Contributed by Garrett Wollman <wollman@FreeBSD.org> 25 September 1995.
S/Key is a one-time password scheme based on a one-way hash function (in our version, this is MD4 for compatibility; other versions have used MD5 and DES-MAC). S/Key has been a standard part of all FreeBSD distributions since version 1.1.5, and is also implemented on a large and growing number of other systems. S/Key is a registered trademark of Bell Communications Research, Inc.
There are three different sorts of passwords which we will talk about in the discussion below. The first is your usual UNIX-style or Kerberos password; we will call this a ``UNIX password''. The second sort is the one-time password which is generated by the S/Key key program and accepted by the keyinit program and the login prompt; we will call this a ``one-time password''. The final sort of password is the secret password which you give to the key program (and sometimes the keyinit program) which it uses to generate one-time passwords; we will call it a ``secret password'' or just unqualified ``password''.
The secret password does not necessarily have anything to do with your UNIX password (while they can be the same, this is not recommended). While UNIX passwords are limited to eight characters in length, your S/Key secret password can be as long as you like; I use seven-word phrases. In general, the S/Key system operates completely independently of the UNIX password system.
There are in addition two other sorts of data involved in the S/Key system; one is called the ``seed'' or (confusingly) ``key'', and consists of two letters and five digits, and the other is the ``iteration count'' and is a number between 100 and 1. S/Key constructs a one-time password from these components by concatenating the seed and the secret password, then applying a one-way hash (the RSA Data Security, Inc., MD4 secure hash function) iteration-count times, and turning the result into six short English words. The login and su programs keep track of the last one-time password used, and the user is authenticated if the hash of the user-provided password is equal to the previous password. Because a one-way hash function is used, it is not possible to generate future one-time passwords having overheard one which was successfully used; the iteration count is decremented after each successful login to keep the user and login program in sync. (When you get the iteration count down to 1, it is time to reinitialize S/Key.)
There are four programs involved in the S/Key system which we will discuss below. The key program accepts an iteration count, a seed, and a secret password, and generates a one-time password. The keyinit program is used to initialized S/Key, and to change passwords, iteration counts, or seeds; it takes either a secret password, or an iteration count, seed, and one-time password. The keyinfo program examines the /etc/skeykeys file and prints out the invoking user's current iteration count and seed. Finally, the login and su programs contain the necessary logic to accept S/Key one-time passwords for authentication. The login program is also capable of disallowing the use of UNIX passwords on connections coming from specified addresses.
There are four different sorts of operations we will cover. The first is using the keyinit program over a secure connection to set up S/Key for the first time, or to change your password or seed. The second operation is using the keyinit program over an insecure connection, in conjunction with the key program over a secure connection, to do the same. The third is using the key program to log in over an insecure connection. The fourth is using the key program to generate a number of keys which can be written down or printed out to carry with you when going to some location without secure connections to anywhere (like at a conference).
To initialize S/Key, change your password, or change your seed while logged in over a secure connection (e.g., on the console of a machine), use the keyinit command without any parameters while logged in as yourself:
% keyinit Updating wollman: ) these will not appear if you Old key: ha73895 ) have not used S/Key before Reminder - Only use this method if you are directly connected. If you are using telnet or rlogin exit with no password and use keyinit -s. Enter secret password: ) I typed my pass phrase here Again secret password: ) I typed it again ID wollman s/key is 99 ha73896 ) discussed below SAG HAS FONT GOUT FATE BOOM )
There is a lot of information here. At theEnter secret password: prompt, you should enter some password or phrase (I use phrases of minimum seven words) which will be needed to generate login keys. The line starting `ID' gives the parameters of your particular S/Key instance: your login name, the iteration count, and seed. When logging in with S/Key, the system will remember these parameters and present them back to you so you do not have to remember them. The last line gives the particular one-time password which corresponds to those parameters and your secret password; if you were to re-login immediately, this one-time password is the one you would use.
To initialize S/Key or change your password or seed over an insecure connection, you will need to already have a secure connection to some place where you can run the key program; this might be in the form of a desk accessory on a Macintosh, or a shell prompt on a machine you trust (we will show the latter). You will also need to make up an iteration count (100 is probably a good value), and you may make up your own seed or use a randomly-generated one. Over on the insecure connection (to the machine you are initializing), use the keyinit -s command:
% keyinit -s Updating wollman: Old key: kh94741 Reminder you need the 6 English words from the skey command. Enter sequence count from 1 to 9999: 100 ) I typed this Enter new key [default kh94742]: s/key 100 kh94742
To accept the default seed (which the keyinit program confusingly calls a key), press return. Then move over to your secure connection or S/Key desk accessory, and give it the same parameters:
% key 100 kh94742 Reminder - Do not use this program while logged in via telnet or rlogin. Enter secret password: ) I typed my secret password HULL NAY YANG TREE TOUT VETO
Now switch back over to the insecure connection, and copy the one-time password generated by key over to the keyinit program:
s/key access password: HULL NAY YANG TREE TOUT VETO ID wollman s/key is 100 kh94742 HULL NAY YANG TREE TOUT VETO
The rest of the description from the previous section applies here as well.
Before explaining how to generate one-time passwords, we should go over an S/Key login prompt:
% telnet himalia Trying 184.108.40.206... Connected to himalia.lcs.mit.edu. Escape character is '^]'. s/key 92 hi52030 Password:
Note that, before prompting for a password, the login program prints out the iteration number and seed which you will need in order to generate the appropriate key. You will also find a useful feature (not shown here): if you press return at the password prompt, the login program will turn echo on, so you can see what you are typing. This can be extremely useful if you are attempting to type in an S/Key by hand, such as from a printout.
If this machine were configured to disallow UNIX passwords over a connection from my machine, the prompt would have also included the annotation (s/key required), indicating that only S/Key one-time passwords will be accepted.
Now, to generate the one-time password needed to answer this login prompt, we use a trusted machine and the key program. (There are versions of the key program from DOS and Windows machines, and there is an S/Key desk accessory for Macintosh computers as well.) The command-line key program takes as its parameters the iteration count and seed; you can cut-and-paste right from the login prompt starting at key to the end of the line. Thus:
% key 92 hi52030 ) pasted from previous section Reminder - Do not use this program while logged in via telnet or rlogin. Enter secret password: ) I typed my secret password ADEN BED WOLF HAW HOT STUN
And in the other window:
s/key 92 hi52030 ) from previous section Password: (turning echo on) Password:ADEN BED WOLF HAW HOT STUN Last login: Wed Jun 28 15:31:00 from halloran-eldar.l [etc.]
This is the easiest mechanism if you have a trusted machine. There is a Java S/Key key applet, The Java OTP Calculator, that you can download and run locally on any Java supporting browser.
Sometimes we have to go places where no trusted machines or connections are available. In this case, it is possible to use the key command to generate a number of one-time passwords in the same command; these can then be printed out. For example:
% key -n 25 57 zz99999 Reminder - Do not use this program while logged in via telnet or rlogin. Enter secret password: 33: WALT THY MALI DARN NIT HEAD 34: ASK RICE BEAU GINA DOUR STAG ... 56: AMOS BOWL LUG FAT CAIN INCH 57: GROW HAYS TUN DISH CAR BALM
The -n 25 requests twenty-five keys in sequence; the 57 indicates the ending iteration number; and the rest is as before. Note that these are printed out in reverse order of eventual use. If you are really paranoid, you might want to write the results down by hand; otherwise you can cut-and-paste into lpr. Note that each line shows both the iteration count and the one-time password; you may still find it handy to scratch off passwords as you use them.
The configuration file /etc/skey.access can be used to configure restrictions on the use of UNIX passwords based on the host name, user name, terminal port, or IP address of a login session. The complete format of the file is documented in the skey.access(5) manual page; there are also some security cautions there which should be read before depending on this file for security.
If there is no /etc/skey.access file (which is the default state as FreeBSD is shipped), then all users will be allowed to use UNIX passwords. If the file exists, however, then all users will be required to use S/Key unless explicitly permitted to do otherwise by configuration statements in the skey.access file. In all cases, UNIX passwords are permitted on the console.
Here is a sample configuration file which illustrates the three most common sorts of configuration statements:
permit internet 220.127.116.11 255.255.0.0 permit user jrl permit port ttyd0
The first line (permit internet) allows users whose IP source address (which is vulnerable to spoofing) matches the specified value and mask, to use UNIX passwords. This should not be considered a security mechanism, but rather, a means to remind authorized users that they are using an insecure network and need to use S/Key for authentication.
The second line (permit user) allows the specified user to use UNIX passwords at any time. Generally speaking, this should only be used for people who are either unable to use the key program, like those with dumb terminals, or those who are uneducable.
The third line (permit port) allows all users logging in on the specified terminal line to use UNIX passwords; this would be used for dial-ups.