S/Key is a One Time Password (OTP) authentication system. It is intended to be used when the communication channel between a user and host is not secure (e.g. not encrypted or hardwired). Since each password is used only once, even if it is "seen" by a hostile third party, it cannot be used again to gain access to the host.
S/Key uses 64 bits of information, transformed by the MD4 algorithm into 6 English words. The user supplies the words to authenticate himself to programs like
login(1) or
ftpd(8).
Example use of the
S/Key program
skey:
% skey 99 th91334
Enter password: <your secret password is entered here>
OMEN US HORN OMIT BACK AHOY
%
The string that is given back by
skey can then be used to log into a system.
The programs that are part of the
S/Key system are:
used to set up your S/Key.
skey
used to get the one time password(s).
used to initialize the S/Key database for the specified user. It also tells the user what the next challenge will be.
used to inform users that they will soon have to rerun
skeyinit(1).
When you run
skeyinit(1) you inform the system of your secret password. Running
skey then generates the one-time password(s), after requiring your secret password. If however, you misspell your secret password that you have given to
skeyinit(1) while running
skey you will get a list of passwords that will not work, and no indication about the problem.
Password sequence numbers count backward from 99. You can enter the passwords using small letters, even though
skey prints them capitalized.
The
-n count argument asks for
count password sequences to be printed out ending with the requested sequence number.
The hash algorithm is selected using the
-t hash option, possible choices here are md4, md5 or sha1.
The
-p password allows the user to specify the
S/Key password on the command line.
To output the S/Key list in hexadecimal instead of words, use the
-x option.