DOSC TWiki snapshot as of mid-2005

SKeyAuthentication


I always hated logging into my machine over ssh from public computers, despite ssh's encryption, because of the possibility of the public computer being keylogged. OpenBSD and at least some other *nix systems provide the S/Key authentication system, so I did the following while logged on to my machine locally (could be from any trusted machine over ssh, too):

$ skeyinit
<entered my user's password>
<entered a new skey password>
<repeated it>
$ skey -n 5 `skeyinfo` | lpr
<entered my skey password>

This assumes the existence of a local printer and that your lpd is careful to keep spool files non-world-readable. If you don't have such a setup, just omit | lpr and copy down the output by hand. In either case, slip the piece of paper in a hidden place in your wallet and you are good to go : ) btw, I believe there is little risk in giving an skey pass to skeyinit that is the same as your user's pass.

When you next need to log in to your machine from an untrusted box, say ssh -l myuser:skey my.machine.dartmouth.edu. Enter the last line of six words from your printout (not case sensitive) and you are logged in. You can scratch off that line now; it will never log you in successfully again.

If you want to not have to specify the username with the :skey part at the end, but use skey for that user every time you log into your machine from this untrusted host, add this to your ~/.ssh/config file on the untrusted machine:

Host my.machine.dartmouth.edu
User myuser:skey

Lastly, when you run out of one time passes on your printout, log in locally and do the same trick with skey -n 5 `skeyinfo`. 5 is the number of one time passes it gives you. You need to do this locally (or on another trusted machine over ssh) because you must enter your secret skey password.

Have fun, and be in tune with your paranoia!

AlexFerguson - 21 Apr 2003
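For readers who want to see why a line on the printout logs you in exactly once, here is an added model of the hash chain behind skeyinit, skeyinfo and skey. It is illustration code written for this page, not OpenBSD's skey(1) or anything Alex posted. Assumptions: SHA-256 folded to 64 bits stands in for the RFC 2289 hash functions, passes are printed as hex instead of the six-word encoding, and a dict stands in for the /etc/skey database; the names SkeyDatabase, chain_value, print_passes and walkthrough are hypothetical.

```python
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

# Added example, not code from the page or from OpenBSD's skey(1).
# Assumptions: SHA-256 folded to 8 bytes replaces the RFC 2289 hash,
# passes are hex instead of six words, and a dict replaces /etc/skey.


def f(x: bytes) -> bytes:
    """One-way step: SHA-256 folded to 8 bytes by XOR (a constructed stand-in)."""
    d = hashlib.sha256(x).digest()
    out = bytes(8)
    for i in range(0, len(d), 8):
        out = bytes(a ^ b for a, b in zip(out, d[i:i + 8]))
    return out


def chain_value(secret: str, seed: str, i: int) -> bytes:
    """x_i: f applied i times to x_0 = f(seed || secret). This is what skey(1) computes."""
    x = f((seed + secret).encode())
    for _ in range(i):
        x = f(x)
    return x


class SkeyDatabase:
    """Server side: the per-user record skeyinit writes and login checks."""

    def __init__(self) -> None:
        # user -> (seq, seed, x_seq); the secret itself is never stored
        self.entries: Dict[str, Tuple[int, str, bytes]] = {}

    def init_user(self, user: str, secret: str, count: int,
                  seed: Optional[str] = None) -> str:
        """skeyinit: store the top of the chain, x_count, and the seed."""
        seed = seed or secrets.token_hex(4)
        self.entries[user] = (count, seed, chain_value(secret, seed, count))
        return seed

    def challenge(self, user: str) -> Tuple[int, str]:
        """skeyinfo: the sequence number and seed the next login must answer."""
        seq, seed, _ = self.entries[user]
        return seq - 1, seed

    def verify(self, user: str, response: bytes) -> bool:
        """Accept x_{seq-1} iff f(x_{seq-1}) == stored x_seq, then step the pointer down.
        A reused pass fails because the stored value has already moved one link below it."""
        seq, seed, stored = self.entries[user]
        if seq <= 0:
            return False  # chain exhausted: rerun skeyinit from a trusted machine
        if f(response) != stored:
            return False
        self.entries[user] = (seq - 1, seed, response)
        return True


def print_passes(secret: str, seed: str, seq: int, count: int) -> List[Tuple[int, str]]:
    """skey -n count seq seed: the `count` passes ending at seq, lowest first.
    The last line is the one to use first, as the post says."""
    return [(i, chain_value(secret, seed, i).hex())
            for i in range(seq - count + 1, seq + 1)]


def walkthrough() -> Dict[str, bool]:
    """Replay the exchange from the post with constructed values and report each outcome."""
    db = SkeyDatabase()
    seed = db.init_user("myuser", "constructed skey secret", 100, seed="dosc99999")
    seq, _ = db.challenge("myuser")           # 99: skeyinfo output
    sheet = print_passes("constructed skey secret", seed, seq, 5)  # the printout, passes 95..99
    last = bytes.fromhex(sheet[-1][1])
    return {
        "first_login": db.verify("myuser", last),
        "replay_rejected": not db.verify("myuser", last),
        "next_line_works": db.verify("myuser", bytes.fromhex(sheet[-2][1])),
    }


if __name__ == "__main__":
    print(walkthrough())
```

The server only ever holds x_seq, so a copy of /etc/skey or a keylogged pass gives an attacker nothing for the next login: producing x_{seq-1} from x_seq would mean inverting f. That is also why the refill step in the post must be done on a trusted machine: skey needs the secret, the server never does.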

Ok, it looks like skey isn't real common on linux systems, but default on openbsd and freebsd (don't know about netbsd). For those using rpm, there is http://rpmfind.net/linux/rpm2html/search.php?query=skey&submit=Search+...&system=&arch= or http://rpmfind.net/linux/rpm2html/search.php?query=opie&submit=Search+...&system=&arch= . Post if you try one, please.

-- Alex 22 Apr 2003

Well, I tried to install it on linux (RedHat 7.3), and the rpm installed ok. The big difference is all the executables are called keyinit, key, etc. rather than skeyinit, skey, etc. However, when I tried to run keyinit, I got this message:

[astronut@astronut astronut]$ keyinit
error in opening database: No such file or directory
[astronut@astronut astronut]$

I finally figured it out. The database is /etc/skeykeys and my normal user can't write to /etc/. I did 'sudo keyinit astronut' and it works fine now. (I hope). I may have to make the file world read/writable, or always use sudo for keyinit. I still can't log in with skey however, and am still working on this. I do not get an skey prompt when I try to log in.

--astronut 10 May 2003

$ ls -l `which skeyinit`
-r-xr-sr-x  1 root  auth  20480 Mar 29 04:13 /usr/bin/skeyinit
$ ls -ld /etc/skey
drwx-wx--T  2 root  auth  512 Apr 21 17:39 /etc/skey

There's your (first) problem. The skeyinit/keyinit executable needs to be sgid so it can read and write the skey database. Making the database world readable or writeable would be a Bad Idea (TM) because any user could read or change another's passes. skeyinfo/keyinfo also must be sgid auth. (Your user names may differ.)

--Alex
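An added check for the two conditions Alex's listing shows, written for this page rather than taken from the thread or from any skey package: the skeyinit/keyinit binary must be setgid (and not writable by group or others), and the database must carry no read or write bits for "other". parse_ls_mode, check_modes and check_paths are hypothetical names; the path arguments to check_paths are placeholders to be replaced with your own system's (e.g. the /usr/bin/skeyinit and /etc/skey from the listing above, or /etc/skeykeys on astronut's RedHat box).

```python
import os
import stat
from typing import List

# Added example, not from the page. Checks what Alex's ls output shows:
# setgid binary, non-world-readable/writable database.

LS_BITS = [
    stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
    stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
    stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH,
]


def parse_ls_mode(s: str) -> int:
    """Turn an ls -l mode string such as '-r-xr-sr-x' into numeric permission bits."""
    perm = s[1:10]
    if len(perm) != 9:
        raise ValueError("expected a 10-character ls mode string")
    mode = 0
    for i, ch in enumerate(perm):
        if ch == "-":
            continue
        if ch in "rwx":
            mode |= LS_BITS[i]
        elif ch in "sS" and i in (2, 5):          # setuid / setgid column
            mode |= stat.S_ISUID if i == 2 else stat.S_ISGID
            if ch == "s":                          # lowercase: exec bit also set
                mode |= LS_BITS[i]
        elif ch in "tT" and i == 8:               # sticky bit column
            mode |= stat.S_ISVTX
            if ch == "t":
                mode |= LS_BITS[i]
        else:
            raise ValueError("unexpected %r at position %d" % (ch, i))
    return mode


def check_modes(exe_mode: int, db_mode: int) -> List[str]:
    """Return a list of problems; an empty list means the setup matches Alex's listing."""
    problems = []
    if not exe_mode & stat.S_ISGID:
        problems.append("skeyinit is not setgid: it cannot read or write the database as the db group")
    if exe_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("skeyinit is group- or world-writable: a privileged binary must not be")
    if db_mode & (stat.S_IROTH | stat.S_IWOTH):
        problems.append("skey database is readable or writable by others: any user could read or change another's passes")
    return problems


def check_paths(exe_path: str, db_path: str) -> List[str]:
    """Same check against the live filesystem; st_mode carries the setgid/sticky bits too."""
    return check_modes(os.stat(exe_path).st_mode, os.stat(db_path).st_mode)


if __name__ == "__main__":
    # Alex's listing passes; making the database world read/writable does not.
    print(check_modes(parse_ls_mode("-r-xr-sr-x"), parse_ls_mode("drwx-wx--T")))
    print(check_modes(parse_ls_mode("-r-xr-xr-x"), parse_ls_mode("-rw-rw-rw-")))
```

The group name (auth in the listing) and the database path differ between systems; the properties being checked do not. Note that the directory in Alex's listing is write- and search-only for the group and sticky, so even members of auth cannot list other users' entries.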