S/key is a procedure for using one time passwords to authenticate access to computer systems. It uses 64 bits of information transformed by the
skey-11.1994: description + notes
MD4algorithm. The user supplies the 64 bits in the form of six English words that are generated by a secure computer. E.g. a pocket sized smart card or a PC/Macintosh, or a machine at work and printed on a sheet of paper. This six-word phrase is then used to answer a specific S/Key challenge. Example use of the S/key program key:>key 99 th91334 Enter password:
OMEN US HORN OMIT BACK AHOY >
Skey authentication is often used for internet logins, where passwords are transmitted via insecure means. Because skey uses one-time passwords the threat from passive attacks (snooping the network) is reduced.
By default this package only installs the tools used to access an skey-protected system. If you wish to install S/Key authentication on a server you will need to take some additional steps:
fw_skey.src.skeyand convince yourself that the privileged code is safe.
- Install the non-default
fw_skey.man.skey_server) subsystems in this package. If having them suid still makes you uncomfortable you can create a special
skeygroup, change keyinit and keyauth to be sgid (mode 2755) instead of suid, create
/etc/skeykeyswith mode 664, and finally "
chgrp skey" on all three.
/etc/default/loginto specify keyauth as your
SITECHECKprogram. Note that sitecheck programs must be executable, owned by
root, and not writable by anyone else.
- Optionally create
/etc/skey.accessto specify which networks are permitted to login using regular password authentication.
- Setup local procedures to ensure that all users with login access to the protected machine have s/key passwords. (You may wish to replace keyinit with a script the does rsh to the server, and distribute that script to other machines.)
Note: this package is based on the original Bellcore version 1 source from 1994.
OPIEis a more recent replacement for S/Key.
To auto-install this package, go back and click on the respective install icon.