
Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.3


Updated: May 2019

How to Require a UNIX Password and an OTP to Log In to an Oracle Solaris System

Before You Begin

You have completed How to Configure OTP.

You must become an administrator with the following rights profiles to complete the steps in this task:

  • User Management rights profile – For assigning PAM policy to users

  • OTP Auth Manage All Users rights profile – For managing OTP

The root role has all of these rights. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. Ensure that the user has typed and confirmed the secret key in their mobile authenticator app.

    At this point you have finished How to Configure OTP and the user has set up the authenticator with the secret that you sent out of band.

  2. As an administrator with the User Management rights profile, change the user's PAM policy to otp.
    $ pfexec usermod -K pam_policy=otp username
  3. Instruct the OTP users to test their logins.

    The users should be prompted first for their regular login password, then for the OTP. Both must be correct for the login to succeed.

  4. (Optional) To disable OTP for a user, perform two steps:
    1. As an administrator with the User Management rights profile, remove otp as the user's PAM policy.
      $ pfexec usermod -K pam_policy= username
    2. As an administrator with the OTP Auth Manage All Users rights profile, remove the inactive OTP configuration files from the user's home directory.
      $ pfexec otpadm -u username expunge
Example 14  Enforcing the Change to a Longer OTP and a Stronger Algorithm

The authenticator app in use at a company can handle a stronger hash algorithm and a longer code. To implement a stronger security policy, the administrator notifies OTP users to change to a SHA-2 algorithm (HMAC-SHA256) and an 8-digit OTP. Then, the administrator audits their change. The email and user responsibilities are shown in Example 12, Users Changing to a Longer OTP and a Stronger Algorithm.

  1. After allowing time for the users to change their OTP attributes, the administrator audits every OTP user. A compliant user shows the following output:

    $ pfexec otpadm -u username get algorithm digits
        digits=8
        algorithm=hmac-sha256
  2. If a user's configuration is different from the preceding output, the administrator sends a warning email that specifies the date that the user will be locked out.

  3. On the specified date, the administrator locks out OTP users who have not changed to the new OTP configuration by setting an account expiration date. After that date the account cannot be used to log in until the administrator clears the expiration.

    $ pfexec usermod -e date username
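The audit in step 1 has to be repeated for every OTP user, and the decision in step 2 is a comparison of each user's attributes against the required policy. The following Python script is an added example (not Oracle's code or part of the original page) that automates that audit: it runs the same `pfexec otpadm -u username get algorithm digits` command as above for each user, parses the key=value lines it prints, and reports the users whose configuration differs from the policy. It assumes that otpadm prints one `key=value` pair per line, as shown in the example output; the command runner is injectable so the parsing and policy check can be exercised with constructed output on a machine without otpadm.

```python
import subprocess
import sys

# Policy being enforced in Example 14: 8-digit codes with HMAC-SHA256.
REQUIRED = {"digits": "8", "algorithm": "hmac-sha256"}


def parse_otpadm_get(output: str) -> dict:
    """Parse the key=value lines printed by 'otpadm -u user get ...' into a dict.
    Leading whitespace (otpadm right-aligns the keys) and blank lines are ignored."""
    attrs = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        attrs[key.strip()] = value.strip()
    return attrs


def noncompliant(attrs: dict, required: dict = REQUIRED) -> dict:
    """Return {attribute: current value} for every attribute that differs from the policy.
    An empty dict means the user is compliant; a missing attribute is reported as None."""
    return {key: attrs.get(key) for key, wanted in required.items() if attrs.get(key) != wanted}


def query_user(username: str) -> str:
    """Run the audit command from the procedure for a real user.
    Requires Oracle Solaris with the OTP Auth Manage All Users rights profile."""
    result = subprocess.run(
        ["pfexec", "otpadm", "-u", username, "get", "algorithm", "digits"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def audit(usernames, query=query_user, required: dict = REQUIRED) -> dict:
    """Return {username: mismatches} for users who have not adopted the required policy.
    `query` is the function that produces otpadm's output for a user (replaceable for testing)."""
    report = {}
    for user in usernames:
        mismatches = noncompliant(parse_otpadm_get(query(user)), required)
        if mismatches:
            report[user] = mismatches
    return report


if __name__ == "__main__":
    # Usage on the login server: python3 otp_audit.py alice bob carol
    for user, mismatches in audit(sys.argv[1:]).items():
        detail = ", ".join(f"{key}={value}" for key, value in mismatches.items())
        print(f"{user}: not compliant ({detail})")
```

The users the script prints are the ones who should receive the warning email in step 2; the lock-out in step 3 is deliberately left as a manual `usermod -e` so that an expired account is always the result of an administrator's decision, not of a parsing mistake.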
Example 15  Using a Counter Rather Than a Timer for OTP Authentication

In this example, the user is using a mobile authenticator that supports counter mode. The administrator sets the OTP mode to counter when the mobile authenticator cannot keep its clock synchronized with the login server: in counter mode each code is derived from an event counter rather than from the time, so clock skew no longer matters. To prevent the use of any codes derived from the old secret, the administrator generates a new secret at the same time.

$ otpadm -u username set mode=counter secret
$ otpadm -u username get secret
VOCJ YHTV 2C4O DTDN R34X CGM4 YZVM JJFI

The administrator sends the secret to the user out of band. Before typing in the secret, the user sets the mobile authenticator app to use counter mode, so that the app and the server start counting from the same initial value.

Troubleshooting

If the login server rejects the user's OTP, the user should wait for the authenticator to display the next code and try that one. A time-based code is valid only for a short time step, so a code can expire while the user is typing it.

If the login server still does not accept the OTP in timer mode, make sure that the clocks on the mobile device and the server are synchronized, for example by using NTP on the server and automatic time on the device. Counter mode does not depend on the clock, so clock skew is not a cause of failures in that mode.
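To make the difference between timer mode (Example 15 and the troubleshooting notes above) and counter mode concrete, the following Python code is an added example, not Oracle's implementation of pam_otp or otpadm: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the algorithm and digit settings that appear on this page, decodes the base32 secret shown in Example 15 as sample input, and shows the two server-side checks that explain the troubleshooting advice. The timer-mode check accepts a small window of time steps around the current one (which is why the next code often works after a rejection, and why a larger clock skew does not), while the counter-mode check never looks at the clock but must persist the counter, advance it past every accepted code to block replay, and look ahead to resynchronize with an app that has generated unused codes. The window and look-ahead sizes are assumptions for illustration, not the values Oracle Solaris uses.

```python
import base64
import hashlib
import hmac
import struct
import time

# Secret as printed by 'otpadm -u username get secret' in Example 15 above
# (base32, shown in groups of four characters). Used here only as sample input.
SECRET_B32 = "VOCJ YHTV 2C4O DTDN R34X CGM4 YZVM JJFI"

DIGESTS = {
    "hmac-sha1": hashlib.sha1,
    "hmac-sha256": hashlib.sha256,
    "hmac-sha512": hashlib.sha512,
}


def decode_secret(text: str) -> bytes:
    """Turn the space-separated base32 string into the raw HMAC key."""
    compact = text.replace(" ", "").upper()
    compact += "=" * (-len(compact) % 8)  # restore base32 padding if it was stripped
    return base64.b32decode(compact)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "hmac-sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), DIGESTS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, algorithm: str = "hmac-sha1",
         step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (30-second steps)."""
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_totp(secret: bytes, candidate: str, unix_time: int, digits: int, algorithm: str,
                step: int = 30, window: int = 1) -> bool:
    """Timer-mode check. Accepts the current step plus `window` steps on either side
    (window=1 is an assumed value). A code that is one step old is still accepted; a code
    from a device whose clock is further off is rejected no matter how often it is retried."""
    current = unix_time // step
    for c in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits, algorithm), candidate):
            return True
    return False


class HotpVerifier:
    """Counter-mode check. No clock is involved; instead the server persists the next
    expected counter, advances it past every accepted code so a code cannot be replayed,
    and looks ahead a bounded number of counters (look_ahead is an assumed value) to
    resynchronize when the app has generated codes that were never submitted."""

    def __init__(self, secret: bytes, digits: int, algorithm: str, look_ahead: int = 10):
        self.secret, self.digits, self.algorithm = secret, digits, algorithm
        self.counter = 0  # both sides start at the same initial counter after a new secret
        self.look_ahead = look_ahead

    def verify(self, candidate: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c, self.digits, self.algorithm), candidate):
                self.counter = c + 1  # resynchronize and forbid reuse of this and earlier codes
                return True
        return False


if __name__ == "__main__":
    key = decode_secret(SECRET_B32)
    now = int(time.time())
    print("timer mode, 8 digits, hmac-sha256:", totp(key, now, 8, "hmac-sha256"))
    print("counter mode, first three codes:", [hotp(key, c, 8, "hmac-sha256") for c in range(3)])
```

Run against the real secret the output will match what the user's authenticator shows for the same mode, algorithm and digit count, which is a convenient way to confirm that a failing login is a clock problem (timer mode) or a counter that has drifted beyond the look-ahead (counter mode) rather than a mistyped secret.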