One of the nice things of S/Key is that it still leaves you the option to use regular UNIX passwords. In fact, the presence of S/Key support is completely invisible for a user until she has set up a password with the keyinit command. You can permit regular UNIX passwords for local logins, while at the same time insisting on S/Key passwords for logins from outside. ORIGIN These files are modified versions of the s/key files found on thumper.bellcore.com at 21 oct 1993. They have been fixed to run on top of SunOS 4.1.3 and Solaris 2.3. Installation is described at the end of this file. USAGE Use the keyinit command to set up a new series of s/key passwords. wzv_6% keyinit Updating wietse: Old key: wz173500 Reminder - Only use this method if you are direct connected. If you are using telnet or dial-in exit with no password and use keyinit -s. Enter secret password: Again secret password: ID wietse s/key is 99 wz173501 BLAH BLA BLAH BLAH BLAH BLA Be sure to make your secret password sufficiently long. Try using a full sentence instead of just one single word. You will have to do a "keyinit" on every system that you want to login on using one-time passwords. Whenever you log into an s/key protected system you will see something like: login: wietse s/key 98 wz173501 Password: In this case you can either enter your regular UNIX password or your one-time s/key password. For example, I open a local window to compute the password: local% key 98 wz173501 Reminder - Do not use key while logged in via telnet or rlogin. Enter secret password: BLAH BLA BLAH BLAH BLAH BLA The "BLAH BLA BLAH BLAH BLAH BLA" is the one-time s/key password. If you have to type the one-time password in by hand, it is convenient to have echo turned on so that you can correct typing errors. Just type a newline at the "Password:" prompt: login: wietse s/key 98 wz173501 Password: (turning echo on) Password:BLAH BLA BLAH BLAH BLAH BLA The 98 in the challenge will be 97 the next time, and so on. You'll get a warning when you are about to run out of s/key passwords, so that you will have to run the keyinit command again. Sometimes it is more practical to carry a piece of paper with a small series of one-time passwords. You can generate the list with: % key -n 10 98 wz173501 98: BLAH BLA BLAH BLAH BLAH BLA 97: ... 96: ... Be careful when printing material like this! INSTALLATION To install, do: make sunos4 (or whatever), then: make install. The UNIX password is always permitted with non-network logins. By default, UNIX passwords are always permitted (the Bellcore code by default disallows UNIX passwords but I think that is too painful). In order to permit UNIX passwords only with logins from specific networks, create a file /etc/skey.access. For example, # First word says if UNIX passwords are to be permitted or denied. # remainder of the rule is a networknumber and mask. A rule matches a # host if any of its addresses satisfies: # # network = (address & mask) # #what network mask permit 131.155.210.0 255.255.255.0 deny 0.0.0.0 0.0.0.0 This particular example will permit UNIX passwords with logins from any host on network 131.155.210, but will insist on one-time passwords in all other cases.