Go to main content

Managing Authentication in Oracle® Solaris 11.4

Exit Print View

Updated: November 2020

About OTP in Oracle Solaris

OTP provides a second proof of identity when logging in to Oracle Solaris. The use of a second proof of identity is called two-factor authentication (2FA). The system first prompts you for your UNIX password, then for the OTP from your mobile authenticator app. After you the system verifies these two authentications, it logs you in. For more information, see About Two-Factor Authentication.

OTP in Oracle Solaris conforms to the specifications for HMAC-based and time-based OTPs in HOTP: An HMAC-Based One-Time Password Algorithm, RFC 4226 and TOTP: Time-Based One-Time Password Algorithm, RFC 6238, so should be able to work with any authenticator that conforms to these specifications.

    Oracle Solaris delivers OTP in the system/security/otp IPS package. The solaris-small-server, solaris-large-server, and solaris-desktop groups deliver this package, which contains the following items:

  • OTP PAM module – pam_otp_auth implements OTP. When pam_otp_auth is a module in a login PAM stack, users must provide an OTP. For more information, see the pam_otp_auth(7) man page.

  • OTP PAM policy configuration files – otp and otp_strict are two per-user PAM configuration files that the OTP package provides.

  • OTP administrative command – otpadm is the command you use to configure OTP authentication for users. Users can manage their own keys with this command. For more information, see the otpadm(8) man page.

  • OTP rights profile – OTP Auth Manage All Users rights profile enables administrators to administer OTP through the otpadm command.

To assign OTP to individual users, administrators use the –K pam_policy=otp option to the useradd or usermod command. For the procedures, see Configuring and Using OTP in Oracle Solaris.