Last week Centrify made available the mid-year release (2016.1) that comes packed with new capabilities.
Given that the PCI DSS 3.2 focuses stresses multi-factor authentication Centrify is gearing-up to help organizations that are looking to align with it this fall both with their legacy solutions (e.g. RSA SecurID) and modern methods.
Multi-factor Authentication Extended
Centrify MFA with DirectAuthorize is now extended to HP-UX, AIX and Solaris (this completes the UNIX/Linux ecosystem).
DirectAuthorize for Windows introduces MFA on Windows privilege elevation
Updated whitepaper RSA SecurID MFA integration that includes now server access and privilege elevation (instead of just PAM stacking). QA'd with RSA 7.1 on AIX (5.3, 6.1, 7.1), HP-UX 11i v2/v3, RHEL (4.8, 5.8, 6.2), SUSE 11SP2, Solaris 11 & 10. Note that this is for non-GUI login and Centrify-enhanced sudo (dzdo)
OATH OTP (e.g. Google Authenticator, Yubico Authenticator, FreeOTP, Duo, etc.) is now usable via Centrify MFA with Identity Service.
Parameter-based MFA controls for supporting Centrify Auto Zone and Classic Zones.
The adcdiag command line tool was introduced to provide pre-flight checks for MFA setup.
Enhancements to PowerShell commands for provisioning of MFA fields.
OATH OTP support opens more possibilities with Google Authenticator or YubiKey
adcdiag should provide the same value to MFA implementations as adcheck does for AD joins.
Centrify auto zone other legacy modes get multi-factor at login and can be configured via GPOs
Microsoft AD, Kerberos, Certificates and Smart Card
AD Cross-forest authentication with alternate UPN is now supported
Certificate Management and auto-enrollment now supports Elliptic Curve Algorithms.
Centrify Hierarchical Zones now support the sourcing of UNIX identity from pre-existing RFC2307 attributes. This can simplify provisioning for organizations that use those fields.
UNIX/Linux Client and Utilities Enhancements
The NIS Proxy (adnisd) now has it's own watchdog process.
Enhanced argument checking for dzdo (Centrify-enhanced sudo)
New Events documented when MFA challenges fail or succeed
Centrify-enhanced OpenSSH is now based on OpenSSH 7.2p2
OpenSSL is based on 1.0.2g
Centrify LDAP Proxy now supports TLS 1.2
libcurl is based on 7.44.0
PuTTY is upgraded to version 0.64
A new command "adcdiag" has been added to troubleshoot MFA
A new command "adobjectrefresh" has been added to only refresh specific users or groups instead of the whole cache.
Parameter and utility enhancements to support Hortonworks Hadoop Ambari 2.1.2
adobjectrefresh will be a great addition for Centrify administrators
Added Platforms
AIX 7.2
Latest version of Amazon Linux AMI (x86, x86_64)
CentOS 7.2 (x86_64)
Debian Linux 7.10, 8.3, 8.4 (x86, x86_64)
Oracle Enterprise Linux 7.2 (x86_64)
Scientific Linux 7.2 (x86_64)
openSUSE 42.1 (x86_64)
SUSE 12 SP1 (x86_64)
Scientific Linux 7.2 (x86_64)
Ubuntu 16.04 LTS (x86, x86_64)
Windows 10 (App and network rights)
Removed Platforms
Debian Linux 6
Fedora 20
HPUX 11.11, 11.23
Oracle Solaris 9
Ubuntu 14.10
OS X 10.9
Windows Client Enhancements
MFA Challenge on Applications or Desktop launches
Audit Trail Events for MFA Challenges
Mac Platform Enhancements
Simplified setup There's no need to download DirectManage components. Centrify has released a new "Mac Console" that contains the Centrify ADUC extension, GPOE and License Manager in a small (100 MB) bundle (contrast with 1.6GB for DirectManage).
If you're familiar with Identity Service and Privilege Service, they provide built-in step-up authentication like:
Centrify Mobile Authenticator
SMS
Phonefactor
E-mail
Security Question
We are going to cover
YubiKey (Smart Card) for PKI-based auth to Apps secured by CIS and secrets and sessions secured by CPS
OATH OTP (TOTP/HOTP) using YubiKey or other OATH compatible Authenticator (e.g. Google Authenticator)
Centrify uses Authentication Profiles to control what authentication mechanisms are used in different contexts:
a) Securing access to applications or the Centrify Portal (IDP initiated)
b) Securing access to UNIX & Linux systems
c) Step-up (privilege elevation) for UNIX, Linux and Windows systems
c) Provide RADIUS-based challenges for Cisco, Juniper and other VPN scenarios
d) Securing access to reverse-proxied on-prem applications made available via Privilege Service
e) Secure applications that implement Centrify APIs (e.g. Web, Mobile SDKs)
The challenges
Web Apps (on Prem or SaaS) need to be protected with strong mechanisms
Systems that provide access to secrets (like password managers) and secure session brokers also require strong authentication.
The
proliferation of "best of breed" solutions promotes IT fragmentation
and limits organizational flexibility. There's no need to have a
solution to secure servers, secure apps, provide multifactor and other
services. This promotes complexity.
Regulatory frameworks (like the upcoming PCI DSS 3.2) stress the use of Multifactor Authentication in sensitive systems.
Organizations
may have already standardized on OATH or PKI authentication and it may
be undesirable for them to adopt new mechanisms or train users.
The opportunity
Both CIS and CPS support Certificate-based authentication (Smart card) and OATH OTP
YubiKey simplifies the adoption of both mechanisms in a single form factor.
Lab Goals
Limit application users (on-prem web or SaaS) to strong authentication via Smart Card (YubiKey) or OATH OTP
Limit privileged users (of shared passwords and secure sessions) to strong authentication via Smart Card or OATH OTP
What you'll need
For All
Centrify Identity Service or Privilege Service Tenant (start a trial here) with basic knowledge an account with system administrator's rights
For the Contractor Scenario
A test user (can be from any source: AD, LDAP, Cloud Directory, Federated or Social Identity)
A YubiKey4, NANO or NEO and Yubico Authenticator (alternatively, any OATH-compatible authenticator like Google Authenticator will do fine)
For the Employee Scenario
Active Directory with Certificate Services
A Certificate provisioned for the user's smart card or YubiKey To see instructions on how to set this up, check out the Announcement Post that contains the base lab instructions.
Define an authentication profile for login that requires Smart Card or OATH OTP for login to the Centrify Portal This will cover any portal-based access (IDP initiated) or unauthenticated service-provider initiated connections
Request OATH OTP multifactor authentication to access to an application.
Employees with SmartCards
Define an authentication profile that considers users authenticated with Smart Card as strongly authenticated
Centrify Identity Service (or Privilege Service) Setup for Contractors
Sign-in to Centrify Identity Service (or privilege Service) and go to Cloud Manager > Policies. At
this point you can either create a new policy or work with a new one
tied to an specific role. I am using a Contractors role and tying it to
that role.
Navigate to Policies > Your Policy > User Security Policies > OATH OTP > Allow OATH OTP Integration: YES Show QR code for self service: [Select your appropriate setting] OATH OTP Name: [type a descriptive name]; I used Google Authenticator or YubiKey OATH OTP has been enabled, now it's time to enable it for an authentication profile.
Navigate to User Security Policies > Login Authentication - To configure the policy for login - capture the name of the effective rule (e.g. GlobalAuth High) - To configure the profile for secure app access - capture the name of the effective policy. Save the policy.
Navigate to Settings > Authentication > Authentication Profiles and identify the profiles form Step 3. For each profile: In my example, I'm using a single profile that allows for phone call and OATH OTP client, then Password.
Onboarding OATH OTP tokens for Contractors
This step can be performed in two ways:
Self-service from User Portal > Account > Actions > Set up "[OATH OTP name]"
Bulk (this is for larger deployments); from Cloud Manager > Settings > Authentication > Other > OATH Tokens Use the provided Excel template to perform a bulk import of OATH tokens.
Centrify Identity Service (or Privilege Service) Setup for Smart Card Employees
Upload your PKI trust chain to your tenant using Centrify Support
Log
in to Cloud Manager and go to Policies > [policy that applies to
employees] > User Security Polcies > Login Authentication
Edit the "Other Settings" accordingly:
Press Save
Test Matrix
Contractor can self-service enroll their OATH OTP using the user portal
Access
the Centrify Identity Service (or Privilege Service portal) requires
OATH OTP, then password (to protect the user's Password).
Access a designated application (e.g. Amazon AWS) requires OATH OTP.
Testing for Employees
Authenticate using your Smart Card or YubiKey
Attempt to access Centrify Privilege Service or Identity service URL or SP-initiated connection.
Select the Certificate in the picker.
Type the PIN for your smart card or YubiKey
Depending on how you set up your policy, Smart Card sessions can be set up to bypass additional controls.
Video: Contractor Setup
Other considerations:
When
using self-service onboarding for OATH OTP tokens, allow for a
secondary step-up (like phone call) so the user can enroll their OATH
token.
When using self-service onboarding for OATH OTP tokens,
be careful about allowing access to QR codes. Users have to be educated
that it is a sensitive operation. Centrify provides a policy to allow
this capability.
Background
This is the the second lab in the series around Strong Authentication. In the previous lab we focused on StrongAuth for Windows access and privilege elevation with YubiKey.
We
will be focusing on UNIX/Linux system access leveraging strong
authentication to Windows (or Mac) systems via smart card or YubiKey.
Centrify Server suite allows definitions of roles that only allow
non-password authentication to be enforced. YubiKeys are full-fledged
personal identity verification (PIV) cards that work very well with AD
and Certificate Services.
The challenges
Recent advanced threats leverage the collection of passwords and poor security practices to exploit systems.
The variability (heterogeneity) of systems (Windows, UNIX, Linux, Macs) poses a big challenge for organizations
The proliferation of "best of breed" solutions promotes IT fragmentation and limits organizational flexibility.
The
"jumpbox" or proxy approach combined with additional controls like
workflow can help as long as connections are centralized, however many
organizations are getting audit comments due to circunvention of these
mechanisms.
Although there are different multifactor providers
in the market and most of them provide Pluggable Authentication Modules
for their solutions, the implementation requires a high-degree of
expertise and translating the capability to hundreds or thousands of
servers with heterogeneous OSs can be quite complex.
The opportunity
Although
Centrify can accommodate the "jump box and shared account" model using
Centrify Privilege Service, organizations should complement their
security strategy with the least access model:
Users shall only access the systems they need to based on business need-to-know with strong authentication
Users
shall be limited to the minimum privileges required for their
functions: this is accomplished by providing users roles with the
rights that they need.
Rights shall be assigned and limited to
the business function with a privilege elevation mechanism (e.g. sudo)
that has the flexibility to provide strong authentication.
In sensitive systems, access and privilege elevation shall be supplemented with session capture and replay.
Active
Directory and Centrify provide a stack that can secure systems and
eliminates complexity across the different UNIX/Linux platforms
Lab Goals
Limit privileged users to a subset of UNIX/Linux systems based on their needs (AD and Centrify Zones enable this)
Require strong authentication for local or remote (SSH) access (this is enabled by Centrify DirectAuthorize)
Require strong authentication on privilege elevation if needed (OTP, SMS, E-mail, phonefactor, etc)
A domain joined member server with Centrify Server Suite 2016 (DirectControl) a
One or two UNIX/Linux systems with Centrify DirectControl and Centrify-Enhanced OpenSSH Because
we will be relying on SSO, Centrify OpenSSH comes compiled with
Centrify methods that simplify the process in simple and complex AD
environments.
For SSO to work, the system has to be resolvable by name (shortname or FQDN) by the Kerberized clients.
SSH client that supports SSO; e.g. stock PuTTY (GSSAPI) or Centrify-enhanced (Kerberos)
Access to Centrify Standard Edition (evaluation or licensed)
Scenario Description:
We
will use the Yubikey/Smart Card with the Certificate provisioned to the
user in the base lab. With Centrify Access Manager, we will create a
role that allows her to access a system (locally and via SSH) and we
will prove:
That the user can only log in to her Windows station with her Smart Card
That the user cannotsign-in to UNIX/Linux system locally or remotely (via SSH) with a password
That the user is onlyallowed to log in remotely via SSH to UNIX/Linux systems via SSO (Kerberos or GSSAPI)
That these rights can be assigned to groups of systems, or groups of users in a temporary or permanent basis
Minimal to zero configuration at the system level. Once the system is joined to AD, the security measures should just work.
Centrify Setup
In
this instance we are setting up a Web Admin role that contains the
pre-defined "login-all" PAM right. We are not breaking down the rights
to prove that we can stop the user from logging in via console or via
SSH with a password.
The privileged user assigned the role must
have authenticated with her YubiKey or SmartCard to obtain a Kerberos
TGT from Active Directory, subsequently, Centrify DirectAuthorize will
be in charge of denying access to the user if they don't use SSO for
access (via Kerberos or GSSAPI). All we're going to need is a zone and a
role.
To set up using PowerShell
Import-ModuleActiveDirectoryImport-ModuleCentrify.DirectControl.PowerShell$user = Get-ADUser-IdentityMaggie.Simpson# substitute for your test user$cont = "cn=zones,ou=unix,dc=centrify,dc=vms"# substitute for your container DN$zone = New-CdmZone-Name"Yubikey-Demo"-Container$cont$cmd1 = New-CdmCommandRight-Zone$zone-Name"Edit http config file"-Pattern"vi /etc/httpd/conf/httpd.conf"-Authenticationnone$cmd2 = New-CdmCommandRight-Zone$zone-Name"Httpd service control"-Pattern"service httpd*"$cmd3 = Get-CdmPamRight-Zone$zone-Name "login-all"
$role = New-CdmRole-Zone$zone-Name"UNIX Webadmin - StrongAuth"-UnixSysRightsssologin, nondzsh, visibleAdd-CdmCommandRight-Right$cmd1–Role$roleAdd-CdmCommandRight-Right$cmd2–Role$roleAdd-CdmPamRight-Right$cmd3–Role$roleNew-CdmUserProfile-Zone$zone–User$user–login$user.SamAccountName-UseAutoUid-AutoPrivateGroup –HomeDir"%{home}/%{user}"–Gecos"%{u:displayName}"–Shell"%{shell}"New-CdmRoleAssignment-Zone$zone-Role$role-TrusteeTypeADUser-ADTrustee$user | Out-Null
To perform the steps for the script above manually Create, Configure and Assign the Demo role
In Access Manager > Open they Yubikey-Demo zone > Authorization > Right Click Role Definitions > Select Add Role
Name: UNIX WebAdmin - StrongAuth System Rights: - Non-password (SSO) login is allowed (checked) - Login with non-Restricted shell (checked)
Create two UNIX commands. Since this will be our "Web Admin" we'll allow the role to manipulate the httpd daemon and edit the config file for the Apache server. The commands are: Glob expression vi /etc/httpd/conf/httpd.conf from the standard user path /usr/bin no reauthentication required. Glob expression service httpd* from the standard user system path /usr/sbin no reauthentication required.
Add the rights to the role. Right click the "UNIX WebAdmin - StrongAuth" role and select "Add Right"
The role is ready to be assigned. Now press OK and right-click the Authorization > Role Assignments > Select Assign Role
Press the Add AD account > type the name of your test user, select it and press OK. Note: This is a permanent direct assignment to a user principal at the zone level. This is not the best practice, typically you grant role assignments temporarily (for attestation), in a subset of systems and to AD groups for better administration.
Install DirectControl and join the system to the Centrify Zone
Use your preferred software distribution method to copy the Centrify software In my case I already have a local repo for RHEL and derivatives. (Read how to set up here)
Log in to your UNIX/Linux system and use your favorite package manager to install Centrify DirectControl and Centrify-enhanced OpenSSH
Now Join the Centrify zone and you'll be ready for testing. Use the adjoin command and an authorized user:
$ sudo adjoin -z Yubikey-Demo -c "ou=servers,ou=unix" -u dwirth centrify.vms
[sudo] password for centrifying:
dwirth@CENTRIFY.VMS's password:
Using domain controller: dc.centrify.vms writable=true
Join to domain:centrify.vms, zone:Yubikey-Demo successful
Centrify DirectControl started.
[truncated]
If your system was not resolvable by Windows DNS, you can use the addns command to register automatically with dynamic updates (if your DNS zone allows):
$ sudo /usr/sbin/addns --update --machine
Updating both HOST and PTR record for: centos67.centrify.vms
Deleting old reverse lookup records for centos67.centrify.vms on 192.168.81.10.
No old reverse records deleted because no host records found for centos67.centrify.vms on 192.168.81.10.
Verify that your users are correctly UNIX-enabled and with the expected rights (use adquery user and dzinfo)
$ adquery user maggie.simpson
maggie.simpson:x:1040191002:1040191002:Maggie Simpson:/home/maggie.simpson:/bin/bash
$ sudo dzinfo maggie.simpson --roles
User: maggie.simpson
Forced into restricted environment: No
Centrify Cloud Authentication: Supported
Role Name Avail Restricted Env
--------------- ----- --------------
UNIX Webadmin - Yes None
StrongAuth/Yubi
key-Demo
Effective rights:
Non password login
Allow normal shell
Visible
Centrify Cloud Authentication:
Not Required
Audit level:
AuditIfPossible
Always permit login:
false
All set on the Centrify side.
Configure your Test user for Smart Card Authentication
In ADUC, find and double-click the test user.
Account Tab > Account Options > Check the box for "Smart Card is required for interactive logon"
Press OK. You are ready to start testing.
Test Plan:
Try to access the system with any other AD user than test user - expected result: Access Denied This is because users need to be explicitly be granted access a UNIX identity and a Centrify role in the zone for the computer.
login as: dwirth
-----------------------------------------------------------------
CENTRIFY DEMO -
-----------------------------------------------------------------
WARNING: This is a PRIVATE system exclusively for Centrify demos
Your actions will be monitored and recorded.
-----------------------------------------------------------------
Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Try to access the system with your test user (Maggie) with her password (Console or SSH) - expected result: Access Denied This is because the test user was defined with "Smart card required for interactive logon"
login as: maggie.simpson
-----------------------------------------------------------------
CENTRIFY DEMO -
-----------------------------------------------------------------
WARNING: This is a PRIVATE system exclusively for Centrify demos
Your actions will be monitored and recorded.
-----------------------------------------------------------------
Using keyboard-interactive authentication.
Demo Password:
Using keyboard-interactive authentication.
Account cannot be accessed at this time.
Please contact your system administrator.
Log in to Windows system (you are forced to smartcard login) - Launch PuTTY (configured for SSO) Expected result: Access Granted
Video Other Considerations:
When forcing strong authentication, you must have a plan for other shared non-human accounts. This is where Centrify Privilege Service shines.
Don't underestimate the need for good process around the lifecycle of PKI and smart cards. PKI is serious business.
