惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Cyberwarzone
Cyberwarzone
C
CXSECURITY Database RSS Feed - CXSecurity.com
C
CERT Recently Published Vulnerability Notes
The Hacker News
The Hacker News
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Security Archives - TechRepublic
Security Archives - TechRepublic
Google Online Security Blog
Google Online Security Blog
D
Docker
H
Hacker News: Front Page
Recent Announcements
Recent Announcements
GbyAI
GbyAI
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
P
Proofpoint News Feed
Security Latest
Security Latest
AI
AI
I
InfoQ
Google DeepMind News
Google DeepMind News
阮一峰的网络日志
阮一峰的网络日志
S
Secure Thoughts
Attack and Defense Labs
Attack and Defense Labs
P
Proofpoint News Feed
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Scott Helme
Scott Helme
N
News | PayPal Newsroom
Y
Y Combinator Blog
V
Visual Studio Blog
Latest news
Latest news
大猫的无限游戏
大猫的无限游戏
Microsoft Security Blog
Microsoft Security Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
WordPress大学
WordPress大学
V
Vulnerabilities – Threatpost
C
Cyber Attacks, Cyber Crime and Cyber Security
TaoSecurity Blog
TaoSecurity Blog
S
Security @ Cisco Blogs
D
DataBreaches.Net
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
N
Netflix TechBlog - Medium
T
Troy Hunt's Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
H
Heimdal Security Blog
美团技术团队
S
Securelist
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
S
Security Affairs
T
Threat Research - Cisco Blogs
Webroot Blog
Webroot Blog
G
Google Developers Blog
aimingoo的专栏
aimingoo的专栏

Ubuntu blog

Tracing a memory leak bug in PID 1 and contributing an upstream fix: a Linux support story | Ubuntu MAAS installation: bare metal provisioning is easier than ever | Ubuntu Januscape vulnerability CVE-2026-53359 mitigations available | Ubuntu Managing Ubuntu on bare metal at scale Ubuntu Server: a platform made for enterprise scale | Ubuntu Building an open source chain of trust: new research uncovers key blockers and ways forward | Ubuntu Beyond safety and security: Why automotive open source demands dependability  | Ubuntu DirtyClone Linux kernel local privilege escalation vulnerability fixes available | Ubuntu pedit COW kernel local privilege escalation vulnerability mitigations | Ubuntu Canonical becomes Gold Sponsor of Trifecta Tech Foundation | Ubuntu Challenges designers face in open source (and how to fix them) | Ubuntu Hunting a 16-year-old SQLite bug with TLA+: is dqlite affected? | Ubuntu Anbox Cloud on C4A metal: Android, at scale, without friction | Ubuntu Canonical announces live kernel patching for Arm64 | Ubuntu How to use RISC-V custom instructions with Ubuntu | Ubuntu Ubuntu Summit 26.04: connected by open source | Ubuntu So you need to add microcontrollers to your fleet: now what? | Ubuntu Validating real-world skills through Canonical Academy | Ubuntu Virtualized Android comes to Anbox Cloud | Ubuntu Template: Streamlining open source design contributions | Ubuntu Beyond Mythos: responding to a new threat landscape | Ubuntu A look into Ubuntu Core 26: Building a local AI inference appliance in a virtual machine | Ubuntu A decade of Ubuntu on IBM Z and IBM LinuxONE | Ubuntu AI at the edge: simplifying infrastructure with Cisco and Canonical | Ubuntu The next era of telco clouds: get open infrastructure choice with Sylva and Canonical Kubernetes | Ubuntu What is RDMA over Converged Ethernet (RoCE)? | Ubuntu Beyond tokens per watt – using Ubuntu 26.04 LTS for AI | Ubuntu A look into Ubuntu Core 26: Deploying AI models on Renesas RZ/V series for production | Ubuntu RISC-V profiles – why is RVA23 significant? | Ubuntu AI with AMD ROCm on Ubuntu: your questions answered | Ubuntu Ubuntu and Ubuntu Pro on Azure Cobalt 200 VMs | Ubuntu What is InfiniBand? | Ubuntu How Canonical Support solves hard Linux performance bugs  – even in 12-year old code | Ubuntu Securing AI agent workflows on Ubuntu with the new NVIDIA OpenShell snap | Ubuntu Canonical announces optimized Ubuntu images for TPU virtual machines by Google Cloud | Ubuntu VMware hypervisor deployment using MAAS | Ubuntu Migrating from Apache Spark 3 to Spark 4 | Ubuntu Introducing Workshop: launch sandboxed development environments on Ubuntu with a single command | Ubuntu Run agentic workloads on Arm and Ubuntu | Ubuntu Decoding design: How design and engineering thrive together in open source | Ubuntu Developing web apps with local LLM inference | Ubuntu PinTheft Linux kernel vulnerability mitigation | Ubuntu Canonical announces fully Managed Kubeflow AI operations platform on the Microsoft Azure Marketplace | Ubuntu A look into Ubuntu Core 26: Cloud-powered edge computing with AWS IoT Greengrass and Azure IoT Edge | Ubuntu CVE-2026-46333 (ssh-keysign-pwn) Linux kernel vulnerability mitigations | Ubuntu Finding the blind spot: How Canonical hunts logic flaws with AI | Ubuntu Fragnesia Linux kernel local privilege escalation vulnerability mitigations | Ubuntu Rethinking BYOD security: protecting data without trusting devices | Ubuntu Dirty Frag Linux kernel local privilege escalation vulnerability mitigations | Ubuntu Three weeks to go: A sneak peek of the Ubuntu Summit 26.04 experience | Ubuntu How to use Ubuntu on Windows | Ubuntu Fixes available for CVE-2026-31431 (Copy Fail) Linux Kernel Local Privilege Escalation Vulnerability | Ubuntu Run NVIDIA Nemotron 3 Nano Omni locally in a single command | Ubuntu Why Web Engineering is great | Ubuntu Ubuntu 16.04 LTS has reached the end of standard Expanded Security Maintenance with Ubuntu Pro. Here are your options. | Ubuntu Understanding disaggregated GenAI model serving with llm-d | Ubuntu From Jammy to Resolute: how Ubuntu’s toolchains have evolved | Ubuntu Hybrid search and reranking: a deeper look at RAG | Ubuntu Canonical expands Ubuntu support to next-generation MediaTek Genio 520 and 720 platforms | Ubuntu Intentional leadership at Canonical | Ubuntu Ubuntu Pro comes to Nutanix bare-metal Kubernetes | Ubuntu RISC-V 101 – what is it and what does it mean for Canonical? | Ubuntu Ubuntu Summit 26.04 is coming: Save the date and share your story! | Ubuntu How to manage Ubuntu fleets using on-premises Active Directory and ADSys | Ubuntu Simplify bare metal operations for sovereign clouds | Ubuntu How to Harden Ubuntu SSH: From static keys to cloud identity | Ubuntu The “scanner report has to be green” trap | Ubuntu Canonical welcomes NVIDIA’s donation of the GPU DRA driver to CNCF | Ubuntu Hot code burns: the supply chain case for letting your containers cool before you ship | Ubuntu
Modern Linux identity management: from local auth to the cloud with Ubuntu | Ubuntu
Massimiliano Gori (Massimiliano Gori) · 2026-03-27 · via Ubuntu blog

The modern enterprise operates in a hybrid world where on-premises infrastructure coexists with cloud services, and security threats evolve daily. IT administrators are tasked with a difficult balancing act: maintaining traditional local workflows while managing the inevitable shift toward cloud-native architectures. Identity has emerged as the new security perimeter, replacing traditional network-based defenses. 

At Canonical, we have developed a comprehensive framework to make identity management across Ubuntu server and desktop deployments more secure, bridging the gap between Active Directory legacy environments and modern cloud identity providers.

In this blog, we will explore how Canonical’s framework improves the security of  authentication and access management controls by bridging the gap between traditional Active Directory environments and modern cloud identity providers.

The foundation: local authentication and its limits

Traditionally, Linux authentication mechanisms relied on credentials maintained in local /etc/passwd and /etc/shadow files. While functional for small, isolated deployments, this approach becomes unmanageable at an enterprise scale. Manual user provisioning is error-prone and time-consuming. It also creates significant security vulnerabilities, particularly when employee access rights change, or users leave the organization.

To ensure modern enterprise systems are protected, it is essential that organizations move beyond these isolated islands of identity. At a minimum, organizations should have centralized authentication for authoritative sources, ensuring consistency whether users are accessing desktops, SSHing into servers, or executing privileged commands.

Active Directory has long been the primary solution, leading many enterprises to integrate all their endpoints into expanding Forests. However, this approach is becoming less viable due to limitations with Kerberos security, the explosion in the number of connected devices, difficulties implementing Multi-Factor Authentication (MFA), and the inability to operate effectively over the public internet. While we have invested heavily in the ecosystem with ADsys, we started looking at how to bring Linux authentication to the modern era.

The cloud shift: modernizing Linux authentication with authd

For organizations embracing cloud-native identity providers (IdPs) like Microsoft Entra ID (formerly Azure Active Directory) and Google Cloud IAM, Canonical has developed authd. This solution addresses the historical barriers that prevented Linux systems from integrating seamlessly with cloud identities.

Authd operates a modular broker architecture. This design separates the core authentication functionality in the daemon from the provider-specific integration logic, allowing Ubuntu to support multiple identity providers simultaneously. A key innovation here is our implementation of the OAuth 2.0 Device Authorization Grant (RFC 8628). This flow allows users to authenticate on a separate device, such as a smartphone, which is particularly helpful for headless servers, or SSH connections where a web browser is not available.

Through Authd, you enable:

  • Multi-Factor Authentication (MFA): on both desktop and servers, leveraging the IdP’s native capabilities and security policies.
  • Offline access: credential caching allows users to authenticate even when disconnected from the internet, or the identity provider, a requirement for mobile workstations.
  • Identity broker flexibility: admins can install specific brokers (like authd-msentraid or authd-google) as snap packages.
  • Privilege management: centrally grant or revoke sudo privileges based on Identity provider group membership, without manually editing local /etc/sudoers files on individual machines.
  • Centralised auditing and governance: Ubuntu authentication events are logged alongside your SaaS applications.

The enterprise bridge: Ubuntu Pro and Active Directory System Services (ADSys)

For enterprises deeply invested in on-premises infrastructure, we provide Active Directory System Services (ADSys). ADSys fills the void left by traditional System Security Services Daemon (SSSD) implementations by serving as a fully functional Group Policy client for Ubuntu.

Available with an Ubuntu Pro subscription, ADSys allows administrators to manage Ubuntu fleets using the same tools and workflows established for Windows. By installing administrative templates on Domain Controllers, you can enforce policies natively through the Group Policy Management Console.

Key technical benefits of ADSys include:

  • Native Group Policy Object (GPO) support: we map Windows GPOs directly to Ubuntu settings, applying computer policies at boot and user policies at login.
  • Privilege management: administrators can grant or revoke sudo privileges to Active Directory users and groups centrally, without modifying local /etc/sudoers files on individual machines.
  • Automated script execution: we support scheduling scripts to execute at system startup, shutdown, login, or logout, enabling automated remediation of configuration drift.
  • Dconf management: administrators can lock down desktop settings, such as forcing screen lock timeouts or setting specific wallpaper configurations.
  • AppArmor profiles management: we allow the enforcement of custom AppArmor profiles on clients to restrict application capabilities system-wide.
  • Certificate auto-enrollment: the certificate policy manager allows clients to enroll for certificates from Active Directory Certificate Services (AD CS). Certificates are then continuously monitored and refreshed by the certmonger daemon.

Conclusion

Identity management is the foundational security control for modern enterprise Ubuntu deployments. Whether your infrastructure relies on the robust, established hierarchies of Active Directory, or the agile, decentralized nature of the cloud, we provide the tools to improve its security.

In our newly released whitepaper we provide actionable blueprints and technical specifications to architect, define, and enforce robust identity management controls across your entire server and desktop fleet, regardless of operating system.

 We provide a technical examination of modern identity paradigms, including detailed configurations for managing access to cloud and on-premise Linux infrastructure, and practical strategies for seamless and secure integration with legacy AD Domain Services. Furthermore, the paper offers a detailed analysis of the advantages and implementation steps for using SSH certificates for frictionless, auditable SSH authentication, moving beyond simple key management.

Further reading