User Tools

Site Tools


using_skey_one-time_pass-phrases_for_logging_in_at_insecure_terminals

Using Skey One-Time Pass-phrases for Logging in at Insecure Terminals


Note: skey(1) is currently only enabled for ssh(1) sessions on SDF. It also appears to only work with MD4 hashes.

Concept:

By creating a set of one-time use pass-phrases, the skey(1) utility lets users securely login remotely at insecure terminals without exposing their real password.

Precautions:

Once logged in, its important for security reasons that the user NOT type his/her real password during the session.

Creating your skeys:

Your skeys are created via the 'skeyinit' command. There are some options available (see 'man skeyinit') but the defaults work just fine. Typing 'skeyinit' starts the process. You'll be prompted for your real password, so its important that you be securely logged in via ssh or similar. After you enter your password you're prompted for a skey-specific password (alphanumeric; 10+digits) which you'll need to enter twice. Things went correctly if you get something like this:

member@sdf: {4} skeyinit
Password:
[Adding member]
Reminder - Only use this method if you are directly connected
           or have an encrypted channel. If you are using telnet
           or rlogin, exit with no password and use skeyinit -s.

Enter secret password:
Again secret password:

ID member skey is otp-md4 99 sdf65974
Next login password: AGEE HOE HANK TAR MAY AID

member@sdf: {5}

Aside from your secret skey password, the important bit of information here is the ID: in this example member's unique skey ID is sdf65974, there are 99 pass-phrases available (default), and they are encrypted using MD4.

As you can see, the first pass-phrase is provided. However, the default settings produce 99 pass-phrases, some or all(!) which you can display for printing purposes. To display the next six pass-phrases in the above example, we type 'skey -n 6 99 sdf65974' and reenter the secret password:

member@sdf: {10} skey -n 6 99 sdf66315
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password:
 94: HURT PO WAS COLT TEET ALGA
 95: OBEY MONK BOP GELD ELY ALL
 96: DUCK AIM BEND TENT FORK OAT
 97: ANA ITCH TOOL THAN CAM GIN
 98: LEAR STAG BELT BABY FEW WAY
 99: TOW CUE WELL REP GRIT MINI

Incidentally, the pass-phrases get used starting at 99 and can be entered in upper or lower case (the spaces must be included however). To see what our next skey pass-phrase number is we type 'skeyinfo':

member@sdf: {11} skeyinfo
Your next otp-md4 98 sdf66315

This means I need to use pass-phrase #98 next time I want to login with an skey pass-phrase. To make obtaining the next pass-phrase easier, create an alias:

(for ksh shell; other shells work differently)

% alias skey-next='skey -n 1 $(skeyinfo | cut -d " " -f 4-)'
% skey-next
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password:
LEAR STAG BELT BABY FEW WAY

Deleting Skeys:

To delete your skeys type 'skeyinit -z' and enter your real password (do it via ssh session!). To verify deletion type 'skeyinfo':

member@sdf: {2} skeyinit -z
Password:
member@sdf: {3} skeyinfo
You have no s/key

Logging in:

To connect via ssh or sftp use your usual login name and you next skey pass-phrase (lowercase is fine; keep the spaces). Generally, the password prompt will provide some visual indication that you can enter an skey pass-phrase:

% ssh member@sdf.org
otp-md4 98 sdf66315
S/Key Password:

On some systems and/or skey implementations you must first enter the login “skey”, then your regular login name, then the skey pass-phrase.

References:

  • man pages for skey, skeyinit, and skeyinfo
  • Internet search phrase “using skeys”

$Id: skey_tutorial.html,v 1.5 2012/06/03 15:10:45 jgw Exp $ Using Skey One-Time Pass-phrases for Logging in at Insecure Terminals - traditional link (using RCS)

using_skey_one-time_pass-phrases_for_logging_in_at_insecure_terminals.txt · Last modified: 2021/03/22 06:00 by hc9