The Lockdown

Thycotic’s Cyber Security Blog

Announcing Identity Bridge: Streamline authentication and authorization for Unix and Linux


Written by Paul Harper

August 18th, 2020

I’ve been working in the identity and access management (IAM) field for more than 20 years, and Unix and Linux user management has been a challenge throughout all those years. If you have a single Unix or Linux server and a manageable number of users, there’s no issue. But no one has only one server and a manageable user count. Many organizations have hundreds or thousands of servers and hundreds or thousands of users. It’s very easy to make mistakes when managing even a small number of users, because it’s mindless work for IT admins. They often duplicate efforts and spend many hours managing separate directories.

With so many usernames, passwords, UIDs, PGIDs, GIDs, home directories, shells, and more, it’s no wonder a tool to simplify, streamline, and automate management of Unix and Linux users is attractive. IT is forever looking for ways to remove complexity and improve security.

To learn more about challenges in user and privilege management for Unix and Linux systems, read my post “Think Differently About Unix / Linux Privilege Management.”

Identity Bridge simplifies management of Unix/Linux local accounts

With Thycotic Identity Bridge, IT administrators no longer have to manage Unix/Linux local accounts separately on every host or with a home-grown user management solution.

Identity Bridge uses organizations’ existing Active Directory infrastructure to simplify account provisioning and access control by replacing local accounts with a single account housed in Active Directory. This provides centralized authentication, shrinks the attack surface, and improves security by minimizing the mistakes and oversights that come from manual or distributed management of these key IT systems.

Identity Bridge helps multiple levels of an organization:

  • IT: Admins save time managing users across the IT infrastructure and use familiar tools they already use for Windows. This helps improve identity security through true “Kerberized” authentication that leverages known and trusted Microsoft security.
  • Compliance: Passwords and password policies can be consistent across the entire infrastructure, and all access is logged to ensure compliance. It also stops zombie accounts from being left behind when a user changes roles or leaves the organization.
  • Users: End-users have a single enterprise identity to access all resources regardless of operating system, reducing password fatigue. It’s also easier to do their work without interruption because of Kerberos-enabled SSO.

Old problem, new approach

When building this new product, we focused on making it easy to deploy, easy to manage, and affordable for organizations that need to simplify Unix and Linux user, group, and computer management.

IT teams will spend less time managing user access with this straightforward tool, which provides flexible user and group management via a Microsoft ADUC extension and a combined agent that offers both access and privilege control, accelerating adoption across the enterprise. Identity Bridge doesn’t rely on Windows Group Policy and doesn’t require schema extensions, which means fewer teams are involved in roll-out, and configuration and management are simpler.

Our new solution utilizes an open directory architecture that allows simple plug-and-play into existing directory infrastructures, including split and hybrid combinations of different centralized directories, making it a much more flexible solution that reflects the variety of directories we see in the market. With future releases, Thycotic will expand directory support to LDAP, Azure AD, and existing and emerging federated directories.

Identity Bridge provides these core Unix/Linux user management features:

  • Join a non-Windows host (Unix/Linux) to Active Directory
  • Support true Kerberos authentication and single sign-on
  • Centralize configuration stored directly in Active Directory
  • Store user and group POSIX data directly on Active Directory User and Group objects
  • Authenticate users using their Active Directory credentials on Unix and Linux systems
  • Authenticate users using cached credentials when Active Directory is not available
  • Support Access Control defined using native Active Directory groups with user and computer accounts

What’s Coming in Thycotic Unix/Linux Privilege Management

The definition of privilege continues to expand and change. It could be easily argued that standard user accounts have some level of privilege. And of course, with Unix and Linux, there are true privileged accounts, such as root.

There’s a gap in most organizations that use Unix or Linux systems as part of their infrastructure. Many people directly access these systems using highly privileged accounts such as root, or use legacy tools such as sudo or third-party solutions simply to switch to a root session. All of these were created over 25 years ago. Operating systems and security needs have evolved a great deal since these tools were created, and it’s difficult to properly protect these most critical systems, as well as the applications and data that run on them. In addition to the Identity Bridge Unix and Linux user management functionality, we’re also working on extending Thycotic Privilege Manager to Unix and Linux.

Thycotic’s Privilege Manager will provide next-generation privilege control, delivered in the cloud and on-premises, using a single interface for policy administration and control for all enterprise users and systems, regardless of operating system.
