<style type="text/css">
p {
margin-right:10em;
}
pre {
margin-left: 2em;
margin-right: 30em;
background-color: #ddd; padding: 10px;
color: green;
}
</style>
<h2>Using Skey One-Time Pass-phrases for Logging in at Insecure Terminals</h2>
<hr>
<p><font color="brown">Note: skey(1) is currently only enabled for ssh(1) sessions on SDF.
It also appears to only work with MD4 hashes.</font></p>
<h3>Concept:</h3>
<p>By creating a set of one-time-use pass-phrases, the <b>skey(1)</b>
utility lets users securely log in remotely from insecure terminals without
exposing their real password.</p>
<h3>Precautions:</h3>
<p>Once logged in, it's important for security reasons that the user
NOT type his/her real password during the session.</p>
<h3>Creating your skeys:</h3>
<p>Your skeys are created via the 'skeyinit' command. There are some
options available (see 'man skeyinit') but the defaults work just
fine. Typing 'skeyinit' starts the process. You'll be prompted for
your real password, so it's important that you be securely logged in
via ssh or similar. After you enter your password you're prompted
for a skey-specific secret password (alphanumeric, at least 10 characters
long) which you'll need to enter twice. Things went correctly if you get
something like this:</p>
<pre>
member@sdf: {4} skeyinit
Password:
[Adding member]
Reminder - Only use this method if you are directly connected
or have an encrypted channel. If you are using telnet
or rlogin, exit with no password and use skeyinit -s.
Enter secret password:
Again secret password:
ID member skey is otp-md4 99 sdf65974
Next login password: AGEE HOE HANK TAR MAY AID
member@sdf: {5}
</pre>
<p>Aside from your secret skey password, the important bit of
information here is the ID: in this example member's unique skey ID is
sdf65974, there are 99 pass-phrases available (the default), and they are
hashed with MD4.</p>
<p>As you can see, the first pass-phrase is provided. However, the
default settings produce 99 pass-phrases, some or all(!) of which you
can display for printing purposes. To display the next six
pass-phrases in the above example, we type 'skey -n 6 99 sdf65974'
and reenter the secret password:</p>
<pre>
member@sdf: {10} skey -n 6 99 sdf66315
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password:
94: HURT PO WAS COLT TEET ALGA
95: OBEY MONK BOP GELD ELY ALL
96: DUCK AIM BEND TENT FORK OAT
97: ANA ITCH TOOL THAN CAM GIN
98: LEAR STAG BELT BABY FEW WAY
99: TOW CUE WELL REP GRIT MINI
</pre>
<p>Incidentally, the pass-phrases get used starting at 99 and counting
down, and can be entered in upper or lower case (the spaces must be
included, however). To see what our next skey pass-phrase number is we type
'skeyinfo':</p>
<pre>
member@sdf: {11} skeyinfo
Your next otp-md4 98 sdf66315
</pre>
<p>This means I need to use pass-phrase #98 next time I want to login with
an skey pass-phrase. To make obtaining the next pass-phrase easier, create
an alias:</p>
<pre>
(for ksh shell; other shells work differently)
% alias skey-next='skey -n 1 $(skeyinfo | cut -d " " -f 4-)'
% skey-next
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password:
LEAR STAG BELT BABY FEW WAY
</pre>
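<p>Added example (not part of this tutorial, nor SDF's or OpenBSD's skey code): the one-way chain behind the numbers above, written in Python following RFC 2289. It prints the 16-hex-digit form rather than the six-word form because the 2048-word dictionary does not fit here, defaults to MD5 because MD4 is a legacy algorithm in current OpenSSL builds, and uses the RFC 2289 Appendix C test-vector secret and seed rather than a real SDF account.</p>

```python
import hashlib


def _fold(digest: bytes) -> bytes:
    """Fold a 128-bit MD4/MD5 digest to 64 bits by XORing its two halves."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def _step(data: bytes, algo: str) -> bytes:
    """One application of the one-way function: hash, then fold."""
    return _fold(hashlib.new(algo, data).digest())


def otp(secret: str, seed: str, count: int, algo: str = "md5") -> str:
    """16-hex-digit one-time password number `count` (RFC 2289 style).
    The seed is case-insensitive and lowercased before hashing; password N
    is `count` rounds deep, so password N-1 is N's preimage under `_step`.
    """
    state = _step((seed.lower() + secret).encode(), algo)
    for _ in range(count):
        state = _step(state, algo)
    return state.hex().upper()


def server_accepts(stored_otp: str, offered_otp: str, algo: str = "md5") -> bool:
    """Server-side check: does the offered password hash to the stored one?
    The host keeps only the last accepted password (N) and expects N-1 next.
    Seeing N, or any password already typed at an untrusted terminal, does
    not reveal N-1: the function is one-way, so a replay of N is rejected.
    """
    return _step(bytes.fromhex(offered_otp), algo).hex().upper() == stored_otp


def demo() -> None:
    secret, seed = "This is a test.", "TeSt"   # RFC 2289 Appendix C inputs
    stored = otp(secret, seed, 99)            # what skeyinit leaves on the host
    nxt = otp(secret, seed, 98)               # what skeyinfo says to use next
    print("stored 99:", stored, "next 98:", nxt)
    print("login with 98 accepted:", server_accepts(stored, nxt))
    print("replay of 99 accepted:", server_accepts(stored, stored))
    try:  # SDF's otp-md4; MD4 may need OpenSSL's legacy provider
        print("otp-md4 99:", otp(secret, seed, 99, "md4"))
    except ValueError:
        print("otp-md4 unavailable in this OpenSSL build")


if __name__ == "__main__":
    demo()
```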
<h3>Deleting Skeys:</h3>
<p>To delete your skeys type 'skeyinit -z' and enter your real
password (do it via ssh session!). To verify deletion type
'skeyinfo':</p>
<pre>
member@sdf: {2} skeyinit -z
Password:
member@sdf: {3} skeyinfo
You have no s/key
</pre>
<h3>Logging in:</h3>
<p>To connect via ssh or sftp, use your usual login name and your next
skey pass-phrase (lowercase is fine; keep the spaces). Generally, the
password prompt will provide some visual indication that you can enter
an skey pass-phrase:</p>
<pre>
% ssh member@sdf.org
otp-md4 98 sdf66315
S/Key Password:
</pre>
<p>On some systems and/or skey implementations you must first enter the
login "skey", then your regular login name, then the skey pass-phrase.</p>
<h3>References:</h3>
<ul>
<li>man pages for skey, skeyinit, and skeyinfo</li>
<li>Internet search phrase "using skeys"</li>
</ul>
<br>
<cite>$Id: skey_tutorial.html,v 1.5 2012/06/03 15:10:45 jgw Exp $</cite>