Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

skey(1) [netbsd man page]

SKEY(1) 						    BSD General Commands Manual 						   SKEY(1)

NAME

     skey -- respond to an OTP challenge

SYNOPSIS

     skey [-n count] [-p password] [-t hash] [-x] sequence# [/] key

DESCRIPTION

     S/Key is a One Time Password (OTP) authentication system.	It is intended to be used when the communication channel between a user and host
     is not secure (e.g. not encrypted or hardwired).  Since each password is used only once, even if it is "seen" by a hostile third party, it
     cannot be used again to gain access to the host.

     S/Key uses 64 bits of information, transformed by the MD4 algorithm into 6 English words.	The user supplies the words to authenticate him-
     self to programs like login(1) or ftpd(8).

     Example use of the S/Key program skey:

	   % skey  99  th91334
	   Enter password: <your secret password is entered here>
	   OMEN US HORN OMIT BACK AHOY
	   %

     The string that is given back by skey can then be used to log into a system.

     The programs that are part of the S/Key system are:

     skeyinit(1)   used to set up your S/Key.

     skey	   used to get the one time password(s).

     skeyinfo(1)   used to initialize the S/Key database for the specified user.  It also tells the user what the next challenge will be.

     skeyaudit(1)  used to inform users that they will soon have to rerun skeyinit(1).

     When you run skeyinit(1) you inform the system of your secret password.  Running skey then generates the one-time password(s), after requir-
     ing your secret password.	If however, you misspell your secret password that you have given to skeyinit(1) while running skey you will get a
     list of passwords that will not work, and no indication about the problem.

     Password sequence numbers count backward from 99.	You can enter the passwords using small letters, even though skey prints them capitalized.

     The -n count argument asks for count password sequences to be printed out ending with the requested sequence number.

     The hash algorithm is selected using the -t hash option, possible choices here are md4, md5 or sha1.

     The -p password allows the user to specify the S/Key password on the command line.

     To output the S/Key list in hexadecimal instead of words, use the -x option.

EXAMPLES

     Initialize generation of one time passwords:

	   host% skeyinit
	   Password: <normal login password>
	   [Adding username]
	   Enter secret password: <new secret password>
	   Again secret password: <new secret password again>
	   ID username s/key is 99 host12345
	   Next login password: SOME SIX WORDS THAT WERE COMPUTED

     Produce a list of one time passwords to take with to a conference:

	   host% skey -n 3 99 host12345
	   Enter secret password: <secret password as used with skeyinit>
	   97: NOSE FOOT RUSH FEAR GREY JUST
	   98: YAWN LEO DEED BIND WACK BRAE
	   99: SOME SIX WORDS THAT WERE COMPUTED

     Logging in to a host where skey is installed:

	   host% telnet host

	   login: <username>
	   Password [s/key 97 host12345]:

     Note that the user can use either his/her S/Key password at the prompt but also the normal one unless the -s flag is given to login(1).

SEE ALSO

     login(1), skeyaudit(1), skeyinfo(1), skeyinit(1), ftpd(8)

     RFC 2289

TRADEMARKS AND PATENTS

     S/Key is a trademark of Bellcore.

AUTHORS

     Phil Karn
     Neil M. Haller
     John S. Walden
     Scott Chasin

BSD
								   July 25, 2001							       BSD

Check Out this Related Man Page

OPIEPASSWD(1)						      General Commands Manual						     OPIEPASSWD(1)

NAME

       opiepasswd -  Change or set a user's password for the OPIE authentication system.

SYNOPSIS

       opiepasswd [-v] [-h] [-c|-d] [-f]
       [-n initial_sequence_number ] [-s seed ] [ user_name ]

DESCRIPTION

       opiepasswd will initialize the system information to allow one to use OPIE to login.  opiepasswd is downward compatible with the keyinit(1)
       program from the Bellcore S/Key Version 1 distribution.

OPTIONS

       -v     Display the version number and compile-time options, then exit.

       -h     Display a brief help message and exit.

       -c     Set console mode where the user is expected to have secure access to the system. In console mode, you will be asked  to  input  your
	      password	directly instead of having to use an OPIE calculator. If you do not have secure access to the system (i.e., you are not on
	      the system's console), you are volunteering your password to attackers by using this mode.

       -d     Disable OTP logins to the specified account.

       -f     Force opiepasswd to continue, even where it normally shouldn't. This is currently used to force opiepasswd to operate  in  "console"
	      mode even from terminals it believes to be insecure. It can also allow users to disclose their secret pass phrases to attackers. Use
	      of the -f flag may be disabled by compile-time option in your particular build of OPIE.

       -n     Manually specify the initial sequence number. The default is 499.

       -s     Specify a non-random seed. The default is to generate a "random" seed using the first two characters  of	the  host  name  and  five
	      pseudo-random digits.

EXAMPLE

       Using opiepasswd from the console:

       wintermute$ opiepasswd -c
       Updating kebe:
       Reminder - Only use this method from the console; NEVER from remote. If you
       are using telnet, xterm, or a dial-in, type ^C now or exit with no password.
       Then run opiepasswd without the -c parameter.
       Using MD5 to compute responses.
       Enter old secret pass phrase:
       Enter new secret pass phrase:
       Again new secret pass phrase:

       ID kebe OPIE key is 499 be93564
       CITE JAN GORY BELA GET ABED
       wintermute$

       Using opiepasswd from remote:

       wintermute$ opiepasswd
       Updating kebe:
       Reminder: You need the response from your OPIE calculator.
       Old secret password:
	       otp-md5 482 wi93563
	       Response: FIRM BERN THEE DUCK MANN AWAY
       New secret password:
	       otp-md5 499 wi93564
	       Response: SKY FAN BUG HUFF GUS BEAT

       ID kebe OPIE key is 499 wi93564
       SKY FAN BUG HUFF GUS BEAT
       wintermute$

FILES

       /etc/opiekeys -- database of key information for the OPIE system.

SEE ALSO

       passwd(1), opie(4), opiekey(1), opieinfo(1), opiesu(1), opielogin(1), opieftpd(8), opiekeys(5), opieaccess(5)

AUTHOR

       Bellcore's S/Key was written by Phil Karn, Neil M. Haller, and John S. Walden of Bellcore. OPIE was created at NRL by Randall Atkinson, Dan
       McDonald, and Craig Metz.

       S/Key is a trademark of Bell Communications Research (Bellcore).

CONTACT

       OPIE is discussed on the Bellcore "S/Key Users" mailing list. To join, send an email request to:

       skey-users-request@thumper.bellcore.com

7th Edition							 January 10, 1995						     OPIEPASSWD(1)
Man Page