skey-11.1994: description + notes

S/key is a procedure for using one time passwords to authenticate access to computer systems. It uses 64 bits of information transformed by the MD4 algorithm. The user supplies the 64 bits in the form of six English words that are generated by a secure computer. E.g. a pocket sized smart card or a PC/Macintosh, or a machine at work and printed on a sheet of paper. This six-word phrase is then used to answer a specific S/Key challenge. Example use of the S/key program key:
   >key 99 th91334
   Enter password: 

Skey authentication is often used for internet logins, where passwords are transmitted via insecure means. Because skey uses one-time passwords the threat from passive attacks (snooping the network) is reduced.

By default this package only installs the tools used to access an skey-protected system. If you wish to install S/Key authentication on a server you will need to take some additional steps:

  1. Install fw_skey.src.skey and convince yourself that the privileged code is safe.
  2. Install the non-default fw_skey.sw.skey_server (and subsystems in this package. If having them suid still makes you uncomfortable you can create a special skey group, change keyinit and keyauth to be sgid (mode 2755) instead of suid, create /etc/skeykeys with mode 664, and finally "chgrp skey" on all three.
  3. Edit /etc/default/login to specify keyauth as your SITECHECK program. Note that sitecheck programs must be executable, owned by root, and not writable by anyone else.
  4. Optionally create /etc/skey.access to specify which networks are permitted to login using regular password authentication.
  5. Setup local procedures to ensure that all users with login access to the protected machine have s/key passwords. (You may wish to replace keyinit with a script the does rsh to the server, and distribute that script to other machines.)

Note: this package is based on the original Bellcore version 1 source from 1994. OPIE is a more recent replacement for S/Key.

To auto-install this package, go back and click on the respective install icon.