One of the nice things of S/Key is that it still leaves you the option
to use regular UNIX passwords. In fact, the presence of S/Key support
is completely invisible for a user until she has set up a password with
the keyinit command. You can permit regular UNIX passwords for local
logins, while at the same time insisting on S/Key passwords for logins
from outside.
ORIGIN
These files are modified versions of the s/key files found on
thumper.bellcore.com at 21 oct 1993. They have been fixed to
run on top of SunOS 4.1.3 and Solaris 2.3.
Installation is described at the end of this file.
USAGE
Use the keyinit command to set up a new series of s/key passwords.
wzv_6% keyinit
Updating wietse:
Old key: wz173500
Reminder - Only use this method if you are direct connected.
If you are using telnet or dial-in exit with no password and use keyinit -s.
Enter secret password:
Again secret password:
ID wietse s/key is 99 wz173501
BLAH BLA BLAH BLAH BLAH BLA
Be sure to make your secret password sufficiently long. Try using a
full sentence instead of just one single word.
You will have to do a "keyinit" on every system that you want to login
on using one-time passwords.
Whenever you log into an s/key protected system you will see
something like:
login: wietse
s/key 98 wz173501
Password:
In this case you can either enter your regular UNIX password or
your one-time s/key password. For example, I open a local window
to compute the password:
local% key 98 wz173501
Reminder - Do not use key while logged in via telnet or rlogin.
Enter secret password:
BLAH BLA BLAH BLAH BLAH BLA
The "BLAH BLA BLAH BLAH BLAH BLA" is the one-time s/key password.
If you have to type the one-time password in by hand, it is convenient
to have echo turned on so that you can correct typing errors. Just type
a newline at the "Password:" prompt:
login: wietse
s/key 98 wz173501
Password: (turning echo on)
Password:BLAH BLA BLAH BLAH BLAH BLA
The 98 in the challenge will be 97 the next time, and so on. You'll get
a warning when you are about to run out of s/key passwords, so that you
will have to run the keyinit command again.
Sometimes it is more practical to carry a piece of paper with a small
series of one-time passwords. You can generate the list with:
% key -n 10 98 wz173501
98: BLAH BLA BLAH BLAH BLAH BLA
97: ...
96: ...
Be careful when printing material like this!
INSTALLATION
To install, do: make sunos4 (or whatever), then: make install.
The UNIX password is always permitted with non-network logins. By
default, UNIX passwords are always permitted (the Bellcore code by
default disallows UNIX passwords but I think that is too painful). In
order to permit UNIX passwords only with logins from specific networks,
create a file /etc/skey.access. For example,
# First word says if UNIX passwords are to be permitted or denied.
# remainder of the rule is a networknumber and mask. A rule matches a
# host if any of its addresses satisfies:
#
# network = (address & mask)
#
#what network mask
permit 131.155.210.0 255.255.255.0
deny 0.0.0.0 0.0.0.0
This particular example will permit UNIX passwords with logins from any
host on network 131.155.210, but will insist on one-time passwords in
all other cases.