Date:      Wed, 6 Nov 2002 01:59:57 -0500
From:      Jim <jconner@enterit.com>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Fwd: Re: Help with s/key
Message-ID:  <200211060640.gA66eep07913@quasi.concon.homeip.net>

S/Key is a pretty nifty way of sending garbled passwords over cleartext means
(telnet).  It was sort of a precursor to ssh.  Although widely used still,
it is somewhat obsolete...but then, one can never be too paranoid, right? :)

So, let me 'splain...

| Sincerely, I don't understand this stuff. I've tried to read it.
| Is anyone willing to tell me the advantages of s/key and whether I should
| use it?
|
| This is what happens:
|
| <cut>
| wash@ns2 ('tty') ~ 479 -> ssh newhost
| otp-md5 105 ba3562 ext
| S/Key Password:

Ok, right here is where you would get the s/key encryption generator thingy
out (in windows you can use winkey (google it)).  There is a *nix command
that will do it too, although, at this time, I can't remember the name of it.

In short, what you would do, provided s/key has a valid passwd for the user
you are trying to log in as (it's a separate file in /etc generally called
opeykeys, iirc), when you get the prompt above you would copy the
challenge: otp-md5 105 ba3562 ext
(you really only need the 105 ba3562 but using the whole thing is harmless).

Then you paste that into winkey or the unix equivalent (again, can't remember
what that is called now...I'm doing this all from memory and it's been well
over four years since I've used s/key).  When you press enter you will be
prompted for your password (again, not the system passwd necessarily but the
one you set yourself up with for skey which is reflected in the /etc/opeykeys
file).  Then you will get a strange set of words that look similar to:
HAPPY DESKS AUTOS MAILBOX PEOPLE BLAH
That is what you then copy and paste back to skey at the "S/Key Password:"
prompt and VOILA...assuming you typed your password correctly you should be
granted access.

There are a few neato things about skey.  As the admin, when you set someone
up with an skey account (and if skey is the only login method allowed for
your machine) you set that person up with a certain number of allowed logins
(in the case above, the number left for the allowed logins is 105).  This
number decrements upon every login attempt (iirc....might be every successful
login but I am pretty sure it's every attempt).  When this number hits 0 that
user is no longer allowed to attempt to log in until you, as the admin, make
that number > 0.

Openssh will use s/key as a backup method of logging in.  Rightly so; if you
think about it, you do NOT want to send your passwords cleartext over telnet
connections.  You're begging for trouble if you do that.  S/Key makes it so
that you can send your password over telnet in cleartext without a cracker
easily getting your password from the wire.  S/Key, last I checked, by
default uses MD5 hashes but I know it can use DSA and MD4 and perhaps other
algorithms as well.

What you are seeing below, if I'm not mistaken, is openssh falling back to
different login methods.  It's probably going in this order: private key,
s/key, then password.

Hope this helps.  If I got anything wrong please correct me.  I really mean
it that I haven't used S/Key in a loooong time.  But I used to use it all the
time on my servers until ssh became popular.

- Jim

| otp-md5 172 ba9156 ext
| S/Key Password:
| otp-md5 236 ba7561 ext
| S/Key Password:
| wash@newhost.wananchi.com's password:
| Last login: Fri Nov  1 18:31:46 2002 from 62.8.64.13
| Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
|         The Regents of the University of California.  All rights reserved.
| FreeBSD 4.6.2-RELEASE (backup) #0: Fri Oct 11 19:02:55 GMT 2002
|
|
| Welcome to RBS backup server!
|
|
| bash-2.05a$
| </cut>
|
|
|
| Thanks
|
| -Wash

--

- Jim
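The challenge/response exchange Jim describes above, as an added Python example that is not part of the original post: it implements the RFC 2289 otp-md5 computation (MD5 folded to 64 bits, iterated once per sequence number) on both the generator and the server side, using the seed from the quoted challenge and a constructed passphrase. The SkeyServer class, the passphrase and the enrollment count are illustration-only assumptions; the six-word encoding needs the RFC's 2048-word dictionary and is left out, so responses stay as raw 8-byte values (the hex form).

```python
import hashlib
import hmac

def fold_md5(data: bytes) -> bytes:
    """One RFC 2289 otp-md5 step: MD5 the input, XOR the two 64-bit halves of the digest."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))

def otp_md5(passphrase: str, seed: str, sequence: int) -> bytes:
    """OTP number `sequence`: fold(seed + passphrase), then re-fold `sequence` times.
    RFC 2289 treats the seed as case-insensitive, so it is lowercased first."""
    value = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(sequence):
        value = fold_md5(value)
    return value

def parse_challenge(challenge: str) -> tuple[int, str]:
    """'otp-md5 105 ba3562 ext' -> (105, 'ba3562'); the count and seed are all that matter."""
    algorithm, count, seed, *_ = challenge.split()
    if algorithm != "otp-md5":
        raise ValueError(f"unsupported OTP algorithm {algorithm!r}")
    return int(count), seed

class SkeyServer:
    """Per-user record (assumed layout): the sequence the next challenge asks for and the
    last accepted OTP.  Enrollment stores OTP(n) once; the passphrase never reaches the server."""
    def __init__(self, passphrase: str, seed: str, n: int):
        self.seed = seed
        self.sequence = n - 1                         # next challenge asks for OTP(n-1)
        self.last_otp = otp_md5(passphrase, seed, n)  # equals fold_md5(OTP(n-1))

    def challenge(self) -> str:
        return f"otp-md5 {self.sequence} {self.seed} ext"

    def verify(self, response: bytes) -> bool:
        """Accept iff one more fold of the response reproduces the stored OTP.  State
        advances only on success, so a replayed response or a wrong guess leaves it unchanged."""
        if self.sequence <= 0:
            return False                              # exhausted: admin must re-enroll
        if not hmac.compare_digest(fold_md5(response), self.last_otp):
            return False
        self.last_otp = response                      # remember OTP(sequence)
        self.sequence -= 1
        return True

def login(server: SkeyServer, passphrase: str) -> bool:
    """Client side: read the challenge, compute the response, submit it."""
    count, seed = parse_challenge(server.challenge())
    return server.verify(otp_md5(passphrase, seed, count))
```

Because each accepted response is stored and checked by hashing it once more, an eavesdropper who captures OTP(105) off the wire cannot derive OTP(104), and resending OTP(105) is rejected.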

