Only one time
Whenever you read something about security, there is a repeated suggestion that you use multi-factor authentication at best with a one time password (OTP) . I activated this wherever possible. But how to protect your Solaris systems. In case you have access to the SRUs of Solaris 11.3 there is a pretty simple way to use OTP in addition to you regular password.
At first: Ensure that the device that is generating the code and the system on which you want to use the code have a common time base. It’s a time based mechanism and so both systems should have the same time.
When following this tutorial please look at the username at the beginning of the lines in order to know if you have to execute this as root or as a normal user.
At first switch to OpenSSH:
Now you have to install the OTP package. Please note: This is only available in recent SRU. So with the release version of solaris 11.3 you can’t configure it this way.
Okay, now we start to configure the OTP part. As the user you want to login, use the following command.
You enter the TOTP secret into your OTP program. I’m using the Google Authenticator for this. On the first page just press on the plus sign at the top. You get to the following page.
After you have hit the “tick mark” at the top, you get to the main page. In order to ensure that you’ve entered the correct secret, it expect one of the OTPs the tool is creating before completing
Enter the number that the app is showing to you:
Okay, now we have to configure PAM to use OTP. Just create a file for this:
There is an older article “Requiring both Public Key (or GSSAPI/Kerberos) and OTP for OpenSSH” from Darren Moffat (from which my entry is obviously derived) explaining different combinations of factors.