S/KEY


Much of the following is based (or lifted outright!) from similar tutorial material at Brown University's Computer Science Department. It appears here with their permission, and has been modified for local use.

The examples and procedures appearing here may be augmented by other department-specific local documentation.


The S/KEY system, developed at Bellcore, provides a secure alternative to UNIX passwords. The security of S/KEY lies in the use of one-time passwords. These passwords can only be used for one remote login session, so capturing them does not provide an intruder a means of breaking into the system at a later time. Generation of the one-time password is based on a secret password that is chosen by the user, but this secret password never travels over the network.

Technical overview

If you plan to log in remotely over the Internet, you will have to use the S/KEY system (dialins through the department modem pool are not affected; dialins through the University modem pool are). Initially, you need to make yourself known to the S/KEY program. This is done by executing the keyinit command.

delta% keyinit

The keyinit program will ask you for a secret password. Unlike UNIX passwords, S/KEY secret passwords can be more than 8 characters, so it is suggested that you pick a phrase such as "I like coconuts in the summertime." Use a password that is different from your UNIX account password. Remember this password. You will need it in the future whenever you deal with the S/KEY program.

When you remotely log in to an EECSNet machine from the Internet, rather than encountering the usual UNIX login procedure, you will be confronted with the S/KEY challenge. There are two ways to answer this challenge: running the S/KEY program locally on the machine you are logging in from, or using a one-time password list.

Running the S/KEY program locally

If S/KEY software exists for the type of machine that you are logging in from, you may use this software to generate the proper one-time password for a successful login. This avoids the need to take a one-time password list with you.

We have placed S/KEY clients for the Mac, Windows, and DOS in the directory /usr/local/lib/skey, accessible from any of the Suns. Documentation is available in /vol/doc/skey, as well as here.

An attempted login via telnet to delta should produce the following output:
	telnet delta
	Trying...
	Connected to delta.eecs.nwu.edu.
	Escape character is '^]'.

	This system is for the use of authorized users only.  Individuals using
	this computer system without authority or in the excess of their authority
	are subject to having all their activities on this system monitored and
	recorded by system personnel.  In the course of monitoring individuals
	improperly using this system or in the course of system maintenance, the
	activities of authorized user may also be monitored.  Anyone using this
	system expressly consents to such monitoring and is advised that if such
	monitoring reveals possible evidence of illegal activity or violation of
	University regulations system personnel may provide the evidence of such
	monitoring to University authorities and/or law enforcement officials.



	SunOS UNIX (delta)

	login: rnp
	s/key 98 ig964000
	(s/key required)
	Password:

The line after the login name (s/key 98 ig964000) is the S/KEY challenge: the sequence number (98) and the seed (ig964000). These are used as input to the S/KEY program to generate the one-time password. For example, the S/KEY client for UNIX is the key program. Generating the one-time password with the key program is done as follows:

% key 98 ig964000

The program will ask you for your secret S/KEY password, and then generate a one-time password. Typing or pasting this one-time password into the telnet or ftp window should result in a successful login.

One-time password lists

With this method, you provide S/KEY with the correctly sequenced password from a list of one-time passwords. This list must have been generated by running the keyinfo command followed by the key command on an EECSNet machine prior to the actual remote login attempt (before leaving the department!):

	delta% keyinfo
	98 ig964000

	delta% key -n 3 98 ig964000
	96: BLUR EAR TOOT COLD ROLL ACME
	97: SHE HIDE NAT MOON NASH BODY
	98: OLIN AMES FATE MADE TOUT BUD

The output of the keyinfo command is the current S/KEY sequence number and the S/KEY seed, respectively. These values are then used as arguments to the key command to generate a list of one-time passwords. The -n argument to key specifies the number of one-time passwords to print out. Later, when you try to log in remotely, match the sequence number in the challenge against the sequence numbers on the one-time password list to determine which one-time password to use.
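The following is an added example, not code from the page, Bellcore, or the EECSNet installation. It models the one-way hash chain behind both the interactive key program (the "key 98 ig964000" step above) and the "key -n 3" password list, and the server-side check that makes a captured one-time password useless afterwards. The real S/KEY program uses MD4 and prints six-word passwords; this model substitutes MD5 (also specified by RFC 2289, the OTP successor to S/KEY) and prints the 16-hex-digit form so that it runs with only the Python standard library. The passphrase, seed, the SkeyServer class, and the assumption that keyinit stored sequence 99 (so the first challenge is 98, as in the transcript) are all constructed for this example.

```python
"""Toy S/KEY-style one-time password chain (RFC 2289 OTP, MD5, hex form).

Added example, not the page's or Bellcore's code.  MD5 and hex output
are substituted for the original MD4 and six-word output; all sample
values are constructed.
"""
import hashlib
import hmac

# Constructed sample values (hypothetical account).  The seed is copied
# from the page's transcript only so the challenge looks familiar.
PASSPHRASE = "I like coconuts in the summertime."
SEED = "ig964000"
INITIAL_SEQ = 99   # assumption: keyinit stored sequence 99, so the first challenge is 98


def fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 8 bytes by XORing the two halves."""
    return bytes(digest[i] ^ digest[i + 8] for i in range(8))


def step(x: bytes) -> bytes:
    """One link of the one-way chain: hash the previous 8 bytes, fold again."""
    return fold(hashlib.md5(x).digest())


def otp(passphrase: str, seed: str, seq: int) -> bytes:
    """One-time password for sequence number `seq` (what `key seq seed` prints).

    The secret passphrase is used only here, on the client; only the
    result of `seq` hash applications ever crosses the network.
    """
    x = fold(hashlib.md5((seed.lower() + passphrase).encode("ascii")).digest())
    for _ in range(seq):
        x = step(x)
    return x


def to_hex(x: bytes) -> str:
    return x.hex().upper()


def password_list(passphrase: str, seed: str, seq: int, n: int) -> dict:
    """Equivalent of `key -n N seq seed`: the N passwords ending at `seq`."""
    return {s: to_hex(otp(passphrase, seed, s)) for s in range(seq - n + 1, seq + 1)}


class SkeyServer:
    """Server side (hypothetical): stores only the chain head, never the passphrase."""

    def __init__(self, seed: str, seq: int, stored: bytes):
        self.seed, self.seq, self.stored = seed, seq, stored

    def challenge(self) -> str:
        return f"s/key {self.seq - 1} {self.seed}"

    def verify(self, response_hex: str) -> bool:
        """Accept the response only if hashing it once yields the stored head."""
        try:
            candidate = bytes.fromhex(response_hex)
        except ValueError:
            return False
        if len(candidate) != 8:
            return False
        if not hmac.compare_digest(step(candidate), self.stored):
            return False
        # Advance the chain: the accepted password becomes the new head,
        # so presenting the same password again is rejected.
        self.stored = candidate
        self.seq -= 1
        return True


def login_round_trip(passphrase: str = PASSPHRASE, seed: str = SEED) -> dict:
    """Simulate keyinit, two logins and a replayed password; report the outcomes."""
    server = SkeyServer(seed, INITIAL_SEQ, otp(passphrase, seed, INITIAL_SEQ))  # keyinit
    first = server.challenge()                                   # "s/key 98 ig964000"
    ok1 = server.verify(to_hex(otp(passphrase, seed, 98)))       # answer for 98
    replay = server.verify(to_hex(otp(passphrase, seed, 98)))    # same password again
    ok2 = server.verify(to_hex(otp(passphrase, seed, 97)))       # next challenge, 97
    return {"first_challenge": first, "login1": ok1, "replay": replay,
            "login2": ok2, "next_challenge": server.challenge()}


if __name__ == "__main__":
    for s, pw in password_list(PASSPHRASE, SEED, 98, 3).items():
        print(f"{s}: {pw}")
    print(login_round_trip())
```

Two points the model makes visible: the server never needs the passphrase, only the current chain head and sequence number, and because the chain only runs forward (from 98 to 99 by hashing), a password captured for sequence 98 neither works twice nor reveals the password for 97. Note also that the list printed by password_list is ordered 96, 97, 98 exactly as key -n 3 prints it, but the passwords are consumed from 98 downwards.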

There is a script front-end to the key program that generates a PostScript file with one hundred one-time passwords in a credit-card sized area of paper. This can be run as follows:

delta% keyprint | lpr

This will print the list to your default printer.

Troubleshooting

Q: Why doesn't my login attempt produce an S/KEY challenge?

A: Make sure you have run the keyinit program as explained above.