CONTENTS This directory provides the following programs and manual pages: key The one-time password generating command keyinit Sets up a sequence of one-time passwords keyinfo Shows your S/Key sequence number and seed key.1 Documents the key command keyinfo.1 Documents the keyinfo command keyinit.1 Documents the keyinit command skeyaccess.5 Documents the /etc/skey.access format Things that are not installed in public directories but that may be useful anyway: winkey Run s/key tool in its own window so you won't by mistake run the key command in a remote session. skeyaccess Test the /etc/skey.access file keyprint Print 100 passwords on a credit card By default, the sources use the MD4 hash function. In order to build a version based on MD5, build with -DMD5 (see Makefile). INTRODUCTION One of the nice things of S/Key is that it still leaves you the option to use regular UNIX passwords. In fact, the presence of S/Key support can be completely invisible for a user until she has set up a password with the keyinit command. You can permit regular UNIX passwords for local logins, while at the same time insisting on S/Key passwords for logins from outside or for logins into specific accounts. ORIGIN These files are modified versions of the s/key files found on thumper.bellcore.com at 21 oct 1993. They have been fixed to run on SunOS 4.1.3, Solaris 2.3, Ultrix 4.3 and 44BSD. The original files are still present, with a "-" tacked onto their name. The MD4 and MD5 source code was taken from the NRL S/Key distribution on thumper on Sept 21 1994. This version is byte-order independent. Installation is described at the end of this file. USAGE Use the keyinit command to set up a new series of s/key passwords. wzv_6% keyinit Updating wietse: Old key: wz173500 Reminder - Only use this method if you are direct connected. If you are using telnet or dial-in exit with no password and use keyinit -s. Enter secret password: [not displayed] Again secret password: [not displayed] ID wietse s/key is 99 wz173501 BLAH BLA BLAH BLAH BLAH BLA Be sure to make your secret password sufficiently long. Try using a full sentence instead of just one single word. You will have to do a "keyinit" on every system that you want to login on using one-time passwords. Whenever you log into an s/key protected system you will see something like: login: wietse s/key 98 wz173501 Password: In this case you can either enter your regular UNIX password or your one-time s/key password. For example, I open a local window to compute the password: local% key 98 wz173501 Reminder - Do not use key while logged in via telnet or rlogin. Enter secret password: [not displayed] BLAH BLA BLAH BLAH BLAH BLA The "BLAH BLA BLAH BLAH BLAH BLA" is the one-time s/key password. If you have to type the one-time password in by hand, it is convenient to have echo turned on so that you can correct typing errors. Just type a newline at the "Password:" prompt: login: wietse s/key 98 wz173501 Password: (turning echo on) Password:BLAH BLA BLAH BLAH BLAH BLA The 98 in the challenge will be 97 the next time, and so on. You'll get a warning when you are about to run out of s/key passwords, so that you will have to run the keyinit command again. Sometimes it is more practical to carry a piece of paper with a small series of one-time passwords. You can generate the list with: % key -n 10 `keyinfo` 98: BLAH BLA BLAH BLAH BLAH BLA 97: ... 96: ... That is the keyinfo command between reverse quotes. Be careful when printing material like this! INSTALLATION To install, do: make sunos4 (or whatever), then: make install. By default, UNIX passwords are always permitted (the Bellcore code by default disallows UNIX passwords but I think that is too painful). In order to permit UNIX passwords only with logins from specific networks or terminals, create a file /etc/skey.access. For example, permit port console ... other hard-wired terminals ... permit internet 131.155.210.0 255.255.255.0 deny The console rule is just a reminder. UNIX passwords are always permittted on the systems console, to save you the embarrassment of having to break into your own machine. When no rule is matched, UNIX passwords are not permitted. Thus, the deny rule at the end is not really needed, it is there as a reminder. The example above will permit UNIX passwords with console logins and with logins from any host on internet network 131.155.210, but will insist on one-time passwords only in all other cases. More details are given in the skey.access.5 manual page and in the skey.access sample file in this directory. Use the skeyaccess command to test your rule sets. Watch the syslogd output for any syntax error reports.