Managing Authentication in Oracle® Solaris 11.4

Updated: August 2019
 
 

How to Require a UNIX Password and an OTP to Log In to an Oracle Solaris System Over Secure Shell

Before You Begin

You have completed How to Configure OTP.

You must assume the root role to complete the steps in this task. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Ensure that the user has typed and confirmed the secret key in their mobile authenticator app.
  2. Install the openssh package, set the authentication methods, and enable the openssh service.
    1. Install the openssh package.

      Then set openssh as the Secure Shell provider and verify it.

      # pkg install network/openssh
      # pkg set-mediator -I openssh ssh
      # pkg mediator ssh
      MEDIATOR   VER. SRC.   VERSION   IMPL. SRC.   IMPLEMENTATION
      ssh        system                local        openssh
    2. Set the authentication methods for Secure Shell to password and keyboard-interactive.
      # pfedit /etc/ssh/sshd_config
      ...
      # Prompt user for password and OTP
      AuthenticationMethods password,keyboard-interactive
    3. Enable the Secure Shell service and verify that it is online.
      # svcadm disable ssh; svcadm enable ssh; sleep 10; svcs -x ssh
      svc:/network/ssh:default (SSH server)
       State: online since Wed Jun 14 14:14:14 2017
         See: sshd(8)
         See: /var/svc/log/network-ssh:default.log
      Impact: None.
  3. Create the sshd-kbdint PAM policy.
    # pfedit /etc/pam.d/sshd-kbdint
    ## Keyboard-interactive SSH requires OTP
    auth requisite          pam_authtok_get.so.1
    auth binding            pam_unix_auth.so.1 server_policy
    auth required           pam_unix_cred.so.1
    auth required           pam_otp_auth.so.1
  4. Instruct the OTP users to test their logins.

    The users should be prompted first for their regular login password, then for the OTP. The following shows sample debug output.

    jdoe~$ ssh -v jdoe@192.0.2.4
    [...]
    debug1: Authentications that can continue: password
    debug1: Next authentication method: password
    jdoe@192.0.2.4's password:  xxxxxxxx
    Authenticated with partial success.
    debug1: Authentications that can continue: keyboard-interactive
    debug1: Next authentication method: keyboard-interactive
    OTP code: 927836
    debug1: Authentication succeeded (keyboard-interactive).
    [...]
    Last login: Wed Jun  14 14:24:24 2017 from 192.0.2.2
    Oracle Corporation      SunOS 5.11      11.3    March 2017
    jdoe@192.0.2.4:~$
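
A check an administrator could run on the two files edited in steps 2 and 3 before asking users to test their logins. This is an added example, not part of the Oracle documentation; the function names and the sample files are constructed for illustration. In sshd_config the comma in `password,keyboard-interactive` means both methods must succeed, while lists separated by spaces are alternatives, so the check rejects a file in which the comma was typed as a space.

```shell
# Added example, not Oracle's code. Function names are assumptions.

# Pass only if every AuthenticationMethods list in the file ($1) requires
# both password and keyboard-interactive. Space-separated lists are
# alternatives, so one weaker list would let a login skip the OTP.
check_sshd_methods() {
    awk '
        tolower($1) == "authenticationmethods" {
            seen = 1
            for (i = 2; i <= NF; i++) {
                n = split($i, m, ","); pw = 0; kbd = 0
                for (j = 1; j <= n; j++) {
                    if (m[j] == "password") pw = 1
                    if (m[j] ~ /^keyboard-interactive(:.*)?$/) kbd = 1
                }
                if (!pw || !kbd) bad = 1
            }
        }
        END { if (seen && !bad) exit 0; exit 1 }
    ' "$1"
}

# Pass only if the PAM file ($1) has an uncommented auth line for
# pam_otp_auth.so.1 with a control flag of required or requisite.
check_pam_otp() {
    awk '
        $1 == "auth" && $3 == "pam_otp_auth.so.1" &&
            ($2 == "required" || $2 == "requisite") { ok = 1 }
        END { if (ok) exit 0; exit 1 }
    ' "$1"
}

# Constructed sample files (not taken from a real system).
make_samples() {
    printf '%s\n' '# Prompt user for password and OTP' \
        'AuthenticationMethods password,keyboard-interactive' > "$1/good_sshd"
    printf '%s\n' 'AuthenticationMethods password keyboard-interactive' > "$1/weak_sshd"
    printf '%s\n' 'auth requisite pam_authtok_get.so.1' \
        'auth required pam_otp_auth.so.1' > "$1/good_pam"
    printf '%s\n' 'auth requisite pam_authtok_get.so.1' \
        '#auth required pam_otp_auth.so.1' > "$1/no_otp_pam"
}

tmp=$(mktemp -d) && make_samples "$tmp"
check_sshd_methods "$tmp/good_sshd" && echo "good_sshd: OK"
check_sshd_methods "$tmp/weak_sshd" || echo "weak_sshd: password alone is accepted"
check_pam_otp "$tmp/good_pam" && echo "good_pam: OK"
check_pam_otp "$tmp/no_otp_pam" || echo "no_otp_pam: OTP module missing"
rm -rf "$tmp"
```

On a real system, point the two functions at /etc/ssh/sshd_config and /etc/pam.d/sshd-kbdint instead of the sample files.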