initial and only intended commit
124
site-tutorials/skey_tutorial.html
Normal file
@@ -0,0 +1,124 @@
<style type="text/css">
p {
margin-right:10em;
}
pre {
margin-left: 2em;
margin-right: 30em;
background-color: #ddd; padding: 10px;
color: green;
}
</style>

<h2>Using Skey One-Time Pass-phrases for Logging in at Insecure Terminals</h2>
<hr>

<p><font color="brown">Note: skey(1) is currently only enabled for ssh(1) sessions on SDF.
It also appears to only work with MD4 hashes.</font></p>

<h3>Concept:</h3>
<p>By creating a set of one-time use pass-phrases, the <b>skey(1)</b>
utility lets users securely login remotely at insecure terminals without
exposing their real password.</p>

<h3>Precautions:</h3>
<p>Once logged in, its important for security reasons that the user
NOT type his/her real password during the session.</p>
<h3>Creating your skeys:</h3>
<p>Your skeys are created via the 'skeyinit' command. There are some
options available (see 'man skeyinit') but the defaults work just
fine. Typing 'skeyinit' starts the process. You'll be prompted for
your real password, so its important that you be securely logged in
via ssh or similar. After you enter your password you're prompted
for a skey-specific password (alphanumeric; 10+digits) which you'll
need to enter twice. Things went correctly if you get something
like this:</p>
<pre>
member@sdf: {4} skeyinit
Password:
[Adding member]
Reminder - Only use this method if you are directly connected
or have an encrypted channel. If you are using telnet
or rlogin, exit with no password and use skeyinit -s.

Enter secret password:
Again secret password:

ID member skey is otp-md4 99 sdf65974
Next login password: AGEE HOE HANK TAR MAY AID

member@sdf: {5}
</pre>
<p>Aside from your secret skey password, the important bit of
information here is the ID: in this example member's unique skey ID is
sdf65974, there are 99 pass-phrases available (default), and they are
encrypted using MD4.</p>
<p>As you can see, the first pass-phrase is provided. However, the
default settings produce 99 pass-phrases, some or all(!) which you
can display for printing purposes. To display the next six
pass-phrases in the above example, we type 'skey -n 6 99 sdf65974'
and reenter the secret password:</p>
<pre>
member@sdf: {10} skey -n 6 99 sdf66315
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password:
94: HURT PO WAS COLT TEET ALGA
95: OBEY MONK BOP GELD ELY ALL
96: DUCK AIM BEND TENT FORK OAT
97: ANA ITCH TOOL THAN CAM GIN
98: LEAR STAG BELT BABY FEW WAY
99: TOW CUE WELL REP GRIT MINI
</pre>

<p>Incidentally, the pass-phrases get used starting at 99 and can be
entered in upper or lower case (the spaces must be included
however). To see what our next skey pass-phrase number is we type
'skeyinfo':</p>
<pre>
member@sdf: {11} skeyinfo
Your next otp-md4 98 sdf66315
</pre>
<p>This means I need to use pass-phrase #98 next time I want to login with
an skey pass-phrase. To make obtaining the next pass-phrase easier, create
an alias:</p>
<pre>
(for ksh shell; other shells work differently)

% alias skey-next='skey -n 1 $(skeyinfo | cut -d " " -f 4-)'
% skey-next
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password:
LEAR STAG BELT BABY FEW WAY

</pre>
<h3>Deleting Skeys:</h3>
<p>To delete your skeys type 'skeyinit -z' and enter your real
password (do it via ssh session!). To verify deletion type
'skeyinfo':</p>
<pre>
member@sdf: {2} skeyinit -z
Password:
member@sdf: {3} skeyinfo
You have no s/key
</pre>
<h3>Logging in:</h3>
<p>To connect via ssh or sftp use your usual login name and you next
skey pass-phrase (lowercase is fine; keep the spaces). Generally, the
password prompt will provide some visual indication that you can enter
an skey pass-phrase:</p>
<pre>
% ssh member@sdf.org
otp-md4 98 sdf66315
S/Key Password:

</pre>
<p>On some systems and/or skey implementations you must first enter the
login "skey", then your regular login name, then the skey pass-phrase.</p>

<h3>References:</h3>
<ul>
<li>man pages for skey, skeyinit, and skeyinfo</li>
<li>Internet search phrase "using skeys"</li>
</ul>
<br>
<cite>$Id: skey_tutorial.html,v 1.5 2012/06/03 15:10:45 jgw Exp $</cite>
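Review bot: the worked example changes seed part-way through, which will confuse anyone trying to follow the sequence number and seed from one transcript to the next: the skeyinit transcript reports `ID member skey is otp-md4 99 sdf65974` and the prose says to run `skey -n 6 99 sdf65974`, but the transcript that follows runs `skey -n 6 99 sdf66315`, skeyinfo reports `sdf66315`, and the ssh prompt shows `otp-md4 98 sdf66315`; pick one seed and use it in every transcript. The "Aside from your secret skey password" paragraph says the pass-phrases are "encrypted using MD4"; the note at the top and the `otp-md4` label both call it a hash, so "hashed using MD4" is the accurate wording. The "display for printing purposes" paragraph would be stronger with one sentence stating that a displayed or printed list of pass-phrases is itself a credential and must be handled like a password, since the program's own reminder only warns about telnet and rlogin sessions. Typos worth fixing in the same commit: "its important" twice (it's), "some or all(!) which" (of which), and "you next skey pass-phrase" (your). Finally, `<font color="brown">` is obsolete HTML; the page already has a `<style>` block, so a class on the `<p>` would do the same job.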