Before You Begin
You have completed How to Configure OTP.
You must assume the root role to complete the steps in this task. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.
You and the user have finished the following tasks:
Then set openssh as the Secure Shell provider and verify it.
# pkg install network/openssh
# pkg set-mediator -I openssh ssh
# pkg mediator ssh
MEDIATOR     VER. SRC. VERSION IMPL. SRC. IMPLEMENTATION
ssh          system            local      openssh

# pfedit /etc/ssh/sshd_config
...
# Prompt user for password and OTP
AuthenticationMethods password,keyboard-interactive

# svcadm disable ssh; svcadm enable ssh; sleep 10; svcs -x ssh
svc:/network/ssh:default (SSH server)
 State: online since Wed Jun 14 14:14:14 2017
   See: sshd(8)
   See: /var/svc/log/network-ssh:default.log
Impact: None.

# pfedit /etc/pam.d/sshd-kbdint
## Keyboard-interactive SSH requires OTP
auth requisite pam_authtok_get.so.1
auth binding pam_unix_auth.so.1 server_policy
auth required pam_unix_cred.so.1
auth required pam_otp_auth.so.1
The users should be prompted first for their regular login password, then for the OTP. The following shows sample debug output.
jdoe~$ ssh -v firstname.lastname@example.org
[...]
debug1: Authentications that can continue: password
debug1: Next authentication method: password
email@example.com's password: xxxxxxxx
Authenticated with partial success.
debug1: Authentications that can continue: keyboard-interactive
debug1: Next authentication method: keyboard-interactive
OTP code: 927836
debug1: Authentication succeeded (keyboard-interactive).
[...]
Last login: Wed Jun 14 14:24:24 2017 from 192.0.2.2
Oracle Corporation SunOS 5.11 11.3 March 2017
firstname.lastname@example.org:~$
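The following script is an added example, not part of the Oracle procedure: it audits copies of the two files edited above and reports whether every permitted login path still demands both the password and the OTP. The function names and the sample file contents are constructed for illustration; only the global section of sshd_config is examined, and Match blocks are not.

```shell
# Added example: audit the sshd and PAM settings from this procedure.
# Succeeds only if the first global AuthenticationMethods line (sshd uses the
# first value it reads) names both methods in every space-separated list.
check_auth_methods() {
    awk '
        { kw = tolower($1) }
        kw == "match" { exit }            # Match blocks are not audited here
        kw == "authenticationmethods" {
            found = 1
            for (i = 2; i <= NF; i++) {
                pw = 0; kbd = 0
                n = split($i, m, ",")
                for (j = 1; j <= n; j++) {
                    sub(/:.*/, "", m[j])  # drop a sub-method such as ":pam"
                    if (m[j] == "password") pw = 1
                    if (m[j] == "keyboard-interactive") kbd = 1
                }
                if (!pw || !kbd) bad = 1  # this list alone would be accepted
            }
            exit
        }
        END { if (found && !bad) exit 0; exit 1 }
    ' "$1"
}

# Succeeds if an uncommented auth line makes pam_otp_auth.so.1 mandatory.
check_pam_otp() {
    awk '
        $1 == "auth" && $3 ~ /(^|\/)pam_otp_auth\.so\.1$/ &&
            ($2 == "required" || $2 == "requisite") { ok = 1 }
        END { exit !ok }
    ' "$1"
}

# Constructed sample input: the setting from this page, and a variant whose
# second list would accept a public key alone, with no password or OTP.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '# Prompt user for password and OTP' \
    'AuthenticationMethods password,keyboard-interactive' > "$tmp/good"
printf '%s\n' 'AuthenticationMethods password,keyboard-interactive publickey' > "$tmp/weak"
printf '%s\n' 'auth requisite pam_authtok_get.so.1' \
    'auth binding pam_unix_auth.so.1 server_policy' \
    'auth required pam_unix_cred.so.1' 'auth required pam_otp_auth.so.1' > "$tmp/pam"
for f in good weak; do
    if check_auth_methods "$tmp/$f"; then echo "$f: password and OTP enforced"
    else echo "$f: a login path avoids password or OTP"; fi
done
check_pam_otp "$tmp/pam" && echo "pam: OTP module required"
```

On the configured system, run the two functions against /etc/ssh/sshd_config and /etc/pam.d/sshd-kbdint after each edit and before restarting the ssh service.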