|
Note: When you are logged on as an Active Directory user, you can access information about Active Directory users, groups and computers. (See Active Directory Configuration for details.) |
This information is protected by using your credentials to securely connect to Active Directory using the GSS/SASL security layer for the LDAP protocol. Only the information that is visible to the Active Directory account to which you are logged on is available. While some of this information may be cached on the server, it is only available to the user that originally requested it, ensuring that the access control rules for Active Directory objects are honored by the Management Console for Unix server.
The mangement console may request Active Directory credentials when you perform tasks, such as the Check for AD Readiness or when you configure the Active Directory settings for a host. In this case, the credentials are not stored on the server, but are only used for the selected task.
Secure access to the managed Unix hosts is performed using the SSH protocol. Management Console for Unix uses SSH internally to profile hosts, manage users and groups, and run Readiness Check Results reports. It also provides an SSH Java Applet console for accessing the hosts directly.
While the SSH protocol encrypts traffic and can use passwords to authenticate users, it uses public key cryptography to authenticate the server. If the server is not correctly authenticated, it is possible for an attacker to act as a 'man-in-the-middle' and obtain the user's logon and root passwords for a host. For this reason, it is important to understand how the options to manage SSH host keys affect the security of your Management Console for Unix installation.
Management Console for Unix uses SSH as the network protocol to provide secure remote access and administration of Unix hosts. It maintains a list of valid SSH host keys used to authenticate the connections.
The mangement console allows you to directly import these keys, using one of the following methods:
When you use this command you are prompted to accept the new fingerprint for the selected host.
The known_hostfile contains the host addresses and public key data for known server hosts.
|
Note: (See Known_hosts File Format for more information about the supported known_hosts file format.) |
Alternatively, when profiling a host, new SSH keys are automatically accepted for the selected host by default. However, you can clear the Automatically accept SSH keys option on the Profile Hosts dialog if you want to be prompted to validate the host's SSH key if a key is not already cached for the selected host. If you clear this option, you must accept a host's fingerprint in order to proceed with the profiling process.
|
Note: While the Automatically accept SSH keys option is enabled by default, clearing this option disables it for subsequent profiles for this user. Regardless of whether the Automatically accept SSH keys option is selected or not, when a modified key is encountered, the profile task will prompt you to accept the new changed key(s). |
You can view the SSH fingerprint and algorithm used to access a host on the Details tab of a host's properties.
|
Note: While the Management Console for Unix server automatically accepts SSH host keys by default, to avoid potential "man-in-the-middle" attacks, One Identity recommends that you either disable this option so that you can manually review and accept the key fingerprints, or directly import the keys by using one of the methods described above. This ensures that your SSH connection is secured to a trusted host before supplying your log on or root credentials. |
When importing a known_hosts file, the mangement console expects the file to be in a particular file format. The rules for a known_hosts file are:
The default location for a known_hosts file is: ${user.home}/.ssh/known_hosts
© 2021 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy