173 lines
3.8 KiB
Groff
173 lines
3.8 KiB
Groff
.\" $NetBSD: skey.1,v 1.14 2000/09/14 19:18:24 mjl Exp $
|
|
.\"
|
|
.\" from: @(#)skey.1 1.1 10/28/93
|
|
.\"
|
|
.Dd 7 June 2000
|
|
.Dt SKEY 1
|
|
.Os
|
|
.Sh NAME
|
|
.Nm skey
|
|
.Nd respond to an OTP challenge
|
|
.Sh SYNOPSIS
|
|
.Nm
|
|
.Op Fl f
|
|
.Op Fl n Ar count
|
|
.Op Fl p Ar password
|
|
.Op Fl t Ar hash
|
|
.Op Fl x
|
|
.Ar sequence#
|
|
.Op /
|
|
.Ar key
|
|
.Sh DESCRIPTION
|
|
.Em S/Key
|
|
is a One Time Password (OTP) authentication system.
|
|
It is intended to be used when the communication channel between
|
|
a user and host is not secure (e.g. not encrypted or hardwired).
|
|
Since each password is used only once, even if it is "seen" by a
|
|
hostile third party, it cannot be used again to gain access to the host.
|
|
.Pp
|
|
.Em S/Key
|
|
uses 64 bits of information, transformed by the
|
|
.Tn MD4
|
|
algorithm into 6 English words.
|
|
The user supplies the words to authenticate himself to programs like
|
|
.Xr login 1
|
|
or
|
|
.Xr ftpd 8 .
|
|
.Pp
|
|
Example use of the
|
|
.Em S/Key
|
|
program
|
|
.Nm "" :
|
|
.Bd -literal -offset indent
|
|
% skey 99 th91334
|
|
Enter password: <your secret password is entered here>
|
|
OMEN US HORN OMIT BACK AHOY
|
|
%
|
|
.Ed
|
|
.Pp
|
|
The string that is given back by
|
|
.Nm
|
|
can then be used to log into a system.
|
|
.Pp
|
|
The programs that are part of the
|
|
.Em S/Key
|
|
system are:
|
|
.Bl -tag -width skeyaudit...
|
|
.It Xr skeyinit 1
|
|
used to setup your
|
|
.Em S/Key .
|
|
.It Nm
|
|
used to get the one time password(s).
|
|
.It Xr skeyinfo 1
|
|
used to initialize the
|
|
.Em S/Key
|
|
database for the specified user.
|
|
It also tells the user what the next challenge will be.
|
|
.It Xr skeyaudit 1
|
|
used to inform users that they will soon have to rerun
|
|
.Xr skeyinit 1 .
|
|
.El
|
|
.Pp
|
|
When you run
|
|
.Xr skeyinit 1
|
|
you inform the system of your
|
|
secret password.
|
|
Running
|
|
.Nm
|
|
then generates the
|
|
one-time password(s), after requiring your secret password.
|
|
If however, you misspell your secret password that you have given to
|
|
.Xr skeyinit 1
|
|
while running
|
|
.Xr skey 1
|
|
you will get a list of passwords
|
|
that will not work, and no indication about the problem.
|
|
.Pp
|
|
Password sequence numbers count backward from 99.
|
|
You can enter the passwords using small letters, even though
|
|
.Xr skey 1
|
|
prints them capitalized.
|
|
.Pp
|
|
The
|
|
.Fl n Ar count
|
|
argument asks for
|
|
.Ar count
|
|
password sequences to be printed out ending with the requested
|
|
sequence number.
|
|
.Pp
|
|
The hash algorithm is selected using the
|
|
.Fl t Ar hash
|
|
option, possible choices here are md4, md5 or sha1.
|
|
.Pp
|
|
The
|
|
.Fl p Ar password
|
|
allows the user to specify the
|
|
.Em S/Key
|
|
password on the command line.
|
|
.Pp
|
|
To output the S/Key list in hexadecimal instead of words,
|
|
use the
|
|
.Fl x
|
|
option.
|
|
.Pp
|
|
The
|
|
.Fl f
|
|
option can be used to override the
|
|
strict length checking for passwords. Do not use this option until you have
|
|
very good reason to do so, as shorter passwords violate RFC2289.
|
|
.Sh EXAMPLE
|
|
Initialize generation of one time passwords:
|
|
.Bd -literal -offset indent
|
|
host% skeyinit
|
|
Password: <normal login password>
|
|
[Adding username]
|
|
Enter secret password: <new secret password>
|
|
Again secret password: <new secret password again>
|
|
ID username s/key is 99 host12345
|
|
Next login password: SOME SIX WORDS THAT WERE COMPUTED
|
|
.Ed
|
|
.Pp
|
|
Produce a list of one time passwords to take with to a conference:
|
|
.Bd -literal -offset indent
|
|
host% skey -n 3 99 host12345
|
|
Enter secret password: <secret password as used with skeyinit>
|
|
97: NOSE FOOT RUSH FEAR GREY JUST
|
|
98: YAWN LEO DEED BIND WACK BRAE
|
|
99: SOME SIX WORDS THAT WERE COMPUTED
|
|
.Ed
|
|
.Pp
|
|
Logging in to a host where
|
|
.Nm
|
|
is installed:
|
|
.Bd -literal -offset indent
|
|
host% telnet host
|
|
|
|
login: <username>
|
|
Password [s/key 97 host12345]:
|
|
.Ed
|
|
.Pp
|
|
Note that the user can use either his/her
|
|
.Em S/Key
|
|
password at the prompt but also the normal one unless the
|
|
.Fl s
|
|
flag is given to
|
|
.Xr login 1 .
|
|
.Sh SEE ALSO
|
|
.Xr skeyaudit 1 ,
|
|
.Xr skeyinfo 1 ,
|
|
.Xr skeyinit 1 ,
|
|
.Xr login 1 ,
|
|
.Xr ftpd 8
|
|
.Pp
|
|
.Em RFC2289
|
|
.Sh TRADEMARKS AND PATENTS
|
|
.Em S/Key
|
|
is a trademark of
|
|
.Tn Bellcore .
|
|
.Sh AUTHORS
|
|
Phil Karn,
|
|
Neil M. Haller,
|
|
John S. Walden,
|
|
Scott Chasin
|