By creating a set of one-time use pass-phrases, the skey utility lets users securely login remotely via insecure protocols such as telnet, rlogin, and ftp without exposing their real password.
Once logged in, its important for security reasons that the user NOT type his/her real password during the session.
Your skeys are created via the 'skeyinit' command. There are some options available (see 'man skeyinit') but the defaults work just fine. Typing 'skeyinit' starts the process. You'll be prompted for your real password, so its important that you be securely logged in via ssh or similar. After you enter your password you're prompted for a skey-specific password (alphanumeric; 10+digits) which you'll need to enter twice. Things went correctly if you get something like this:
beaker@otaku: {4} skeyinit Password: [Adding beaker] Reminder - Only use this method if you are directly connected or have an encrypted channel. If you are using telnet or rlogin, exit with no password and use skeyinit -s. Enter secret password: Again secret password: ID beaker skey is otp-md4 99 otak65974 Next login password: AGEE HOE HANK TAR MAY AID beaker@otaku: {5}
Aside from your secret skey password, the important bit of information here is the ID: in this example my unique skey ID is otak65974, I have 99 pass-phrases available (default) and they are encrypted using MD4.
As you can see, the first pass-phrase is provided. However, the default settings produce 99 pass-phrases, some or all(!) which you can display for printing purposes. To display the next six pass-phrases in the above example, we type 'skey -n 6 99 otak65974' and reenter the secret password:
beaker@otaku: {10} skey 99 otak66315 Reminder - Do not use this program while logged in via telnet or rlogin. Enter secret password: 94: HURT PO WAS COLT TEET ALGA 95: OBEY MONK BOP GELD ELY ALL 96: DUCK AIM BEND TENT FORK OAT 97: ANA ITCH TOOL THAN CAM GIN 98: LEAR STAG BELT BABY FEW WAY 99: TOW CUE WELL REP GRIT MINI
Incidentally, the pass-phrases get used starting at 99 and can be entered in upper or lower case (the spaces must be included however). To see what our next skey pass-phrase number is we type 'skeyinfo':
beaker@otaku: {11} skeyinfo Your next otp-md4 98 otak66315
This means I need to use pass-phrase #98 next time I want to login with an skey pass-phrase.
To delete your skeys type 'skeyinit -z' and enter your real password (do it via ssh session!). To verify deletion type 'skeyinfo':
beaker@otaku: {2} skeyinit -z Password: beaker@otaku: {3} skeyinfo You have no s/key
To connect via telnet or ftp use your usual login name and you next skey pass-phrase (lowercase is fine; keep the spaces). On some system and/or skey implementations you must first enter the login “skey”, then your regular login name, then the skey pass-phrase.
$Id: skey_tutorial.html,v 1.3 2006/03/29 17:47:59 beaker Exp $