Using S/Key

Initializing yourself with s/key

In order to log in remotely to in, you must first register yourself with the s/key program, by running the keyinit(1) command on in as follows:
  1. Log in to a local machine in the CS department, i.e. in the Sun Lab.

  2. Go to the machine in by using the ssh command:
    % ssh in
    ********************************************************************
         Brown University Computer Science Department Telnet Server
                 Type "?" or "help" for a list of commands
    ********************************************************************
    in:
     
    
  3. Run the keyinit command. Keyinit will ask you for a secret password. Unlike UNIX passwords, s/key passwords can be longer than 8 characters and can contain spaces, so it is suggested that you choose a short phrase such as "I like coconuts." NOTE: Your pass phrase should NOT be the same as your UNIX password. keyinit will provide you with the 99th one-time password in the sequence (this password will be echoed but never used):
    in: keyinit
    Updating sas:
    Old key: in353401
    Reminder - Only use this command if you are directly connected to the
    Brown CS network from a local machine or via a dialup line.
    Enter secret password:
    Again secret password:
     
    ID sas s/key is 99 in353402
    TALL TO FUM OUST OTT JIVE
    in:
    

  4. After running keyinit, be sure to test your new passwords by telnetting to in as described below. This will ensure that you have not made any typing mistakes; typos can make an entire set of one-time passwords unusable.

Logging into in using s/key

Now that you have initialized yourself with the s/key program, you can telnet or ftp to in. When you remotely log into in via the internet, the s/key program will prompt you for the next one-time password in your sequence:

% telnet in.cs.brown.edu
Trying 128.148.33.15...
Connected to in.cs.brown.edu.
Escape character is '^]'.
 
 
UNIX(r) System V Release 4.0 (in)
 
login: sas
s/key 98 in353402
(s/key required)
Password:

There are two ways of obtaining this one-time password. The most secure and convenient method is to use s/key software locally on the machine you are telnetting from. We have placed s/key software for the Mac, PC, and UNIX on our anonymous FTP server. When you are prompted for your one-time password, you can give the s/key count and seed as input to your local software. In this example the count and seed are 98 in353402. You will be required to type your secret pass phrase into your local software, which will then generate the 6-word one-time password. Now, just enter this one-time password at the password prompt on in. The s/key program is case insensitive, so the password does not have to be in all caps.
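How the count and seed turn a pass phrase into a one-time password, and why the server asks for 98 after keyinit showed 99, as an added sketch that is not the department's or the s/key distribution's code. It assumes the MD5 variant of the OTP scheme from RFC 2289 (this page does not say which hash in uses; the original S/Key used MD4), prints the 64-bit value raw instead of as six words, and the Server class and function names are hypothetical.

```python
import hashlib

def fold_md5(data: bytes) -> bytes:
    """MD5, then XOR the two 8-byte halves to get a 64-bit value (RFC 2289)."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp(passphrase: str, seed: str, count: int) -> bytes:
    """Password number `count`: hash seed+pass phrase, then hash `count` more times."""
    value = fold_md5(seed.lower().encode() + passphrase.encode())
    for _ in range(count):
        value = fold_md5(value)
    return value

class Server:
    """Hypothetical login side: stores the last accepted password, never the pass phrase."""
    def __init__(self, seed: str, count: int, last_otp: bytes):
        self.seed, self.count, self.last = seed, count, last_otp

    def challenge(self) -> str:
        # Always ask for the password one step earlier in the chain.
        return f"s/key {self.count - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        # Hashing the response once must reproduce the stored value.
        if fold_md5(response) != self.last:
            return False
        # Accepted: the response becomes the new stored value, so it cannot be reused.
        self.last, self.count = response, self.count - 1
        return True

def demo():
    # Pass phrase and seed are taken from the examples on this page.
    phrase, seed = "I like coconuts.", "in353402"
    server = Server(seed, 99, otp(phrase, seed, 99))  # state after keyinit
    prompt = server.challenge()                       # count 98, same seed
    answer = otp(phrase, seed, 98)                    # computed by local software
    first = server.verify(answer)                     # accepted
    replay = server.verify(answer)                    # captured password replayed
    return prompt, first, replay, server.challenge()

if __name__ == "__main__":
    print(demo())
```

Because the server only ever hashes forward, a password captured from the telnet session verifies against nothing once it has been accepted, and the next prompt moves to count 97.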

Another method of obtaining one-time passwords is to generate a password list. To print out your current set of 100 s/key passwords, you can run the keyprint command on in. Note that keyprint will not generate a new set of one-time passwords, but will only print your current set. Be sure you are logged into a machine locally in the department, i.e. in the Sun Lab, before running keyprint. To specify which printer to print your password list to, use the -P switch. Be sure to specify a printer; if you do not, the output of keyprint will go to your terminal. For instance, to print your password list to ps1 do the following:

in: keyprint -Pps1
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password:
in:

Page Owner: Dorinda Moulton Last Modified: Mon Jun 30 07:22:03 2008