Diffstat (limited to 'usr.bin/key/README.WZV')
-rw-r--r-- | usr.bin/key/README.WZV | 100 |
1 files changed, 100 insertions, 0 deletions
diff --git a/usr.bin/key/README.WZV b/usr.bin/key/README.WZV new file mode 100644 index 0000000..a13f3b5 --- /dev/null +++ b/usr.bin/key/README.WZV 
@@ -0,0 +1,100 @@ +One of the nice things of S/Key is that it still leaves you the option +to use regular UNIX passwords. In fact, the presence of S/Key support +is completely invisible for a user until she has set up a password with +the keyinit command. You can permit regular UNIX passwords for local +logins, while at the same time insisting on S/Key passwords for logins +from outside. + +ORIGIN + +These files are modified versions of the s/key files found on +thumper.bellcore.com at 21 oct 1993. They have been fixed to +run on top of SunOS 4.1.3 and Solaris 2.3. + +Installation is described at the end of this file. + +USAGE + +Use the keyinit command to set up a new series of s/key passwords. + + wzv_6% keyinit + Updating wietse: + Old key: wz173500 + Reminder - Only use this method if you are direct connected. + If you are using telnet or dial-in exit with no password and use keyinit -s. + Enter secret password: + Again secret password: + + ID wietse s/key is 99 wz173501 + BLAH BLA BLAH BLAH BLAH BLA + +Be sure to make your secret password sufficiently long. Try using a +full sentence instead of just one single word. + +You will have to do a "keyinit" on every system that you want to login +on using one-time passwords. + +Whenever you log into an s/key protected system you will see +something like: + + login: wietse + s/key 98 wz173501 + Password: + +In this case you can either enter your regular UNIX password or +your one-time s/key password. For example, I open a local window +to compute the password: + + local% key 98 wz173501 + Reminder - Do not use key while logged in via telnet or rlogin. + Enter secret password: + BLAH BLA BLAH BLAH BLAH BLA + +The "BLAH BLA BLAH BLAH BLAH BLA" is the one-time s/key password. + +If you have to type the one-time password in by hand, it is convenient +to have echo turned on so that you can correct typing errors. 
Just type +a newline at the "Password:" prompt: + + login: wietse + s/key 98 wz173501 + Password: (turning echo on) + Password:BLAH BLA BLAH BLAH BLAH BLA + +The 98 in the challenge will be 97 the next time, and so on. You'll get +a warning when you are about to run out of s/key passwords, so that you +will have to run the keyinit command again. + +Sometimes it is more practical to carry a piece of paper with a small +series of one-time passwords. You can generate the list with: + + % key -n 10 98 wz173501 + 98: BLAH BLA BLAH BLAH BLAH BLA + 97: ... + 96: ... + +Be careful when printing material like this! + +INSTALLATION + +To install, do: make sunos4 (or whatever), then: make install. + +The UNIX password is always permitted with non-network logins. By +default, UNIX passwords are always permitted (the Bellcore code by +default disallows UNIX passwords but I think that is too painful). In +order to permit UNIX passwords only with logins from specific networks, +create a file /etc/skey.access. For example, + + # First word says if UNIX passwords are to be permitted or denied. + # remainder of the rule is a networknumber and mask. A rule matches a + # host if any of its addresses satisfies: + # + # network = (address & mask) + # + #what network mask + permit 131.155.210.0 255.255.255.0 + deny 0.0.0.0 0.0.0.0 + +This particular example will permit UNIX passwords with logins from any +host on network 131.155.210, but will insist on one-time passwords in +all other cases. |
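Review bot: The /etc/skey.access example at the end of the INSTALLATION section depends on rule order ("permit 131.155.210.0 255.255.255.0" ahead of "deny 0.0.0.0 0.0.0.0"), but the text never states how rules are evaluated or what applies to a host that matches no rule. Suggest documenting the evaluation order and the no-match behaviour next to the example. It would also help to say outright that, with no /etc/skey.access present, UNIX passwords stay accepted from every network, since the README picks that default over the Bellcore one. The comment "A rule matches a host if any of its addresses satisfies" also deserves a sentence on multi-homed hosts: as written, a single address inside a permitted network appears to be enough for the permit rule to apply. Separately, the keyinit transcript in USAGE points remote users at "keyinit -s" without any explanation of that option in the README; a short description would close that gap.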