Contributed by &a.wollman;
S/Key is a one-time password scheme based on a one-way hash function (in our version, this is MD4 for compatibility; other versions have used MD5 and DES-MAC). S/Key has been a standard part of all FreeBSD distributions since version 1.1.5, and is also implemented on a large and growing number of other systems. S/Key is a registered trademark of Bell Communications Research, Inc.
There are three different sorts of passwords which we will talk about in the discussion below. The first is your usual UNIX-style or Kerberos password; we'll call this a ``UNIX password''. The second sort is the one-time password which is generated by the S/Key `

The secret password does not necessarily have anything to do with your UNIX password (while they can be the same, this is not recommended). While UNIX passwords are limited to eight characters in length, your S/Key secret password can be as long as you like; I use seven-word phrases. In general, the S/Key system operates completely independently of the UNIX password system.
There are in addition two other sorts of data involved in the S/Key
system; one is called the ``seed'' or (confusingly) ``key'', and
consists of two letters and five digits, and the other is the
``iteration count'' and is a number between 100 and 1. S/Key
constructs a one-time password from these components by concatenating
the seed and the secret password, then applying a one-way hash (the
RSA Data Security, Inc., MD4 secure hash function) iteration-count
times, and turning the result into six short English words. The

`There are four programs involved in the S/Key system which we will
discuss below. The `

/etc/skeykeys file and
prints out the invoking user's current iteration count and seed.

Finally, the `

There are four different sorts of operations we will cover. The first
is using the `
To initialize S/Key, change your password, or change your seed while
logged in over a secure connection (e.g., on the console of a machine),
use the `
There is a lot of information here. At the `Enter secret password:'
prompt, you should enter some password or phrase (I use phrases of
minimum seven words) which will be needed to generate login keys. The
line starting `ID' gives the parameters of your particular S/Key
instance: your login name, the iteration count, and seed. When
logging in with S/Key, the system will remember these parameters and
present them back to you so you don't have to remember them. The last
line gives the particular one-time password which corresponds to those
parameters and your secret password; if you were to re-login
immediately, this one-time password is the one you would use.
To initialize S/Key or change your password or seed over an insecure
connection, you will need to already have a secure connection to some
place where you can run the `

Before explaining how to generate one-time passwords, we should go
over an S/Key login prompt:
If this machine were configured to disallow UNIX passwords over a
connection from my machine, the prompt would have also included the
annotation `(s/key required)', indicating that only S/Key one-time
passwords will be accepted.
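The hash chain described above, and the check a login prompt like this one performs on the answer, as an added example (not the FreeBSD `key'/`keyinit' code). It follows the text's structure: seed and secret are concatenated, a one-way function is applied iteration-count times, and the count walks downward from its starting value; the server side keeps only the last accepted one-time password and accepts a new one only if one more hash step reproduces it, which is why a captured password cannot be reused or extended. Two stand-ins are assumptions and marked as such in the code: the one-way function is SHA-256 folded to 64 bits rather than the real MD4 fold, and passwords are shown as bytes rather than as six English words. The user name, secret phrase and seed in the walkthrough are constructed.

```python
"""Hash-chain one-time passwords in the style of S/Key.

Added example for this handbook section; it is NOT the FreeBSD key/keyinit
code.  The chain follows the text (seed + secret, one-way hash applied
iteration-count times, count walking down towards 1).  ASSUMPTIONS: the
one-way function is SHA-256 folded to 64 bits instead of the real MD4 fold,
and the one-time password is handled as bytes rather than six English words.
"""
import hashlib
import secrets
import string
from typing import List, Optional


def one_way(data: bytes) -> bytes:
    """ASSUMPTION: stand-in for S/Key's MD4 step.  SHA-256, folded to
    64 bits by XORing the four 8-byte quarters of the digest."""
    d = hashlib.sha256(data).digest()
    return bytes(d[i] ^ d[i + 8] ^ d[i + 16] ^ d[i + 24] for i in range(8))


def compute_otp(secret: str, seed: str, count: int) -> bytes:
    """What the `key' side does: hash (seed || secret) `count' times."""
    if count < 1:
        raise ValueError("iteration count must be at least 1")
    value = (seed + secret).encode()
    for _ in range(count):
        value = one_way(value)
    return value


def new_seed() -> str:
    """Two letters and five digits, the seed shape the text describes."""
    letters = "".join(secrets.choice(string.ascii_lowercase) for _ in range(2))
    digits = "".join(secrets.choice(string.digits) for _ in range(5))
    return letters + digits


class SkeyRecord:
    """Per-user state the server keeps (the role /etc/skeykeys plays):
    the count and seed it will present at login, plus the last one-time
    password it accepted.  The secret password itself is never stored."""

    def __init__(self, user: str, count: int, seed: str, last_otp: bytes):
        self.user = user
        self.count = count
        self.seed = seed
        self.last_otp = last_otp


def keyinit(user: str, secret: str, count: int = 99,
            seed: Optional[str] = None) -> SkeyRecord:
    """Initialise a user: store H^count, so the first login must present H^(count-1)."""
    seed = seed or new_seed()
    return SkeyRecord(user, count, seed, compute_otp(secret, seed, count))


def challenge(rec: SkeyRecord) -> str:
    """The parameters the login prompt hands back so the user need not remember them."""
    return f"s/key {rec.count - 1} {rec.seed}"


def verify(rec: SkeyRecord, candidate: bytes) -> bool:
    """Accept `candidate' only if one more hash step reproduces the stored value.
    On success the candidate becomes the stored value and the count drops by one,
    so the same password is never accepted twice, and an eavesdropper who captures
    it cannot derive the next one (that would mean inverting the hash)."""
    if rec.count <= 1:
        return False          # sequence exhausted; the user must run keyinit again
    if one_way(candidate) != rec.last_otp:
        return False
    rec.last_otp = candidate
    rec.count -= 1
    return True


def walkthrough() -> List[bool]:
    """Constructed session: a correct login, a replay of the same password,
    the next correct login, and an answer computed from a wrong secret.
    Returns the four verdicts."""
    secret = "my little pony stole seven green apples"   # constructed secret phrase
    rec = keyinit("alice", secret, count=5, seed="fb00001")  # constructed user/seed
    verdicts = []
    first = compute_otp(secret, "fb00001", 4)              # answers "s/key 4 fb00001"
    verdicts.append(verify(rec, first))                    # True
    verdicts.append(verify(rec, first))                    # False: replay
    verdicts.append(verify(rec, compute_otp(secret, "fb00001", 3)))          # True
    verdicts.append(verify(rec, compute_otp("wrong secret", "fb00001", 2)))  # False
    return verdicts


if __name__ == "__main__":
    rec = keyinit("alice", "example secret phrase", count=5, seed="fb00001")
    print(challenge(rec))
    print(walkthrough())
```

Note that the chain is consumed from the top: the record starts at H^5, the first login presents H^4, and once the count reaches 1 the server refuses further logins rather than accept H^0 (which would be the plaintext seed and secret), which is the point at which keyinit has to be run again over a secure connection.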
Now, to generate the one-time password needed to answer this login
prompt, we use a trusted machine and the `

Sometimes we have to go places where no trusted machines or
connections are available. In this case, it is possible to use the
`

The configuration file /etc/skey.access can be used to
configure restrictions on the use of UNIX passwords based on the host
name, user name, terminal port, or IP address of a login session. The
complete format of the file is documented in the

If there is no /etc/skey.access file (which is the default
state as FreeBSD is shipped), then all users will be allowed to use
UNIX passwords. If the file exists, however, then all users will be
required to use S/Key unless explicitly permitted to do otherwise by
configuration statements in the

Here is a sample configuration file which illustrates the three most
common sorts of configuration statements: