Modern Linux identity management: from local auth to the cloud with Ubuntu
Massimiliano Gori
on 27 March 2026
Tags: Active Directory , Authd , Authentication , Identity Management , Ubuntu , Ubuntu Desktop , Ubuntu Pro , Ubuntu Server

The modern enterprise operates in a hybrid world where on-premises infrastructure coexists with cloud services, and security threats evolve daily. IT administrators are tasked with a difficult balancing act: maintaining traditional local workflows while managing the inevitable shift toward cloud-native architectures. Identity has emerged as the new security perimeter, replacing traditional network-based defenses.
At Canonical, we have developed a comprehensive framework to make identity management across Ubuntu server and desktop deployments more secure, bridging the gap between Active Directory legacy environments and modern cloud identity providers.
In this post we explore how that framework improves the security of authentication and access management controls in both kinds of environment.
The foundation: local authentication and its limits
Traditionally, Linux authentication relied on credentials maintained in the local /etc/passwd and /etc/shadow files. While functional for small, isolated deployments, this approach becomes unmanageable at enterprise scale. Manual user provisioning is error-prone and time-consuming. It also creates significant security gaps, particularly when an employee's access rights change or a user leaves the organization, because accounts on individual machines are not updated.
To protect modern enterprise systems, organizations must move beyond these isolated islands of identity. At a minimum, they should centralize authentication against an authoritative source, ensuring consistency whether users are logging into desktops, SSHing into servers, or executing privileged commands.
Active Directory has long been the primary solution, leading many enterprises to integrate all their endpoints into ever-expanding Forests. However, this approach is becoming less viable: Kerberos has security limitations, the number of connected devices has exploded, Multi-Factor Authentication (MFA) is difficult to implement, and it cannot operate effectively over the public internet. While we have invested heavily in the Active Directory ecosystem with ADSys, we also started looking at how to bring Linux authentication into the modern era.
The cloud shift: modernizing Linux authentication with authd
For organizations embracing cloud-native identity providers (IdPs) like Microsoft Entra ID (formerly Azure Active Directory) and Google Cloud IAM, Canonical has developed authd. This solution addresses the historical barriers that prevented Linux systems from integrating seamlessly with cloud identities.
Authd uses a modular broker architecture. This design separates the core authentication functionality in the daemon from the provider-specific integration logic, allowing Ubuntu to support multiple identity providers simultaneously. A key innovation here is our implementation of the OAuth 2.0 Device Authorization Grant (RFC 8628). This flow allows users to authenticate on a separate device, such as a smartphone, which is particularly helpful on headless servers and over SSH connections, where no web browser is available.
With authd, you can enable:
- Multi-Factor Authentication (MFA): on both desktop and servers, leveraging the IdP’s native capabilities and security policies.
- Offline access: credential caching allows users to authenticate even when disconnected from the internet or the identity provider, a requirement for mobile workstations.
- Identity broker flexibility: admins can install specific brokers (like authd-msentraid or authd-google) as snap packages.
- Privilege management: centrally grant or revoke sudo privileges based on identity provider group membership, without manually editing local /etc/sudoers files on individual machines.
- Centralised auditing and governance: Ubuntu authentication events are logged alongside those of your SaaS applications.
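To make the Device Authorization Grant concrete, here is the client side of the RFC 8628 flow as an added example; it is not authd's code. The prompt shown in the SSH session and the polling loop, including the `authorization_pending`, `slow_down`, `expired_token` and `access_denied` responses from section 3.5 of the RFC, are real protocol behaviour; `FakeTokenEndpoint`, `render_prompt` and `poll_for_token` are hypothetical names, and the token endpoint is a constructed stand-in so the loop runs offline.

```python
import time


class FakeTokenEndpoint:
    """Constructed stand-in for an IdP token endpoint; replays `responses` in order."""
    def __init__(self, responses):
        self.responses = list(responses)
        self.calls = 0

    def post(self, device_code):
        self.calls += 1
        return self.responses.pop(0)


def render_prompt(device_auth):
    """Text shown in the headless/SSH session (RFC 8628 section 3.3)."""
    return (f"Open {device_auth['verification_uri']} on another device "
            f"and enter the code {device_auth['user_code']}")


def poll_for_token(endpoint, device_code, interval, expires_in, sleep=time.sleep):
    """Poll the token endpoint until the user approves on their second device.

    Returns the access token; raises PermissionError if the user declines and
    TimeoutError once expires_in seconds have elapsed or the IdP reports the
    device_code expired. 'slow_down' adds 5 s to the interval (section 3.5).
    """
    elapsed = 0
    while elapsed < expires_in:
        sleep(interval)            # never poll faster than the IdP allows
        elapsed += interval
        body = endpoint.post(device_code)
        if "access_token" in body:
            return body["access_token"]
        err = body.get("error")
        if err == "authorization_pending":
            continue               # user has not finished yet; keep waiting
        if err == "slow_down":
            interval += 5          # RFC 8628 section 3.5: increase interval by 5 s
            continue
        if err == "expired_token":
            raise TimeoutError("device_code expired; start a new request")
        if err == "access_denied":
            raise PermissionError("user declined the authorization request")
        raise RuntimeError(f"unexpected token endpoint response: {body}")
    raise TimeoutError("device_code expired before the user approved")
```

The injected `sleep` lets the loop be exercised deterministically; in a real client the device_code, verification_uri and user_code come from the IdP's device authorization endpoint.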
The enterprise bridge: Ubuntu Pro and Active Directory System Services (ADSys)
For enterprises deeply invested in on-premises infrastructure, we provide Active Directory System Services (ADSys). ADSys fills the void left by traditional System Security Services Daemon (SSSD) implementations by serving as a fully functional Group Policy client for Ubuntu.
Available with an Ubuntu Pro subscription, ADSys allows administrators to manage Ubuntu fleets using the same tools and workflows established for Windows. By installing administrative templates on Domain Controllers, you can enforce policies natively through the Group Policy Management Console.
Key technical benefits of ADSys include:
- Native Group Policy Object (GPO) support: we map Windows GPOs directly to Ubuntu settings, applying computer policies at boot and user policies at login.
- Privilege management: administrators can grant or revoke sudo privileges to Active Directory users and groups centrally, without modifying local /etc/sudoers files on individual machines.
- Automated script execution: we support scheduling scripts to execute at system startup, shutdown, login, or logout, enabling automated remediation of configuration drift.
- Dconf management: administrators can lock down desktop settings, such as forcing screen lock timeouts or setting specific wallpaper configurations.
- AppArmor profiles management: we allow the enforcement of custom AppArmor profiles on clients to restrict application capabilities system-wide.
- Certificate auto-enrollment: the certificate policy manager allows clients to enroll for certificates from Active Directory Certificate Services (AD CS). Certificates are then continuously monitored and refreshed by the certmonger daemon.
Conclusion
Identity management is the foundational security control for modern enterprise Ubuntu deployments. Whether your infrastructure relies on the robust, established hierarchies of Active Directory, or the agile, decentralized nature of the cloud, we provide the tools to improve its security.
In our newly released whitepaper we provide actionable blueprints and technical specifications to architect, define, and enforce robust identity management controls across your entire server and desktop fleet, regardless of operating system.
We provide a technical examination of modern identity paradigms, including detailed configurations for managing access to cloud and on-premises Linux infrastructure, and practical strategies for seamless and secure integration with legacy AD Domain Services. Furthermore, the paper offers a detailed analysis of the advantages and implementation steps for using SSH certificates for frictionless, auditable SSH authentication, moving beyond simple key management.