
Managing Authentication in Oracle® Solaris 11.4


Updated: August 2019

How to Set a Secret Key for an OTP User

Before You Begin

You have completed How to Configure OTP.

You must become an administrator with the OTP Auth Manage All Users rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. (Optional) Determine if the defaults are sufficient for your site policy.
    $ otpadm get
                    mode=timer
               algorithm=hmac-sha1
                  digits=6
                    ...
  2. Create a secret key for the user.
    $ pfexec otpadm -u username -f [base32 | hex] set attributes secret

    For example, use the default OTP attributes:

    $ pfexec otpadm -u jdoe set secret

    For example, require a longer OTP:

    $ pfexec otpadm -u jdoe set digits=8 secret

    For example, set counter mode:

    $ pfexec otpadm -u jdoe set mode=counter secret

    By default, the OTP secret is displayed in Base32 format. Most authenticators accept this format, but some expect hexadecimal format. To change the format for the OTP secret, see Example 6, Setting and Displaying a Hexadecimal Secret Key.

  3. Deliver the secret key to the user.
    • Send the secret to users out of band.
      1. Display the secret.
        $ pfexec otpadm -u username get secret
        CBA6 5JBR M73T XGZK CNAB 36HG QLE5 PFCR
      2. Send it over a secure channel, such as encrypted email.
    • Instruct the user to log in, display the secret key, and type it into their mobile authenticator app.
      username $ otpadm get secret
      CBA6 5JBR M73T XGZK CNAB 36HG QLE5 PFCR
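
The following is an added example and not part of the Oracle documentation. It shows the arithmetic a mobile authenticator applies to the secret that otpadm displays, using this page's defaults (algorithm=hmac-sha1, digits=6; mode=timer corresponds to TOTP, RFC 6238, and mode=counter to HOTP, RFC 4226), together with the check a validator performs. The function names are assumptions, and the sample key is the RFC 4226 test key, not a real Solaris secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# Algorithms as named by otpadm; hmac-sha1 is the page's default.
ALGORITHMS = {"hmac-sha1": hashlib.sha1,
              "hmac-sha256": hashlib.sha256,
              "hmac-sha512": hashlib.sha512}


def decode_secret(secret, fmt="base32"):
    """Turn the secret as otpadm prints it (-f base32 or -f hex) into raw key bytes.
    Base32 output is grouped with spaces (e.g. 'CBA6 5JBR ...'), so strip those first."""
    cleaned = secret.replace(" ", "").upper()
    if fmt == "base32":
        return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    if fmt == "hex":
        return bytes.fromhex(cleaned)
    raise ValueError("unknown secret format: " + fmt)


def hotp(key, counter, digits=6, algorithm="hmac-sha1"):
    """mode=counter (RFC 4226): HMAC over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, digits=6, algorithm="hmac-sha1", step=30, at=None):
    """mode=timer (RFC 6238): HOTP whose counter is Unix time divided by the step."""
    now = int(time.time()) if at is None else int(at)
    return hotp(key, now // step, digits, algorithm)


def verify_totp(key, supplied, at, window=1, step=30, digits=6, algorithm="hmac-sha1"):
    """Validator side: accept the code for the current step or up to `window` steps
    either side (clock skew), comparing in constant time and without early exit.
    A production validator must additionally reject a step that was already used."""
    accepted = False
    for delta in range(-window, window + 1):
        candidate = totp(key, digits, algorithm, step, at + delta * step)
        accepted |= hmac.compare_digest(candidate, supplied)
    return accepted
```

The constructed sample key used in the checks below is the 20-byte RFC 4226 test key "12345678901234567890", shown in both of the formats otpadm can emit.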
Example 7  Setting and Getting a Secret Key From a File

In this example, the administrator generates a generic key and places it in a protected location. After protecting the file, the administrator assigns the secret to the user from the file, then notifies the user of the file location.

  1. Generate the key.

    $ pktool genkey keystore=file outkey=/homedir/jdoe/secret keylen=160 keytype=generic print=y
            Key Value ="a231400f466039818507238e1b549740726aa61a"

    The print=y option displays the key in hexadecimal format, but the number in the secret file is not in hexadecimal form. The otpadm set secret command uses this input to create a secret key for the user.

  2. Assign the secret file to the user.

    $ otpadm -u jdoe set secret=/homedir/jdoe/secret
  3. (Optional) Display the user's secret key.

    $ otpadm -u jdoe get secret=/homedir/jdoe/secret
    EB8D D111 D555 ...