S/KEY
About
S/KEY is a one-time password scheme: each password is valid for a single login. Use it when you must type a password somewhere your keystrokes may be monitored. The passwords are derived from a passphrase that acts as the key, and usually around 100 are generated at one time. (This passphrase is independent of your main system password.)
Install
First emerge the 'skey' package
emerge -av sys-auth/skey
And set the skey USE flag in /etc/make.conf
Then re-emerge any packages that support skeys.
emerge -avN world
Now generate the skeys for the users you wish to use with it:
As root:
skeyinit USER
As a regular user:
skeyinit
And follow the instructions.
Notes
Currently Gentoo does not have a PAM module for S/Key (but see the note on sys-auth/pam_skey below), so you will need to rely on individual programs that have been modified to take S/Key into account. SSH does this automatically.
One notable application is sudo. It can only use PAM or S/Key, not both as SSH does. One way of working around this is to emerge sudo with -pam +skey and then rename /usr/bin/sudo to /usr/bin/sudo-skey, then emerge it again with pam enabled. Note that you will need to remember to do this each time a new version of sudo is released. There also exists a PAM module for S/Key called "sys-auth/pam_skey".
OpenSSH
I got it working with SSH so I thought someone might like an example. Hope you don't mind. Make sure you read the above documentation!
File: /etc/ssh/sshd_config
Port 22
Protocol 2
AllowUsers jdoe
Ciphers blowfish-cbc,aes256-cbc,aes256-ctr
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
StrictModes yes
RhostsRSAAuthentication no
RSAAuthentication yes
UsePrivilegeSeparation yes
LoginGraceTime 30
MaxStartups 5
MaxAuthTries 6
HostKey /etc/ssh/ssh_host_dsa_key
ChallengeResponseAuthentication yes
Note: I had to disable PAM and enable ChallengeResponseAuthentication. Restart ssh and then do the following in two separate shells.
(Actually you don't have to disable PAM; just press Enter at the first login password prompt, or rearrange the PAM modules.)
Code: Shell 1
$ ssh localhost
otp-md5 95 lapt77187
S/Key Password:
Code: Shell 2
$ skey 95 lapt77187
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password: <password you set with skeyinit>
WHOM FEE MOT GRAY SWAM IO
Code: Shell 1
S/Key Password: WHOM FEE MOT GRAY SWAM IO
Last login: Tue Dec 6 15:10:58 2005 from localhost
That's it. You are logged in via S/Key, and if the password is wrong, it kicks you out and doesn't offer another type of authentication!
Generating S/Key One-time-passwords
There are two possibilities: pregenerate a list of passwords and carry it with you, or generate them when needed. However, you should never generate a one-time password on a machine you can't absolutely trust, as this would reveal your passphrase. There is an easy and more secure way to generate one-time passwords on the go, as long as you own a mobile phone supporting Java: jOTP, a Java One-Time-Password generator.
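The following is an added example, not code from the skey package or from this page's author, that models what happens in the two-shell SSH session above and in the pregenerated-list option just described. It implements the otp-md5 hash chain from RFC 2289 (MD5 of lowercased seed plus passphrase, folded to 8 bytes, then hashed and folded once per step), a server object standing in for what skeyinit stores (seed, count and the hash at that count, never the passphrase), and the client computation that skey performs. The seed lapt77187 and the challenge otp-md5 95 lapt77187 are taken from the page; the passphrase "correct horse battery" is constructed, and passwords are shown in hex rather than the six-word encoding because the 2048-word RFC dictionary is not embedded here.

```python
"""Minimal model of the S/KEY (RFC 2289 otp-md5) challenge/response exchange."""
import hashlib
import hmac


def _fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 8 bytes by XORing the two halves (RFC 2289)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_md5_step(value: bytes) -> bytes:
    """One step up the hash chain: H(value) = fold(MD5(value))."""
    return _fold(hashlib.md5(value).digest())


def otp_md5(seed: str, passphrase: str, count: int) -> bytes:
    """One-time password number `count`: H applied `count` times to fold(MD5(seed + passphrase)).

    The seed is case-insensitive and is lowercased before use, as RFC 2289 requires.
    """
    value = _fold(hashlib.md5((seed.lower() + passphrase).encode("utf-8")).digest())
    for _ in range(count):
        value = otp_md5_step(value)
    return value


def generate_list(seed: str, passphrase: str, first: int, how_many: int) -> list:
    """Pregenerate a printable list, highest sequence number first (they are used top to bottom)."""
    last = max(first - how_many, -1)
    return [(n, otp_md5(seed, passphrase, n).hex()) for n in range(first, last, -1)]


class SkeyServer:
    """Server side: after skeyinit it keeps only the seed, the count and H^count (an in-memory stand-in)."""

    def __init__(self, seed: str, passphrase: str, count: int):
        # skeyinit computes the top of the chain once; the passphrase itself is never stored.
        self.seed = seed
        self.count = count
        self.stored = otp_md5(seed, passphrase, count)

    def challenge(self) -> str:
        """The prompt sshd shows, e.g. 'otp-md5 95 lapt77187'. Refuses once the chain is used up."""
        if self.count < 1:
            raise RuntimeError("sequence exhausted: run skeyinit again")
        return f"otp-md5 {self.count - 1} {self.seed}"

    def verify(self, response_hex: str) -> bool:
        """Accept iff hashing the response once yields the stored value, then move down the chain."""
        try:
            response = bytes.fromhex(response_hex.replace(" ", ""))
        except ValueError:
            return False
        if len(response) != 8 or self.count < 1:
            return False
        if not hmac.compare_digest(otp_md5_step(response), self.stored):
            return False
        self.stored = response  # the accepted password becomes the new top of the chain
        self.count -= 1         # so a replay of it can never verify again
        return True


def client_response(challenge: str, passphrase: str) -> str:
    """What `skey <count> <seed>` computes from the challenge (hex instead of the six-word form)."""
    algorithm, count, seed = challenge.split()
    if algorithm != "otp-md5":
        raise ValueError(f"unsupported algorithm {algorithm}")
    return otp_md5(seed, passphrase, int(count)).hex()


def run_exchange(seed: str = "lapt77187", passphrase: str = "correct horse battery", count: int = 96) -> dict:
    """Replay the two-shell session: one good login, one replay attempt, one wrong passphrase."""
    server = SkeyServer(seed, passphrase, count)      # skeyinit left H^96 on the server
    challenge = server.challenge()                    # sshd asks for password number 95
    response = client_response(challenge, passphrase)  # skey 95 lapt77187 in the second shell
    return {
        "challenge": challenge,
        "login_ok": server.verify(response),
        "replay_rejected": not server.verify(response),
        "wrong_passphrase_rejected": not server.verify(client_response(server.challenge(), "guess")),
        "next_challenge": server.challenge(),
    }


if __name__ == "__main__":
    for key, val in run_exchange().items():
        print(f"{key}: {val}")
```

The verification step is the whole point of the design: the server only ever holds H^n, and a password that has been accepted is immediately stored as the new top, so capturing it on the wire buys an attacker nothing. It also shows why the warning about untrusted machines matters: the client side needs the passphrase in the clear to compute any password at all, which a pregenerated list avoids.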
See also
- S/KEY tutorial
- heise security: One time passwords for home users, also available in German: heise security: Einmalpasswörter für den Heimgebrauch
