NetBSD/usr.bin/skey/skey.1

.\"	$NetBSD: skey.1,v 1.19 2003/02/25 10:35:54 wiz Exp $
.\"
.\"	from: @(#)skey.1	1.1 	10/28/93
.\"
.Dd July 25, 2001
.Dt SKEY 1
.Os
.Sh NAME
.Nm skey
.Nd respond to an OTP challenge
.Sh SYNOPSIS
.Nm
.Op Fl n Ar count
.Op Fl p Ar password
.Op Fl t Ar hash
.Op Fl x
.Ar sequence#
.Op /
.Ar key
.Sh DESCRIPTION
.Em S/Key
is a One Time Password (OTP) authentication system.
It is intended to be used when the communication channel between
a user and host is not secure (e.g. not encrypted or hardwired).
Since each password is used only once, even if it is "seen" by a
hostile third party, it cannot be used again to gain access to the host.
.Pp
.Em S/Key
uses 64 bits of information, transformed by the
.Tn MD4
algorithm into 6 English words.
The user supplies the words to authenticate himself to programs like
.Xr login 1
or
.Xr ftpd 8 .
.Pp
Example use of the
.Em S/Key
program
.Nm :
.Bd -literal -offset indent
% skey  99  th91334
Enter password: \*[Lt]your secret password is entered here\*[Gt]
OMEN US HORN OMIT BACK AHOY
%
.Ed
.Pp
The string that is given back by
.Nm
can then be used to log into a system.
.Pp
The programs that are part of the
.Em S/Key
system are:
.Bl -tag -width skeyauditxxx
.It Xr skeyinit 1
used to setup your
.Em S/Key .
.It Nm
used to get the one time password(s).
.It Xr skeyinfo 1
used to initialize the
.Em S/Key
database for the specified user.
It also tells the user what the next challenge will be.
.It Xr skeyaudit 1
used to inform users that they will soon have to rerun
.Xr skeyinit 1 .
.El
.Pp
When you run
.Xr skeyinit 1
you inform the system of your
secret password.
Running
.Nm
then generates the
one-time password(s), after requiring your secret password.
If however, you misspell your secret password that you have given to
.Xr skeyinit 1
while running
.Xr skey 1
you will get a list of passwords
that will not work, and no indication about the problem.
.Pp
Password sequence numbers count backward from 99.
You can enter the passwords using small letters, even though
.Xr skey 1
prints them capitalized.
.Pp
The
.Fl n Ar count
argument asks for
.Ar count
password sequences to be printed out ending with the requested
sequence number.
.Pp
The hash algorithm is selected using the
.Fl t Ar hash
option, possible choices here are md4, md5 or sha1.
.Pp
The
.Fl p Ar password
allows the user to specify the
.Em S/Key
password on the command line.
.Pp
To output the S/Key list in hexadecimal instead of words,
use the
.Fl x
option.
.Sh EXAMPLES
Initialize generation of one time passwords:
.Bd -literal -offset indent
host% skeyinit
Password: \*[Lt]normal login password\*[Gt]
[Adding username]
Enter secret password: \*[Lt]new secret password\*[Gt]
Again secret password: \*[Lt]new secret password again\*[Gt]
ID username s/key is 99 host12345
Next login password: SOME SIX WORDS THAT WERE COMPUTED
.Ed
.Pp
Produce a list of one time passwords to take with to a conference:
.Bd -literal -offset indent
host% skey -n 3 99 host12345
Enter secret password: \*[Lt]secret password as used with skeyinit\*[Gt]
97: NOSE FOOT RUSH FEAR GREY JUST
98: YAWN LEO DEED BIND WACK BRAE
99: SOME SIX WORDS THAT WERE COMPUTED
.Ed
.Pp
Logging in to a host where
.Nm
is installed:
.Bd -literal -offset indent
host% telnet host

login: \*[Lt]username\*[Gt]
Password [s/key 97 host12345]:
.Ed
.Pp
Note that the user can use either his/her
.Em S/Key
password at the prompt but also the normal one unless the
.Fl s
flag is given to
.Xr login 1 .
.Sh SEE ALSO
.Xr login 1 ,
.Xr skeyaudit 1 ,
.Xr skeyinfo 1 ,
.Xr skeyinit 1 ,
.Xr ftpd 8
.Pp
.Em RFC2289
.Sh TRADEMARKS AND PATENTS
.Em S/Key
is a trademark of
.Tn Bellcore .
.Sh AUTHORS
Phil Karn,
Neil M. Haller,
John S. Walden,
Scott Chasin