username (something you know)
    • Your SmartCard pin (something you have + another secret)
  • If you were to walk away from your station (you'd take your smartcard with you) or if the screen saver times out, you have to go over the sequence again.

 

If you were to ask for the PIN again for PuTTY access, I think it may be received as an annoyance, given that with the sequence above you're showing enough due diligence.

 

HOWEVER - You have additional options. 

 

Change the Authentication Pattern

With any version of Centrify, you can change the pattern based on the role and the criteria can be:

  • The time they're doing it
  • The collection of systems affected.

You can disable the "Password login and non-password login are allowed" checkbox. What this effectively will do is only allow the user to log in as long as they have a valid TGT, which they can only get if they sign in with their smart card. If their TGT expires, they'll have to reauth with AD and the PIN will be requested of them again.

 

With Centrify Suite 2016

You can ask for an additional factor like

  • token or centrify mobile authenticator
  • phone call (phone factor)
  • SMS
  • E-mail
  • User-defined question

As long as you enable our Identity Service to work with your Centrify zones, you have additional factors that you can enforce as well. This will work for interactive or SSH sessions with any client.

[Screenshot: Access Manager - role mfa with auth prof.png]

 

Maybe my Federal counterparts can chime-in to see if they've seen this requirement or configuration.

 

R.P


Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Participant II
Posts: 8
Registered: ‎04-29-2015
#3 of 7 5,734

Re: PuTTY prompt for PIN

Hi Robertson,

 

Thank you for the insight.

 

We have requirements that state that "the system must be configured to require the use of CAC, PIV compliant hardware tokens, or Alternate Logon Token (ALT) for authentication." So, if a policy can be enabled that requires the user to enter their smartcard PIN, that would satisfy the requirement. Plus, we already enforce this behavior on the Windows side of the house when using remote desktop, so enabling this on the Linux side will provide a level of consistency that the user-base will recognize as standard access protocol.

 

BTW, traditional two-factor authentication will not work in this environment due to other requirements (physical and technical).

 

Bosonic

Centrify
Posts: 6
Registered: ‎07-10-2011
#4 of 7 5,731

Re: PuTTY prompt for PIN

Bosonic,

 

Are you with a government, either state or federal? If so, there are some other options for using CAC/PIV cards for CSS and CIS, which are not generally seen in our commercial accounts. I am John Kimberly, the Sr. SE for State Government. If you can provide some more detail about your specific use case, there may be some additional information I can provide. I have been working with NASA and the US Dept of Treasury on this very subject, but your use case specifics would be helpful.

 

John

Participant II
Posts: 8
Registered: ‎04-29-2015
#5 of 7 5,724

Re: PuTTY prompt for PIN

Navy base support so DISA requirements apply.

 

The use case is pretty simple.

 

1. Log into a Windows 7 workstation using smartcard.

2. Launch PuTTY.

3. Select Linux server to log into.

4. Prompt the user to select card reader and enter PIN.

5. Complete login process.

 

This process is identical to what we are doing with Windows at the moment except we use RDP for the remote session.

 

We want to be consistent across platforms in this regard.

 

Centrify Advisor IV
Posts: 98
Registered: ‎06-30-2010
#6 of 7 5,722

Re: PuTTY prompt for PIN

Hi Bosonic,

 

We have several Federal and Defense customers with the same requirement for Smart Card-based login for any resource they are authorized to use. These organizations satisfy this requirement by setting the AD User account to only accept login via Smart Card, e.g. check the box in the user's Account tab labeled "Smart Card is required for interactive login". Once that is checked, the user is only able to login to AD with a Smart Card. Login to AD provides a Kerberos ticket which can then be used to login to downstream AD Integrated applications and servers.

 

Windows systems support Smart Card redirection over the RDP protocol so that the remote Windows system can challenge the user for Smart Card verification, which requires PIN input. Linux and Unix access via SSH does NOT provide remote access to the Smart Card, nor does SSH support PKI based authentication (something we are looking into adding, but it's not there today). However, you can AD join your UNIX and Linux systems in order to support Kerberos login after Smart Card login to AD. Centrify will refuse a password based login if AD is configured for Smart Card for interactive login.

 

We are adding support for Microsoft Authentication Mechanism Assurance (https://technet.microsoft.com/en-us/library/dd391847(v=ws.10).aspx), which will add a special group to the user's Kerberos PAC that can be verified by the target system, indicating that the user in fact authenticated to Active Directory with their Smart Card. This is not really needed if you force users to login to AD with Smart Card.

 

The summary is: Smart Card login to AD at the workstation to get a Kerberos TGT, then use Kerberos Service Tickets to get to downstream servers and apps; this is equivalent to Smart Card login to everything. You just need to ensure AD is configured for Smart Card login and all systems are joined to AD for Kerberos authentication after Smart Card login.

 

Hope this helps. 

-David 
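The control point David describes ("Smart Card is required for interactive login" on the AD user account) is stored as one bit of the account's userAccountControl attribute, so whether the policy is actually in force is something a defender can audit from a directory export. The following is an added example written for this thread, not code from Centrify or Microsoft: it decodes the documented userAccountControl bits and flags enabled accounts that are still open to password logon or that have Kerberos pre-authentication disabled. The sample records are constructed; in practice they would come from an LDAP query or an AD export.

```python
"""Audit userAccountControl flags for a 'smart card only' logon policy.

Added example for the thread above; not code from Centrify or Microsoft.
Bit values are the documented Microsoft userAccountControl flags.
The sample directory records below are constructed for illustration.
"""

# Documented userAccountControl bit positions (subset relevant here).
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000,       # the "Smart Card is required" checkbox
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "DONT_REQ_PREAUTH": 0x400000,
}


def decode_uac(value):
    """Return the sorted names of the flags set in a userAccountControl value."""
    return sorted(name for name, bit in UAC_FLAGS.items() if value & bit)


def audit_accounts(records):
    """Return (sAMAccountName, reason) findings for enabled accounts that
    do not meet a smart-card-only interactive logon policy.

    Each record is a dict with 'sAMAccountName' and an integer
    'userAccountControl', as an LDAP query would return them.
    """
    findings = []
    for rec in records:
        name = rec["sAMAccountName"]
        flags = set(decode_uac(rec["userAccountControl"]))
        if "ACCOUNTDISABLE" in flags:
            continue  # a disabled account cannot log on at all; nothing to report
        if "SMARTCARD_REQUIRED" not in flags:
            findings.append((name, "smart card not required; password logon possible"))
        if "DONT_REQ_PREAUTH" in flags:
            findings.append((name, "Kerberos pre-authentication disabled"))
        if "PASSWD_NOTREQD" in flags:
            findings.append((name, "password not required"))
    return findings


# Constructed sample export (hypothetical accounts, not from the thread).
SAMPLE_RECORDS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x40200},       # NORMAL + SMARTCARD_REQUIRED
    {"sAMAccountName": "bob", "userAccountControl": 0x10200},         # NORMAL + DONT_EXPIRE_PASSWORD
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x400200}, # NORMAL + DONT_REQ_PREAUTH
    {"sAMAccountName": "old_user", "userAccountControl": 0x0202},     # NORMAL + ACCOUNTDISABLE
]

if __name__ == "__main__":
    for account, reason in audit_accounts(SAMPLE_RECORDS):
        print(f"{account}: {reason}")
```

Only `alice` passes: she has SMARTCARD_REQUIRED set, so the domain controller will not accept a password for her and every downstream Kerberos service ticket she presents traces back to a smart card logon, which is the property the thread is after. The extra checks for DONT_REQ_PREAUTH and PASSWD_NOTREQD are there because either one weakens the "TGT implies smart card" argument even when the checkbox is set.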

Participant II
Posts: 8
Registered: ‎04-29-2015
#7 of 7 5,646

Re: PuTTY prompt for PIN

> We have several Federal and Defense customers with the same requirement for Smart Card-based login for any resource they are authorized to use. These organizations satisfy this requirement by setting the AD User account to only accept login via Smart Card, e.g. check the box in the user's Account tab labeled "Smart Card is required for interactive login". Once that is checked, the user is only able to login to AD with a Smart Card. Login to AD provides a Kerberos ticket which can then be used to login to downstream AD Integrated applications and servers.

 

We have been using this method for quite some time for our Windows users. The goal we have is PKI authentication based on smart card tokens regardless of operating system, and Centrify appears to come closest to this goal. We need to require smartcard/PIN authentication whenever a user needs to jump to another server or makes use of a web-based service, etc. That includes an authenticated AD user trying to reach a Linux server via PuTTY.

 

> Windows systems support Smart Card redirection over the RDP protocol so that the remote Windows system can challenge the user for Smart Card verification, which requires PIN input.

 

That is what we are doing now. 

 

> Linux and Unix access via SSH does NOT provide remote access to the Smart Card, nor does SSH support PKI based authentication (something we are looking into adding, but it's not there today).

 

BUT the Centrify PuTTY client appears to be able to prompt the user with a pop-up for not only a username/password, but there are selections in the pop-up that allow the user to select a card reader and enter a PIN. THAT is what I'm looking to enable. It's not in the PuTTY settings, so I'm thinking this has to be in the policy settings somewhere.

 

Thank you for the input.

 

Bosonic