This document is an excerpt from the OpenBSD FAQ on how to use S/Key, which is a ``one-time password'' system. That is, a password can only be used once. This means it is not dangerous if the password is intercepted on its way across an unprotected network (e.g. the Internet). On tika this is primarily intended for logging in with ftp. The telnet service is not enabled; you should use ssh instead. Unfortunately I do not yet know of any free ssh for Amiga OS, but for Windows machines TTssh can be recommended.
To use S/Key in practice, you can create a list of the next passwords and carry it with you. On the list you can cross out the passwords you have already entered and in that way keep the list up to date.
S/Key is a ``one-time password'' scheme. This allows for one-time passwords for use on unsecured channels. This can come in very handy for those who don't have the ability to use ssh or any other encrypted channel. OpenBSD's S/Key implementation can use a variety of algorithms as the one-way hash. Here is the list of algorithms available:
To start off the file /etc/skeykeys must exist. If this file is not in existence, have the super-user create it. This can be done simply by doing:
# touch /etc/skeykeys
Once that file is in existence, you can initialize your S/Key. To do this you will have to use skeyinit(1). With skeyinit(1), you will first be prompted for your password to the system. This is the same password that you used to log into the system. Running skeyinit(1) over an insecure channel is not recommended at all, so this should be done over a secure channel (such as ssh) or the console. Once you have authorized yourself with your system password you will be asked for yet another password. This password is the secret password, and is NOT your system password. The secret password is not limited to 8 characters like system passwords; in fact it must be at least 10 characters. A phrase of a few words is suggested. Here is an example of a user being added.
oshibana:ericj> skeyinit ericj
[Adding ericj]
Reminder - Only use this method if you are directly connected
or have an encrypted channel. If you are using telnet
or rlogin, exit with no password and use skeyinit -s.
Enter secret password:
Again secret password:
ID ericj skey is otp-md5 99 oshi45820
Next login password: HAUL BUS JAKE DING HOT HOG
One line of particular importance here is ``ID ericj skey is otp-md5 99 oshi45820''. This gives a lot of information to the user. Here is a breakdown of the sections and their importance.
But of more immediate importance is your password. Your password consists of six short words; taken together, spaces and all, they form your password.
By now your skey has been initialized, and you have your password. You're ready to log in. Here is an example session using s/key to log in.
oshibana:ericj> ftp localhost
Connected to localhost.
220 oshibana.shin.ms FTP server (Version 6.4/OpenBSD) ready.
Name (localhost:ericj): ericj
331 Password [ otp-md5 96 oshi45820 ] for ericj required.
Password:
230- OpenBSD 2.5-current (OSHIBANA) #8: Tue Jun 22 19:20:16 EDT 1999
230-
230- Welcome to OpenBSD: The proactively secure Unix-like operating system.
230-
230- Please use the sendbug(1) utility to report bugs in the system.
230- Before reporting a bug, please try to reproduce it with the latest
230- version of the code. With bug reports, please try to ensure that
230- enough information to reproduce the problem is enclosed, and if a
230- known fix for it exists, include that as well.
230-
230 User ericj logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.
Some of you might have noticed that my sequence number has changed, to otp-md5 96 oshi45820. This is because by now I have used s/key to log in several times. But how do you get your password after you've logged in once? To do this, you'll need to know what sequence number you're on and your key. As you're probably thinking, how can you remember which sequence number you're on? This is simple: use skeyinfo(1), and it will tell you what to use. For example, here I need to generate another password for a login that I might have to make in the future (remember, I'm doing this from a secure channel).
oshibana:ericj> skeyinfo
95 oshi45820
From this I can create the password for my next login. To do so, I'll use skey(1). I can use exactly that output from above to create my password.
oshibana:ericj> skey 95 oshi45820
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password:
NOOK CHUB HOYT SAC DOLE FUME
I'm sure many of you won't always have a secure connection available to create these passwords, and creating them over an insecure connection isn't an option, so how can you create multiple passwords at one time? You can supply skey(1) with the number of passwords you want created. The output can then be printed out and taken with you wherever you go.
oshibana:ericj> skey -n 5 95 oshi45820
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password:
91: SHIM SET LEST HANS SMUG BOOT
92: SUE ARTY YAW SEED KURD BAND
93: JOEY SOOT PHI KYLE CURT REEK
94: WIRE BOGY MESS JUDE RUNT ADD
95: NOOK CHUB HOYT SAC DOLE FUME
Notice, though, that the bottom password should be the first one used, because we are counting down from 100.
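The hash chain behind skeyinit(1), skey(1), the countdown of the sequence number and the batch of passwords printed by skey -n, as an added example in Python. It is not part of the OpenBSD FAQ and is not OpenBSD's own skey code; it follows the RFC 2289 MD5 variant (hash, fold the 16-byte digest to 8 bytes by XORing the two halves, lower-cased seed), and RFC 2289 Appendix C publishes test vectors against which such an implementation can be cross-checked. The user name, seed and passphrase are constructed sample values; the six-word dictionary encoding is left out and passwords are shown in hex; and the server model (store the hash one step beyond the next expected password, accept a response only if hashing it once reproduces the stored value) is the scheme's general rule, not a transcript of the /etc/skeykeys file format.

```python
# Added example (not from the OpenBSD FAQ, not OpenBSD's skey code): a minimal
# model of the S/Key one-time password scheme, MD5 variant as in RFC 2289.
# Shows the hash chain, why the sequence number counts down, how the server
# verifies a password without ever storing the secret passphrase, and how a
# batch of passwords like "skey -n 5 95 seed" is produced.
import hashlib


def _fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 8 bytes by XORing its two halves (RFC 2289)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def initial_key(seed: str, passphrase: str) -> bytes:
    """Step 0: hash the lower-cased seed followed by the secret passphrase, then fold."""
    return _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())


def hash_step(key: bytes) -> bytes:
    """One application of the one-way function f() to an 8-byte key."""
    return _fold(hashlib.md5(key).digest())


def one_time_password(seed: str, passphrase: str, seq: int) -> bytes:
    """Password for sequence number seq: f() applied seq times to the initial key.
    Going from seq to seq+1 is one hash; going back requires inverting MD5."""
    key = initial_key(seed, passphrase)
    for _ in range(seq):
        key = hash_step(key)
    return key


def password_list(seed: str, passphrase: str, last_seq: int, count: int) -> dict:
    """Batch of passwords ending at last_seq, like `skey -n count last_seq seed`.
    Returned in ascending order (hex instead of six words); the highest
    sequence number is the one to use first, since the server counts down."""
    return {n: one_time_password(seed, passphrase, n).hex().upper()
            for n in range(last_seq - count + 1, last_seq + 1)}


class SkeyServer:
    """Per-user state comparable to what /etc/skeykeys holds: the hash of the
    next expected password and its sequence number, never the passphrase."""

    def __init__(self, user: str, seed: str, next_seq: int, stored: bytes):
        self.user, self.seed, self.next_seq, self.stored = user, seed, next_seq, stored

    @classmethod
    def skeyinit(cls, user: str, seed: str, passphrase: str, seq: int = 99):
        # Done once over a trusted channel: compute one step beyond the first
        # usable password (seq 99 here, as in the FAQ), then forget the passphrase.
        return cls(user, seed, seq, one_time_password(seed, passphrase, seq + 1))

    def challenge(self) -> str:
        """The challenge shown at login, e.g. "otp-md5 99 oshi45820"."""
        return f"otp-md5 {self.next_seq} {self.seed}"

    def verify(self, response: bytes) -> bool:
        """Accept only if hashing the response once reproduces the stored value;
        then the response itself becomes the stored value for the next login,
        which is what makes a captured password useless for a replay."""
        if self.next_seq < 0:
            return False  # chain exhausted: the user must run skeyinit again
        if hash_step(response) != self.stored:
            return False
        self.stored = response
        self.next_seq -= 1
        return True


if __name__ == "__main__":
    SECRET = "correct horse battery"   # constructed sample passphrase (>= 10 chars)
    srv = SkeyServer.skeyinit("ericj", "oshi45820", SECRET)
    print("ID ericj skey is", srv.challenge())
    for n in (99, 98):
        pw = one_time_password("oshi45820", SECRET, n)
        print(f"login with password {n}: accepted={srv.verify(pw)}")
    print("replay of password 99:", srv.verify(one_time_password("oshi45820", SECRET, 99)))
    for n, pw in password_list("oshi45820", SECRET, 97, 5).items():
        print(f"{n}: {pw}")
```

The countdown is the whole point of the design: the server holds f(p) and learns p at login, and because f is one-way it cannot compute the next password p' with f(p') = p, so a stolen /etc/skeykeys entry or a sniffed password yields nothing that is still accepted. The same property is why the printed list must be consumed from the highest number downwards and why skeyinit(1) and skey(1) must only be run where the passphrase cannot be observed.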
Using S/Key with telnet(1) and rlogin(1) is done in pretty much the same fashion as with ftp, only your first password must be "s/key". Example:
ericj@oshibana> telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

OpenBSD/i386 (oshibana) (ttyp2)

login: ericj
Password:                       <------------ "s/key" entered.
otp-md5 98 oshi45821
Response: SCAN OLGA BING PUB REEL COCA
Last login: Thu Oct 7 12:21:48 on ttyp1 from 156.63.248.77
Warning: no Kerberos tickets issued.
OpenBSD 2.5-current (OSHIBANA) #4: Thu Sep 2 23:36:16 EDT 1999

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code. With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

You have mail.
ericj@oshibana>
For more control over S/Key there is the /etc/skey.access file. (This does not exist by default, so it must be created.) This file can restrict S/Key in three primary ways.
If I wanted to allow one single user (ericj) from a certain IP (10.1.1.5), I would create a file like so:
# cat /etc/skey.access
permit internet 10.1.1.5
permit user ericj