Monday, June 09, 2008

Microsoft on OpenSSH on Linux (and what the parrot saw)

I'm not sure why this post from Microsoft on OpenSSH on Linux just appeared, but it did. The document referenced is marked October, 2007.

In any case, the document explains, in little detail, what you need to do to set up OpenSSH and Kerberos so you can achieve single sign-on between Linux systems and Windows desktops through the use of your Active Directory credential.

As the author states, the main benefit for going through this is:

...many administrators currently use SSH for remote access management, utilizing Kerberos in this way allows an administrator to standardize to one remote access tool and centralize all authentication information.

What I would like to point out is the difference between the Open Source approach that the author proposes versus what Quest does with their Vintela Authentication Services product. You can also check out our work in the OpenSSH area too, here.

The author starts by stating:

On the Linux system, I have installed the following tools (Package names from Fedora Core 5):
 openssh
 openssh-server
 samba-common
 samba-client
 krb5-workstation
 krb5-libs

On the Windows side, I installed the following tools:
 Windows Support Tools

The first point I want to make is that the 6 steps mentioned around Fedora Core 5 are not just point, click and go installation steps. Put on your heavy gloves and get ready for some lifting. Anyway, let's assume you're a Linux guru and you breeze through those parts. The main points I want to bring to your attention are the following:

At a high-level the value in VAS is the same but Quest's value-add is:

  • Simpler install
  • Consistent install across more than just Linux (e.g., Unix!)
  • All the additional ‘value-add’ on top of core VAS (Group Policy is a good example)
  • More ‘enterprise ready’ (one package to install, support, tunable)

Specific examples:

  • The doc described how to manually configure Kerberos – VAS automates this configuration
  • The doc required the use of Samba to ‘join’ the linux system to AD – VAS replaces the need for Samba
  • The instructions and examples were for a single platform (Linux) – VAS expands the value to a bigger Unix/Linux/Mac picture
  • What happens if Active Directory isn't available? (i.e., network problems because we all know that AD would never just be down) - VAS provides a patent-pending "disconnected mode" for exactly this scenario or the more common scenario: You're on your laptop at home versus being at the office!

And a big one…the docs says:

Identity management is beyond the scope of this paper. Kerberos provides authentication but not identity management. If OpenSSH cannot find an identity relating to the login credentials, access will be denied.

I think you might actually need a bit of identity management with that OpenSSH solution. Additionally, scaling this up to support multiple Linux and Unix variants running on 32-bit and 64-bit systems would be a job that I'd jump at - not.

In my travels I've run across many customers that thought a 6 page document was enough to build an enterprise Unix/Linux/Active Directory integration and single sign-on strategy and deployment around. We even received an email from one today who said they were going to go with Samba and do the work themselves for their 400+ Unix/Linux servers. I always tell them the same thing: Give us a call when you're ready - We'll honor our quote! They always come back.

Technorati Tags:
, , , , , , , , ,

No comments: