Managing Authentication in Oracle^® Solaris 11.4

How to Require a UNIX Password and a OTP to Log In to an Oracle Solaris System Over Secure Shell

Before You Begin

You have completed How to Configure OTP.

You must assume the root role to complete the steps in this task. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

1. Ensure that the user has typed and confirmed the secret key in their mobile authenticator app.

   You and the user have finished the following tasks:

   • How to Configure and Confirm the Secret Key for Your OTP

   • How to Set a Secret Key for a OTP User

2. Install the openssh package, set the authentication methods, and enable the openssh service.
   1. Install the openssh package.

      Then set openssh as the Secure Shell provider and verify it.

      # pkg install network/openssh
      # pkg set-mediator -I openssh ssh
      # pkg mediator ssh
      MEDIATOR   VER. SRC.   VERSION   IMPL. SRC.   IMPLEMENTATION
      ssh        system                local        openssh

   2. Set the authentication methods for Secure Shell to password and keyboard-interactive.

      # pfedit /etc/ssh/sshd_config
      ...
      # Prompt user for password and OTP
      AuthenticationMethods password,keyboard-interactive

   3. Enable the Secure Shell service and verify that it is online.

      # svcadm disable ssh; svcadm enable ssh; sleep 10; svcs -x ssh
      svc:/network/ssh:default (SSH server)
       State: online since Wed Jun 14 14:14:14 2017
         See: sshd(8)
         See: /var/svc/log/network-ssh:default.log
      Impact: None.

3. Create the sshd-kbdint PAM policy.

   # pfedit /etc/pam.d/sshd-kbdint
   ## Keyboard-interactive SSH requires OTP
   auth requisite          pam_authtok_get.so.1
   auth binding            pam_unix_auth.so.1 server_policy
   auth required           pam_unix_cred.so.1
   auth required           pam_otp_auth.so.1

4. Instruct the OTP users to test their logins.

   The users should be prompted first for their regular login password, then for the OTP. The following shows sample debug output.

   jdoe~$ ssh -v jdoe@192.0.2.4
   [...]
   debug1: Authentications that can continue: password
   debug1: Next authentication method: password
   jdoe@192.0.2.4's password:  xxxxxxxx
   Authenticated with partial success.
   debug1: Authentications that can continue: keyboard-interactive
   debug1: Next authentication method: keyboard-interactive
   OTP code: 927836
   debug1: Authentication succeeded (keyboard-interactive).
   [...]
   Last login: Wed Jun  14 14:24:24 2017 from 192.0.2.2
   Oracle Corporation      SunOS 5.11      11.3    March 2017
   jdoe@192.0.2.4:~$