Table of Contents
Using Skey One-Time Pass-phrases for Logging in at Insecure Terminals
Note: skey(1) is currently only enabled for ssh(1) sessions on SDF. It also appears to only work with MD4 hashes.
Concept:
By creating a set of one-time use pass-phrases, the skey(1) utility lets users securely login remotely at insecure terminals without exposing their real password.
Precautions:
Once logged in, its important for security reasons that the user NOT type his/her real password during the session.
Creating your skeys:
Your skeys are created via the 'skeyinit' command. There are some options available (see 'man skeyinit') but the defaults work just fine. Typing 'skeyinit' starts the process. You'll be prompted for your real password, so its important that you be securely logged in via ssh or similar. After you enter your password you're prompted for a skey-specific password (alphanumeric; 10+digits) which you'll need to enter twice. Things went correctly if you get something like this:
member@sdf: {4} skeyinit Password: [Adding member] Reminder - Only use this method if you are directly connected or have an encrypted channel. If you are using telnet or rlogin, exit with no password and use skeyinit -s. Enter secret password: Again secret password: ID member skey is otp-md4 99 sdf65974 Next login password: AGEE HOE HANK TAR MAY AID member@sdf: {5}
Aside from your secret skey password, the important bit of information here is the ID: in this example member's unique skey ID is sdf65974, there are 99 pass-phrases available (default), and they are encrypted using MD4.
As you can see, the first pass-phrase is provided. However, the default settings produce 99 pass-phrases, some or all(!) which you can display for printing purposes. To display the next six pass-phrases in the above example, we type 'skey -n 6 99 sdf65974' and reenter the secret password:
member@sdf: {10} skey -n 6 99 sdf66315 Reminder - Do not use this program while logged in via telnet or rlogin. Enter secret password: 94: HURT PO WAS COLT TEET ALGA 95: OBEY MONK BOP GELD ELY ALL 96: DUCK AIM BEND TENT FORK OAT 97: ANA ITCH TOOL THAN CAM GIN 98: LEAR STAG BELT BABY FEW WAY 99: TOW CUE WELL REP GRIT MINI
Incidentally, the pass-phrases get used starting at 99 and can be entered in upper or lower case (the spaces must be included however). To see what our next skey pass-phrase number is we type 'skeyinfo':
member@sdf: {11} skeyinfo Your next otp-md4 98 sdf66315
This means I need to use pass-phrase #98 next time I want to login with an skey pass-phrase. To make obtaining the next pass-phrase easier, create an alias:
(for ksh shell; other shells work differently) % alias skey-next='skey -n 1 $(skeyinfo | cut -d " " -f 4-)' % skey-next Reminder - Do not use this program while logged in via telnet or rlogin. Enter secret password: LEAR STAG BELT BABY FEW WAY
Deleting Skeys:
To delete your skeys type 'skeyinit -z' and enter your real password (do it via ssh session!). To verify deletion type 'skeyinfo':
member@sdf: {2} skeyinit -z Password: member@sdf: {3} skeyinfo You have no s/key
Logging in:
To connect via ssh or sftp use your usual login name and you next skey pass-phrase (lowercase is fine; keep the spaces). Generally, the password prompt will provide some visual indication that you can enter an skey pass-phrase:
% ssh member@sdf.org otp-md4 98 sdf66315 S/Key Password:
On some systems and/or skey implementations you must first enter the login “skey”, then your regular login name, then the skey pass-phrase.
References:
- man pages for skey, skeyinit, and skeyinfo
- Internet search phrase “using skeys”
$Id: skey_tutorial.html,v 1.5 2012/06/03 15:10:45 jgw Exp $ Using Skey One-Time Pass-phrases for Logging in at Insecure Terminals - traditional link (using RCS)