
Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.3


Updated: May 2019

How to Configure and Confirm the Secret Key for Your OTP

Before You Begin

You are the owner of a mobile device that connects to the Internet, and your administrator has completed How to Configure OTP.

  1. Download a mobile authenticator app to your device and open the application.

    Search for Authenticator in your app store. See Exploring Oracle Mobile Authenticator and Its Applications for more information.

  2. On the login server, create a secret key.
    $ otpadm set secret
    XXXX nnnn XXXX XXXX nnnn nnnn nnnn XXXX
    Enter current code from authenticator: nnnnnnnn

    The server displays the secret and prompts for a code from the mobile application.

  3. Type the displayed secret into the mobile authenticator.

    For example, on the Oracle Mobile Authenticator screen, press the plus (+) button in the upper right corner of the screen, choose "Enter provided key", pick a name for the account (username@login-server), and type the secret key under "Key".

  4. Generate a code on the mobile application and type it into the otpadm prompt.

    After the otpadm prompt accepts a valid code from the authenticator, OTP is configured and ready to use.

  5. Test the OTP.

    After the administrator completes How to Require a UNIX Password and a OTP to Log In to an Oracle Solaris System, log in to the server. You should be prompted first for your server login, then for the OTP. After you type the OTP, you should be logged in.

Example 12  Users Changing to a Longer OTP and a Stronger Algorithm

The administrator notifies OTP users to change to a SHA2 algorithm and an 8-digit password.

  1. By email, the administrator instructs them to follow the new guidelines.

    Users,
    We are changing the mobile authenticator to use a longer password and
    a stronger algorithm.  Please complete the changeover by Friday.
    On the server, open a terminal window and issue the following commands:
    otpadm set algorithm=hmac-sha256 digits=8 secret
    Respond to the prompts and instructions.
    If you have difficulty, notify the administrator.

  2. In their mobile authenticator app, users select the hmac-sha256 algorithm and set digits to 8.

  3. On the login server, each user runs the commands from the email.

    $ otpadm set algorithm=hmac-sha256 digits=8 secret
    1234 abcd 1234 abcd 1234 1234 1234 abcd
    Enter current code from authenticator: nnnnnnnn

  4. Each user types the secret into their mobile authenticator app.

  5. After the user generates a code on the app and types it at the login server prompt, the app and the server are synchronized and configuration is complete.

Example 13  Setting and Displaying a Hexadecimal Secret Key

A user whose mobile authenticator expects the secret in hexadecimal format creates a secret key that otpadm displays in hexadecimal format.

$ otpadm -f hex set secret
  7DDF B236 7023 82A6 F70F 0001 C8B7 F0BE A76C 3F31

Troubleshooting

If the OTP is rejected, wait for the authenticator to display the next code and try that one.

If the login server does not accept the OTP, verify with the administrator that the clocks on the mobile device and the server are synchronized.

If the times on the login server and the mobile authenticator do not synchronize, you and your administrator could configure a counter-based OTP rather than a time-based OTP. See Example 15, Using a Counter Rather Than a Timer for OTP Authentication.
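The procedure above, Example 12, Example 13 and the Troubleshooting notes all rest on the same mechanism: the authenticator app and the login server derive identical codes from the shared secret (RFC 4226 HOTP for the counter-based variant, RFC 6238 TOTP for the time-based one). The Python below is an added illustration of that computation, not otpadm's or Oracle Mobile Authenticator's own code; it assumes the spaced secret is base32 in the default display (hexadecimal with -f hex), a 30-second time step, and a server that accepts one step of clock drift either side, which is what makes "try the next code" succeed for small drift and fail for large drift.

```python
import base64
import hashlib
import hmac
import struct
import time

# otpadm algorithm names as typed on this page, mapped to hashlib digest names.
ALGORITHMS = {"hmac-sha1": "sha1", "hmac-sha256": "sha256", "hmac-sha512": "sha512"}


def parse_secret(text, fmt="base32"):
    """Turn the spaced secret otpadm prints into raw key bytes.

    fmt="base32" is an assumption for the default display; fmt="hex" matches
    the `otpadm -f hex` output of Example 13. Whitespace between groups is ignored.
    """
    compact = "".join(text.split())
    if fmt == "hex":
        return bytes.fromhex(compact)
    compact = compact.upper()
    return base64.b32decode(compact + "=" * (-len(compact) % 8))


def hotp(key, counter, algorithm="hmac-sha1", digits=6):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = digest[-1] & 0x0F
    number = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def totp(key, at=None, step=30, algorithm="hmac-sha256", digits=8):
    """RFC 6238 TOTP: HOTP whose counter is floor(unix_time / step).

    Defaults reflect Example 12 (algorithm=hmac-sha256 digits=8).
    """
    at = time.time() if at is None else at
    return hotp(key, int(at // step), algorithm, digits)


def verify_totp(key, code, at=None, step=30, algorithm="hmac-sha256", digits=8, skew=1):
    """Server-side check accepting the current step plus `skew` steps either side.

    A phone that drifts into an adjacent step still verifies (the "wait and try
    the next code" case); larger drift falls outside the window, which is why
    clock synchronisation matters. The comparison is constant-time.
    """
    at = time.time() if at is None else at
    current = int(at // step)
    return any(hmac.compare_digest(hotp(key, c, algorithm, digits), code)
               for c in range(current - skew, current + skew + 1))
```

The HOTP function alone is the counter-based variant referred to in Example 15: both sides keep a counter instead of a clock and advance it on each successful login.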