Symantec Privileged Access Management

 View Only
Expand all | Collapse all

Automatically login towards a Linux host using a Kerberos ticket

Jump to Best Answer
  • 1.  Automatically login towards a Linux host using a Kerberos ticket

    Broadcom Employee
    Posted Mar 28, 2017 03:03 AM

    Hi,

    customer currently has Quest (Dell) Authenticaion Services installed on their Linux servers (works similar to CA PIM UNAB). They want CA PAM to work in conjunction with Quest (Dell) Authenticaion Services in the following way:

     

    1. User log into his Laptop using a smart-card authentication towards AD and hence receives a Kerberos ticket.

    2. The user launches CA PAM UI

    3. Via the PAM UI the user access a Linux system (using access method SSH) and is automatically logged in using the Kerberos ticket that was received in step 1. I.e. the PAM client need to be able to transfer the Kerberos ticket down to the Linux server.

     

    Is this a working scenario?

     

    Regards

    Per



  • 2.  Re: Automatically login towards a Linux host using a Kerberos ticket
    Best Answer

    Broadcom Employee
    Posted Mar 28, 2017 03:26 AM

    Hello Per,

     

    Although desirable, CA PAM is not kerberized - for SSH Access Method it is only capable of passing username/password or public key credentials to accomplish the login to the target system.

     

    I could envisage however using Putty (which IS kerberized) as a TCP Service in CA PAM, i.e. Windows Kerberos Ticket is utilised by Putty to do the Kerberos authentication against the Quest box.

     

    What is obviously missing in this scenario is Session Recording however.

     

    Cheers,

    Andreas



  • 3.  Re: Automatically login towards a Linux host using a Kerberos ticket

    Broadcom Employee
    Posted Mar 29, 2017 09:02 AM

    I just learned from

     

    https://communities.ca.com/thread/241774644

     

    that obviously PAM's RDP applet IS capable of forwarding the Kerberos Ticket to the target Windows box for Authentication.

     

    @ shyva01@ca.com

    Vasyl, can you please comment if this is also possible for PAM's SSH Applet ?