A customer currently has Quest (Dell) Authentication Services installed on their Linux servers (works similarly to CA PIM UNAB). They want CA PAM to work in conjunction with Quest (Dell) Authentication Services in the following way:
1. The user logs into his laptop using smart-card authentication towards AD and hence receives a Kerberos ticket.
2. The user launches the CA PAM UI.
3. Via the PAM UI the user accesses a Linux system (using the SSH access method) and is automatically logged in using the Kerberos ticket that was received in step 1, i.e. the PAM client needs to be able to transfer the Kerberos ticket down to the Linux server.
Is this a working scenario?
Although desirable, CA PAM is not kerberized: for the SSH Access Method it is only capable of passing username/password or public key credentials to accomplish the login to the target system.
I could envisage, however, using PuTTY (which IS kerberized) as a TCP Service in CA PAM, i.e. the Windows Kerberos ticket is utilised by PuTTY to do the Kerberos authentication against the Quest box.
What is obviously missing in this scenario, however, is Session Recording.
I just learned from
that obviously PAM's RDP applet IS capable of forwarding the Kerberos ticket to the target Windows box for authentication.
Vasyl, can you please comment on whether this is also possible for PAM's SSH applet?
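Whichever client ends up carrying the ticket (PuTTY as a TCP Service, or a Kerberos-aware SSH applet), the Linux side only completes the scenario if its sshd accepts GSSAPI authentication, and the session on the target only holds a usable ticket if the client delegates (forwards) it. The script below is an added example, not code from this thread, from CA PAM or from Quest Authentication Services: it reads an OpenSSH sshd_config and ssh_config the way OpenSSH does (first occurrence of a keyword wins, keywords are case-insensitive, anything after "Match"/"Host" is conditional and skipped) and reports whether the target would accept a Kerberos login and whether the client would forward the TGT. It assumes OpenSSH built with GSSAPI support on the targets; the file paths, the "svc" user and the sample configs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the thread or of any CA/Quest product: a pre-flight
# check of OpenSSH configuration for Kerberos (GSSAPI) logins. Assumes OpenSSH
# with GSSAPI support on the Linux targets; paths are supplied by the caller.

# Print the effective value of an OpenSSH directive from a config file.
#   $1 config file, $2 keyword, $3 default used when the keyword is absent
# OpenSSH keywords are case-insensitive and the FIRST occurrence wins; only the
# global section is read, since anything after "Match"/"Host" is conditional.
cfg_directive() {
    v=$(sed 's/#.*//' "$1" | awk -v k="$2" -F '[[:space:]=]+' '
        { sub(/^[[:space:]]+/, "") }
        $1 == "" { next }
        tolower($1) == "match" || tolower($1) == "host" { exit }
        tolower($1) == tolower(k) { print tolower($2); exit }')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Target side (sshd_config): will sshd accept a Kerberos ticket at all?
# The OpenSSH default for GSSAPIAuthentication is "no", so a missing line means no.
target_accepts_gssapi() {
    [ "$(cfg_directive "$1" GSSAPIAuthentication no)" = yes ]
}

# Client side (ssh_config): will the client forward the TGT, so that the shell on
# the target holds a ticket for a further hop or for Kerberized NFS? Default: no.
client_delegates_ticket() {
    [ "$(cfg_directive "$1" GSSAPIDelegateCredentials no)" = yes ]
}

# One-line summary of both files, e.g. "target=yes client=no".
gssapi_summary() {
    t=no; c=no
    target_accepts_gssapi "$1" && t=yes
    client_delegates_ticket "$2" && c=yes
    printf 'target=%s client=%s\n' "$t" "$c"
}

# Demo on constructed sample configs (not taken from any real host).
demo() {
    d=$(mktemp -d)
    cat > "$d/sshd_config" <<'EOF'
Port 22
# GSSAPIAuthentication yes
GSSAPIAuthentication no
# the directive below only applies inside the Match block and is ignored here
Match User svc
    GSSAPIAuthentication yes
EOF
    cat > "$d/ssh_config" <<'EOF'
  gssapiauthentication = yes
  GSSAPIDelegateCredentials yes
EOF
    gssapi_summary "$d/sshd_config" "$d/ssh_config"   # target=no client=yes
    rm -rf "$d"
}

# Live check once the files pass (needs a ticket; shown for reference only):
#   klist                                              # TGT from the smart-card logon
#   ssh -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes user@target klist
# A forwarded TGT in the second klist proves the ticket reached the target.

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh check_gssapi.sh demo` to see the constructed case, or call `gssapi_summary /etc/ssh/sshd_config ~/.ssh/config` against real files. In PuTTY the client-side equivalents of the two ssh_config directives are "Attempt GSSAPI authentication" and "Allow GSSAPI credential delegation" under Connection > SSH > Auth > GSSAPI; delegation is what the user would need if the Linux session must itself reach further Kerberized services, and it is also the setting to leave off when the target is not trusted with the user's TGT.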