This blog comments on a variety of technology news, trends, and products and how they connect. I'm in Red Hat's cloud product strategy group in my day job although I cover a broader set of topics here. This is a personal blog; the opinions are mine alone.
Ellen Newlands and Dmitri Pal handle product management and engineering respectively for Red Hat Identity management. In this podcast they discuss cross-realm trust, a new feature in Red Hat Enterprise Linux 7.0 (currently in beta), which centralizes identity and makes integrating identity management from Linux with Active Directory and managing it much easier than it has been in the past. We also cover some of the work that Red Hat is doing around one-time passwords.
We're going to be starting to talk about some of the new features coming
down the road in RHEL 7, Red Hat Enterprise Linux 7, that's scheduled to ship
later this year. Today, we're going to talk about one of the new security features
in RHEL 7, namely, cross‑realm trust.
get a high level view to start off. Ellen, why don't you explain what it is and
why people care about it?
Newlands: Microsoft’s Active Directory is installed in many, many of
our customers' accounts. In addition, of course, customers also are using Red
Hat Enterprise Linux.
of the things that we will be shipping in the latest version of RHEL, which
will be RHEL 7, is the ability to easily integrate identity management from
Linux with Active Directory, something that centralizes identity and makes the
management of those identities much easier than it has been in the past.
Dmitri, could you tell us at a reasonably high level what this cross‑realm
Pal: Cross‑realm trust is the capability of the identities from one
domain to access systems and resources in another domain. So instead of systems
having to be directly connected to the Active Directory as they have been in
the past, we can have a central server that would manage those systems while
enabling users to come from Active Directory and access those systems and
access the resources provided by those systems, for example, NFS and things
From the point‑of‑view of a system admin, how is what they can do with
cross‑realm trust simplified or different from how they would do things today?
Today, with the solutions that are available, Linux systems are usually
joined directly into an Active Directory domain. That means that they need to
be managed through the Active Directory tools or found by the tools related to
or integrated with the Active Directory.
some cases, that's the preferred method, but that requires the protocols that
are driven from Active Directory. Linux systems have their native needs in terms
of POSIX attributes, the SELinux capabilities, the sudo capabilities. Linux
systems are really not exactly the same as Windows systems, so turning Linux
systems into Active Directory directly requires a lot of remapping things.
had a solution for managing Linux systems, but it was isolated. The idea is to
provide the best‑of‑breed services for the Linux systems on one hand, and to
enable the users from Active Directory to access those systems on the other
hand. It's the best‑of‑breed of both worlds.
This is really a way of essentially federating identities.
Yes, but using domain‑to‑domain. It's federation on the Kerberos level.
It's domain federation rather than other ways of federating like SAML or
OpenID. This is on a lower level, on the infrastructure level rather than on
the application level.
Is there a particular audience for this type of approach versus other
approaches? In other words, who's been asking us to do this?
The main consumer is the part of the organization which is responsible
for the infrastructure, for maybe cloud services or storage services, the
things that provide the fabric required for the enterprise to do their
business. The applications can be on the top of that, consuming the cloud or
the big data that is running on top of this infrastructure.
having a set of the systems that constitute the infrastructure as a part of
Linux and joined into the Active Directory through the trusts is that domain
Ellen, what have you been hearing in terms of demand for this?
One of the things that I find quite interesting is we are now in the high‑touch
beta phase for RHEL 7. A number of the customers who have shown a great deal of
interest in this particular capability, the cross‑realm trust, are in banking,
telecommunications, retail, healthcare, and public sector.
we find is that these are accounts where Active Directory may be what we call
the authoritative source for compliance.
there's a large infrastructure component for Linux that also wants to be
involved in the higher levels of compliance but managed with the Linux
capabilities. As Dmitri explained, there are certain native Linux capabilities,
like automount and sudo, et cetera, that this enables that area of the
corporation to maintain while still falling under the corporate architecture
where maybe Active Directory is the authoritative source.
seen a lot of interest from generally very large customers who have a complex
or heterogeneous environment.
That's pretty common these days.
Yes, it is. It seems like very, very few customers have only one vendor or
one operating system. Linux is very often in a division or the development group
or whatever in a wider context.
I want to add one important factor of the cross‑realm Kerberos trust.
That kind of a deployment allows great integration from whatever solution the
enterprise has at the moment to the future vision and the future architecture.
By deploying identity management in Red Hat Enterprise Linux that comes with
Red Hat Enterprise Linux 7.0, you can establish this trusted domain and then
gradually move your systems into that domain.
of the important things is that you don't need to move to the latest versions
of Linux. You can serve with this solution both the latest version, the
7.0, and the latest version of RHEL 6. You also can integrate earlier Red Hat
Enterprise Linux versions as well as non‑Linux systems.
This highlights what the analysts are telling us. What we see is an idea
that IT is increasingly hybrid, and that solutions that force homogeneity are
increasingly uninteresting, nonviable even, at customers.
That's absolutely true. Increasingly, it's a heterogeneous world.
Increasingly, also, the corporate boundaries are somewhat porous. The ability
to move in and out of vendors' various environments is very valuable,
especially when we offer centralized management. It takes less time, less work
and is easier to manage and, to some extent, update.
I would be remiss and some of my friends would disown me if I didn't
mention that Red Hat Summit is coming up mid‑April in San Francisco. For
listeners who are interested in this sort of thing, there are going to be a
lot of great sessions around identity management at Red Hat Summit.
Yes, indeed. Dmitri will be doing demonstrations not only of the new
cross‑realm trust coming out in RHEL 7. One of the other features that I think
is interesting is, we've done some work in what we call OTP, which is one‑time
would you like to explain a little bit about why that would be of value?
We have been working on the one‑time password technologies and
integrating them directly into the identity management solution for quite some
time. It's not going to be available in Red Hat Enterprise Linux 7.0, but it is
in a stage of development that is ready for us to talk about that.
coming down the road. It's pretty solid technology right now. We will
demonstrate it in the booth at the conference.
main value is that you can authenticate with two‑factor authentication, like a
token fob that you have or a token that you have on your smartphone, and then
acquire, as a result of this authentication, Kerberos trust, that would allow
your enterprise single sign‑on between different services within your
the past, there has been no solution that allowed you to do that in an
integrated fashion. There has always been a password hidden somewhere. You
authenticate with two factors. With that you unlock a password, and then that
password is played against Active Directory or LDAP or any kind of
identity management in Red Hat Enterprise Linux, we are building it in such a
way that it is single stack. That's pretty powerful. There is a lot of
potential in this technology going forward.
By the way, I think everybody in your listening audience will know that
two‑factor authentication increases your security.
Thank you for your time today. Anything else either of you would like to
Come to the conference, join us in the booth, and join us at the talks
that we'll have during the course of the summit. There will be some labs, also,
dedicated to identity management. See you there. Thank you.
Looking forward to seeing you at Summit. Thank you.
I'm in the cloud product strategy group at Red Hat. Prior to Red Hat, I wrote hundreds of research notes, was frequently quoted in publications like The New York Times on a wide range of IT topics, and advised clients on product and marketing strategies. Earlier in my career, I was responsible for bringing a wide range of computer systems, from minicomputers to large UNIX servers, to market while at Data General. Among other hobbies, I do a lot of photography and enjoy the outdoors.