立即与支持人员聊天
与支持团队交流

One Identity Safeguard for Privileged Sessions 6.0.3 - DEPRECATED YubiKey Multi-Factor Authentication - Tutorial

[question_1]

Type: integer [seconds]

Description: Used for communication between plugins. This is an interactive request/response right after authentication in order to supply data to credential store plugins. The question is transferred to the session cookie and all hooks of all plugins receive it.

For example, if you have an external authenticator app, you do not have to wait for the question to be prompted but can authenticate with a one-time password:

ssh otp=123456@root@scb

Name subsequent questions with the appropriate number, for example, [question_1], [question_2], and so on.

For details, see "Performing authentication with AA plugin in terminal connections" in the Administration Guide and "Performing authentication with AA plugin in Remote Desktop connections" in the Administration Guide.

key
Type: string
Required: yes
Default: N/A

Description: The name of the name-value pair.

prompt
Type: string
Required: yes
Default: N/A

Description: The question itself in text format.

disable_echo
Type: boolean yes|no
Required: no
Default: no

Description: Whether the answer to the question is visible (yes), or replaced with asterisks (no).

Store sensitive plugin data securely

By default, the configuration of the plugin is stored on SPS in the configuration of SPS. Make sure that you store the sensitive parameters (for example, api_key) of the plugin in an encrypted way.

To store sensitive plugin data securely

  1. Log in to SPS and create a local Credential Store. For details, see "Configuring local Credential Stores" in the Administration Guide.

    Instead of usernames and passwords, you will store the configuration parameters of the plugin in this Credential Store.

  2. Add the plugin parameters you want to store in an encrypted way to the Credential Store. You can store any configuration parameter of the plugin in the Credential Store, but note that if an option appears in the Credential Store, the plugin will use it. If the same parameter appears in the configuration of the plugin, it will be ignored.

    • Enter the name of the configuration section without the brackets in the HOST field (for example, yubikey).

    • Enter the name of the plugin parameter in the USERNAME field (for example, api_key).

    • Enter the value of the plugin parameter in the PASSWORD field.

  3. Commit your changes, and navigate to the configuration of the plugin on the Policies > AA Plugin Configurations page.

  4. In the plugin configuration file, enter the name of the local Credential Store under the [plugin] section, in the cred_store parameter.

Perform multi-factor authentication with the SPS YubiKey plugin in terminal connections

The following describes how to establish a terminal connection (SSH, TELNET, or TN3270) to a server.

To establish a terminal connection (SSH, TELNET, or TN3270) to a server

  1. Connect to the server.

    • If you can authenticate using an OTP or token, encode the OTP as part of the username. You can use the @ as a field separator. For example:

      ssh otp=YOUR-ONE-TIME-PASSWORD@user@server

      Replace YOUR-ONE-TIME-PASSWORD with your actual OTP. If needed, you can specify the type of OTP as a prefix to the OTP. For example, to specify the OTP of a YubiKey token:

      ssh otp=y_YOUR-ONE-TIME-PASSWORD@user@server
      • Google Authenticator: g

      • inWebo Authenticator: o

      • Symantec token: s

      • YubiKey: y

      • RSA token: r

    • If you need to authenticate using the YubiKey Verify push notification, approve the connection in your mobile app.

  2. If SPS prompts you for further information, enter the requested information. If you need to authenticate with an OTP, but you have not supplied the OTP in your username, you will be prompted to enter the OTP.

  3. Authenticate on the server.

  4. If authentication is successful, you can access the server.

Perform multi-factor authentication with the SPS YubiKey plugin in Remote Desktop connections

The following describes how to establish a Remote Desktop (RDP) connection to a server when the AA plugin is configured.

To establish an RDP connection to a server when the AA plugin is configured

  1. Open your Remote Desktop client application.

  2. If you have to provide additional information to authenticate on the server, you must enter this information in your Remote Desktop client application in the User name field, before the regular content (for example, your username) of the field.

    If you can authenticate using an OTP or token, encode the OTP as part of the username. To encode additional data, you can use the following special characters:

    • % as a field separator

    • ~ as the equal sign

    • ^ as a colon (for example, to specify the port number or an IPv6 IP address)

    For example, use the following format:

    domain\otp~YOUR-ONE-TIME-PASSWORD%Administrator

    Replace YOUR-ONE-TIME-PASSWORD with your actual OTP. If needed, you can specify the type of OTP as a prefix to the OTP. For example, to specify the OTP of a YubiKey token: domain\otp~y_YOUR-ONE-TIME-PASSWORD%Administrator

    • Google Authenticator: g

    • inWebo Authenticator: o

    • Symantec token: s

    • YubiKey: y

    • RSA token: r

  3. Connect to the server.

    If you need to authenticate using the YubiKey Authenticator push notification, approve the connection in your mobile app.

  4. Authenticate on the server.

  5. If authentication is successful, you can access the server.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级