Using Skeys for Logging in over Insecure Protocols

author: Jeff Woodall (jgw)

Concept:

By creating a set of one-time-use pass-phrases, the skey utility lets users securely log in remotely via insecure protocols such as telnet, rlogin, and ftp without exposing their real password.

Precautions:

Once logged in, it's important for security reasons that the user NOT type his/her real password during the session: the protocol itself is still unencrypted, so anything typed after login (including a password given to su or passwd) travels in the clear.

Creating your skeys:

Your skeys are created via the 'skeyinit' command. There are some options available (see 'man skeyinit') but the defaults work just fine. Typing 'skeyinit' starts the process. You'll be prompted for your real password, so it's important that you be securely logged in via ssh or similar. After you enter your password you're prompted for a skey-specific secret password (alphanumeric; at least 10 characters) which you'll need to enter twice. Things went correctly if you get something like this:

  beaker@otaku: {4} skeyinit
  Password:
  [Adding beaker]
  Reminder - Only use this method if you are directly connected
             or have an encrypted channel. If you are using telnet
             or rlogin, exit with no password and use skeyinit -s.

  Enter secret password:
  Again secret password:

  ID beaker skey is otp-md4 99 otak65974
  Next login password: AGEE HOE HANK TAR MAY AID

  beaker@otaku: {5}

Aside from your secret skey password, the important bit of information here is the ID line: in this example my unique skey ID (the seed) is otak65974, I have 99 pass-phrases available (the default), and they are derived with the MD4 hash (hence "otp-md4").

As you can see, the first pass-phrase is provided. However, the default settings produce 99 pass-phrases, some or all(!) of which you can display, e.g. to print them out. To display the next six pass-phrases in the above example, we type 'skey -n 6 99 otak65974' and re-enter the secret password:

  beaker@otaku: {10} skey 99 otak66315
  Reminder - Do not use this program while logged in via telnet or rlogin.
  Enter secret password:
   94: HURT PO WAS COLT TEET ALGA
   95: OBEY MONK BOP GELD ELY ALL
   96: DUCK AIM BEND TENT FORK OAT
   97: ANA ITCH TOOL THAN CAM GIN
   98: LEAR STAG BELT BABY FEW WAY
   99: TOW CUE WELL REP GRIT MINI

Incidentally, the pass-phrases are used starting at 99 and counting down, and they can be entered in upper or lower case (the spaces must be included, however). To see what our next skey pass-phrase number is we type 'skeyinfo':

  beaker@otaku: {11} skeyinfo
  Your next otp-md4 98 otak66315

This means I need to use pass-phrase #98 next time I want to login with an skey pass-phrase.

Deleting Skeys:

To delete your skeys type 'skeyinit -z' and enter your real password (do it over an ssh session!). To verify the deletion type 'skeyinfo':

  beaker@otaku: {2} skeyinit -z
  Password:
  beaker@otaku: {3} skeyinfo
  You have no s/key

Logging in:

To connect via telnet or ftp use your usual login name and your next skey pass-phrase (lowercase is fine; keep the spaces). On some systems and/or skey implementations you must first enter the login 'skey', then your regular login name, then the skey pass-phrase.

References:

  • man pages for skey, skeyinit, and skeyinfo
  • internet search phrase “using skeys”

$Id: skey_tutorial.html,v 1.3 2006/03/29 17:47:59 beaker Exp $