How do you login using an S/Key password?
Where do I get the S/Key client?
How do I reset my password on an S/Key enabled system?
What is S/Key?
Why should I use S/Key?
Who should use S/Key?
How do I install an S/Key server on a UNIX system?
server login: <your login user name>
s/key 999 xy12345 (s/key required)
Password: <output of the key program>
NOTE: Make sure to select MD4 as the algorithm for eda.org; most key clients have an option for this. DO NOT RUN key on eda.org to get the response -- this defeats the whole purpose of an OTP by having you type your clear, unencrypted private password over the network connection!
That looks good, but how do I get the output of the key program? I haven't logged in yet!
% key 999 xy12345
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password: *********
EVER KERN SKAT MOO COCA WAD    <----- 6 word phrase to enter for password challenge above
Use the local client 6 word phrase as the one time password response to the challenge on eda.org. This tells the
On PCs and Macintoshes, the program is a WYSIWYG with radio buttons and fill-in forms. The concept is the same, though -- you must enter the unique sequence count, the user ID assigned to you, and your secret password (only into the local program) to get the unique 6 word response to type into eda.org.
% key -n <x> 999 xy12345
Where x is the number of passwords you want to generate. Capture the response and print it out for future use. Each time you login, match the challenge string to the list on the printout and enter the corresponding 6 word phrase as the response at the password prompt shown above.
NOTE: do not use the eda.org version of this program while telnet'ed in. It will prompt you for a password that will have to be entered over the insecure Internet; the exact issue we are trying to avoid!
The S/Key system needs to be initialized for each user who will use S/Key passwords, or can be reinitialized by a user once logged in. This process generates the first in a series of passwords. The S/Key server needs to learn the result derived from the secret pass phrase, never the phrase itself, to ensure the security of the entire scheme. The secret password can either be entered directly on the console of the server (keyinit -i option) or done remotely over the Internet (keyinit -s option) using the S/Key client on your local machine. The example below is for the remote initialization that all users of eda.org should use.
On eda.org from a telnet session logged in as you:
% keyinit -s
Adding <your login name>
Reminder you need the 6 english words from the skey command.
Enter sequence count from 1 to 9999: 9999 <return>
Enter new key [default xy12345]: <return>
s/key 9999 xy12345
s/key access password: <output of the key program> <return>
%
On your local machine using the client S/Key program (Unix client shown):
% key 9999 xy12345
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password: *********
EVER KERN SKAT MOO COCA WAD    <----- 6 word phrase to enter above
Use the local client 6 word phrase as the one time password response to the challenge. Note this is essentially the same as a login session. Only this time, you are training the eda.org server to know what your secret password is, in a secure, encrypted, one-time way!
Note: never execute the "key" client program on eda.org to generate a challenge response. You would be entering your private password over the open Internet -- the exact thing we are trying to avoid!
S/Key is a challenge/response one-time password scheme. A challenge/response system is any system where the 'response' can be computed from the 'challenge' and some secret information that only the user knows. To be useful, the system must be designed so that knowledge of previous challenge/response pairs is of no use in computing future pairs. S/Key was originally developed at Bell Labs in the late 1980s. They have since sold the code and trademark. IEEE standardized on the concept but, due to the trademark, named it the One Time Password (OTP) system. There are several variations using different hash algorithms: MD4, MD5, and SHA.
A simple example:
Challenge (C): 789 se12343
Information user provides (private password) (P): ThisIsMyPassword
Function to compute one-time password response: C^2 + P where C is the challenge and P is the user provided private password.
One-time Password Response: ONE TOP SHAH KEY TEMP RAS
The Challenge consists of a sequence number which changes with each use (hence, one time password) and a user key or unique ID similar to a login name. The Private Password is the normal password a user might provide to login to email, a telnet account, etc. The response is either a large number represented in Hex digit format, or a clever "word" encoding of the same hex digit number.
The idea is that the challenge is presented to the user. The user runs a local program that takes in the challenge and private password and outputs the one-time response. This response is then cut and pasted (or typed in) to the program on the Internet that provided the challenge. The response is near impossible to reverse if a good private password is used. This prevents your clear password from being sent over the network. It does not prevent an active telnet session from being hijacked. For this, SSH with OTP is needed (which is the standard in OpenBSD releases).
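The hash chain behind the login and keyinit sessions above, as an added example that is not part of the original page or of the eda.org programs: a client-side OTP computation in the MD5 variant (RFC 2289 style, digest folded to 64 bits by XORing its halves; the MD4 variant the note above asks for differs only in the hash function) and a minimal server that holds only the top of the chain, so a captured response cannot be replayed or used to derive the next one. Responses are shown as 8-byte hex rather than the 6-word encoding, and the names otp, step, SKeyServer and demo are this example's own.

```python
import hashlib

def fold(digest: bytes) -> bytes:
    """Reduce a 16-byte MD4/MD5 digest to 64 bits by XORing its halves (RFC 2289)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))

def step(value: bytes) -> bytes:
    """One link of the hash chain: hash the previous 8-byte value and fold again."""
    return fold(hashlib.md5(value).digest())

def otp(seed: str, passphrase: str, n: int) -> bytes:
    """What the local 'key' client computes for the challenge 'n seed': the initial
    step over seed+passphrase, then n hash steps. Only the client sees the passphrase."""
    value = fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(n):
        value = step(value)
    return value

class SKeyServer:
    """Per-user state is (count, seed, OTP for that count): the chain top, never the secret."""

    def __init__(self) -> None:
        self.users: dict = {}

    def keyinit(self, user: str, seed: str, count: int, otp_hex: str) -> None:
        # 'keyinit -s': the user submits key(count, seed) computed on their own machine.
        self.users[user] = [count, seed, bytes.fromhex(otp_hex)]

    def challenge(self, user: str) -> str:
        seq, seed, _ = self.users[user]
        return f"s/key {seq - 1} {seed}"    # the line login prints before 'Password:'

    def login(self, user: str, response_hex: str) -> bool:
        seq, seed, stored = self.users[user]
        response = bytes.fromhex(response_hex)
        if step(response) != stored:        # hashing the response once must give the stored value
            return False
        self.users[user] = [seq - 1, seed, response]   # move one link down; the old value is now useless
        return True

def demo() -> list:
    """Constructed walk-through: keyinit at count 5, one good login, then a replay of it."""
    seed, passphrase = "xy12345", "ThisIsMyPassword"     # constructed sample values
    server = SKeyServer()
    server.keyinit("alice", seed, 5, otp(seed, passphrase, 5).hex())
    n = int(server.challenge("alice").split()[1])          # client reads n from the challenge
    response = otp(seed, passphrase, n).hex()
    return [server.login("alice", response), server.login("alice", response)]   # [True, False]
```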
An example of password cracking... taken from Dan Farmer and Wietse Venema's Admin Guide Cracking.
The authors of SATAN were contacted about a hacker who was using their computers to break into others. The hacker had a list of 656 commercial sites; of these, 24 sites had easy-to-steal password files. All 24 password files together contained 1594 password file entries. A ten minute run of Crack on a low-end Sun revealed more than 50 passwords. Another 40 passwords were found within the next 20 minutes. A root password was found in just over an hour. The final results: 5 root passwords, 255 user passwords. One in six passwords was crackable, and eighty percent of the sites had at least one crackable password.
Remember: most hackers don't directly break into the root account; more often than not they break into a user account and then try to break into the root account. It is much easier to break into a user account than a root account, especially from outside the system.
The first step in using S/Key passwords is to replace all the system binaries that accept passwords with versions that accept S/Key passwords. This list of binaries includes (but may not be limited to): /bin/login, /bin/su, /usr/etc/rshd, /usr/etc/rlogind, and /usr/etc/ftpd. Additionally, the S/Key programs key, keyinit, and keyinfo are required to use S/Key.
Wietse Venema has written a package called logdaemon that has replacements for the above binaries that provide improved access control, improved logging, and S/Key support. The logdaemon software works on several UNIX platforms. See the end of this document for a list of locations where you can find logdaemon and other S/Key related software.
The next step is to create or edit the /etc/skey.access file. This file determines whether a user may use a regular UNIX password or is required to use an S/Key password. The deny keyword requires the user to use an S/Key password (denies a UNIX password). The permit keyword allows a regular UNIX password. An example file might look like this:
## /etc/skey.access file for myhost
deny user root
deny user username
deny hostname any.host.net
deny port ttya
permit
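A small evaluator for the skey.access file above, as an added example that is not logdaemon's own parser: it models only the keywords this example file uses (user, hostname, port). The first-match-wins rule order and the deny-when-nothing-matches default are assumptions of the example, and the names parse_skey_access and unix_password_allowed are its own.

```python
# The example file from the page, embedded here as constructed sample input.
SKEY_ACCESS = """\
## /etc/skey.access file for myhost
deny user root
deny user username
deny hostname any.host.net
deny port ttya
permit
"""

KEYWORDS = ("user", "hostname", "port")   # only the keywords used in the example file

def parse_skey_access(text: str) -> list:
    """Turn the file into [(action, [(keyword, value), ...]), ...], skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment; blank lines are ignored
        if not line:
            continue
        action, *conds = line.split()
        if action not in ("permit", "deny") or len(conds) % 2:
            raise ValueError(f"malformed rule: {raw!r}")
        pairs = list(zip(conds[::2], conds[1::2]))
        if any(key not in KEYWORDS for key, _ in pairs):
            raise ValueError(f"unsupported keyword in rule: {raw!r}")
        rules.append((action, pairs))
    return rules

def unix_password_allowed(rules: list, user: str, hostname: str = "", port: str = "") -> bool:
    """True if a plain UNIX password is acceptable for this login, False if S/Key is required.
    Assumed semantics: first matching rule wins, every keyword in a rule must match,
    and no match at all means deny (S/Key required)."""
    attrs = {"user": user, "hostname": hostname, "port": port}
    for action, conds in rules:
        if all(attrs[key] == value for key, value in conds):
            return action == "permit"
    return False
```

With the file as written, root is always forced to S/Key, anyone coming from any.host.net or on port ttya likewise, and everyone else may still use a UNIX password because of the bare permit at the end.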
Based on original material from Steve Ramsing's NASA GFSC home page.
Modified by REH on 10/21/99; originally published by srr@lheamail.gsfc.nasa.gov