Only one time

Whenever you read something about security, there is a repeated suggestion to use multi-factor authentication, ideally with a one-time password (OTP). I activated this wherever possible. But how do you protect your Solaris systems? If you have access to the SRUs of Solaris 11.3, there is a pretty simple way to use an OTP in addition to your regular password.

First: ensure that the device generating the code and the system on which you want to use the code share a common time base. It’s a time-based mechanism, so both systems must have the same time.

When following this tutorial, please look at the username at the beginning of each line to know whether you have to execute it as root or as a normal user.

First, switch to OpenSSH:

root@nfsclient:~# pkg install network/openssh
root@nfsclient:~# pkg set-mediator -I openssh ssh
root@nfsclient:~# echo "AuthenticationMethods password,keyboard-interactive" >> /etc/ssh/sshd_config
root@nfsclient:~# svcadm disable ssh;svcadm enable ssh; sleep 10; svcs -x ssh
svc:/network/ssh:default (SSH server)
 State: online since Wed May 03 14:17:58 2017
   See: sshd(1M)
   See: /var/svc/log/network-ssh:default.log
Impact: None.


Now you have to install the OTP package. Please note: this is only available in recent SRUs, so with the release version of Solaris 11.3 you can’t configure it this way.

root@nfsclient:~#  pkg install otp
           Packages to install:  1
[...] 
Updating package cache                           1/1 
root@nfsclient:~# 


Okay, now we start to configure the OTP part. As the user you want to log in as, use the following command.

jmoekamp@nfsclient:~$ otpadm set secret
New TOTP secret=MSQF 4RYZ OXCH 4ZUI FNYX CZEN NBNJ 5HEA
Enter current code from authenticator: 


You enter the TOTP secret into your OTP app. I’m using Google Authenticator for this. On the first page, just press the plus sign at the top. You get to the following page.



After you have hit the “tick mark” at the top, you get to the main page. To ensure that you’ve entered the correct secret, otpadm expects one of the OTPs the app is creating before completing.


Enter the number the app is showing you:

jmoekamp@nfsclient:~$ otpadm set secret
New TOTP secret=MSQF 4RYZ OXCH 4ZUI FNYX CZEN NBNJ 5HEA
Enter current code from authenticator: 229629


Okay, now we have to configure PAM to use OTP. Just create a file for this:

root@nfsclient:~# cat <<EOT >> /etc/pam.d/sshd-kbdint
> auth required pam_unix_cred.so.1
> auth required pam_otp_auth.so.1
> EOT


Fetch one of your OTPs to try an ssh connection.

Please be quick, as the codes change over time.

On your desktop, start ssh and use your password and the number you just got from the app.

glamdring:~ jmoekamp$ ssh -v jmoekamp@129.168.1.2
[...]
debug1: Authentications that can continue: password
debug1: Next authentication method: password
jmoekamp@192.168.1.2's password:  supersecret
Authenticated with partial success.
debug1: Authentications that can continue: keyboard-interactive
debug1: Next authentication method: keyboard-interactive
OTP code: 369249
debug1: Authentication succeeded (keyboard-interactive).
[...]
Last login: Wed May  3 14:14:26 2017 from 192.168.1.2
Oracle Corporation      SunOS 5.11      11.3    March 2017
jmoekamp@nfsclient:~$
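
As an added example (not from the original post and not Oracle's otpadm or pam_otp_auth code), here is the TOTP arithmetic behind these steps in Python: it decodes the spaced base32 secret format that otpadm prints, generates the six-digit code the same way the authenticator app does, and verifies a code with a small skew window, which shows why the two clocks must agree.

```python
import base64
import hashlib
import hmac
import struct


def parse_otpadm_secret(secret: str) -> bytes:
    """Decode the 'XXXX XXXX ...' base32 string printed by `otpadm set secret`."""
    compact = secret.replace(" ", "").upper()
    compact += "=" * (-len(compact) % 8)  # restore base32 padding if missing
    return base64.b32decode(compact)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time in 30 s steps."""
    return hotp(key, at_time // step, digits)


def verify_totp(key: bytes, code: str, at_time: int, window: int = 1,
                step: int = 30) -> bool:
    """Accept a code from the current step or up to `window` steps either side.

    `window` bounds the clock drift the server tolerates: with window=1 a
    device that is 30 s off still works, one that is 60 s off does not.
    The comparison is constant-time so response timing does not leak how
    many digits matched.
    """
    counter = at_time // step
    return any(
        hmac.compare_digest(hotp(key, counter + delta, len(code)), code)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    import time
    # Secret as printed by otpadm in the post above (a demo value, not a live one).
    key = parse_otpadm_secret("MSQF 4RYZ OXCH 4ZUI FNYX CZEN NBNJ 5HEA")
    print("current code:", totp(key, int(time.time())))
```

Feed the same secret into the authenticator app and the code printed here matches only while the two clocks are within the window.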


There is an older article, “Requiring both Public Key (or GSSAPI/Kerberos) and OTP for OpenSSH” by Darren Moffat (from which my entry is obviously derived), explaining different combinations of factors.