Navigation Bar Top Applications Support Documentation Vendors Search Index Top Top
FreeBSD Handbook : Security : S/Key
Previous: Recognizing your `crypt' mechanism
Next: Secure connection initialization

6.2. S/Key

Contributed by Garrett Wollman <[email protected]>
25 September 1995.

S/Key is a one-time password scheme based on a one-way hash function (in our version, this is MD4 for compatibility; other versions have used MD5 and DES-MAC). S/Key has been a standard part of all FreeBSD distributions since version 1.1.5, and is also implemented on a large and growing number of other systems. S/Key is a registered trademark of Bell Communications Research, Inc.

There are three different sorts of passwords which we will talk about in the discussion below. The first is your usual UNIX-style or Kerberos password; we will call this a ``UNIX password''. The second sort is the one-time password which is generated by the S/Key `key' program and accepted by the `keyinit' program and the login prompt; we will call this a ``one-time password''. The final sort of password is the secret password which you give to the `key' program (and sometimes the `keyinit' program) which it uses to generate one-time passwords; we will call it a ``secret password'' or just unqualified ``password''.

The secret password does not necessarily have anything to do with your UNIX password (while they can be the same, this is not recommended). While UNIX passwords are limited to eight characters in length, your S/Key secret password can be as long as you like; I use seven-word phrases. In general, the S/Key system operates completely independently of the UNIX password system.

There are in addition two other sorts of data involved in the S/Key system; one is called the ``seed'' or (confusingly) ``key'', and consists of two letters and five digits, and the other is the ``iteration count'' and is a number between 100 and 1. S/Key constructs a one-time password from these components by concatenating the seed and the secret password, then applying a one-way hash (the RSA Data Security, Inc., MD4 secure hash function) iteration-count times, and turning the result into six short English words. The `login' and `su' programs keep track of the last one-time password used, and the user is authenticated if the hash of the user-provided password is equal to the previous password. Because a one-way hash function is used, it is not possible to generate future one-time passwords having overheard one which was successfully used; the iteration count is decremented after each successful login to keep the user and login program in sync. (When you get the iteration count down to 1, it is time to reinitialize S/Key.)

There are four programs involved in the S/Key system which we will discuss below. The `key' program accepts an iteration count, a seed, and a secret password, and generates a one-time password. The `keyinit' program is used to initialized S/Key, and to change passwords, iteration counts, or seeds; it takes either a secret password, or an iteration count, seed, and one-time password. The `keyinfo' program examines the /etc/skeykeys file and prints out the invoking user's current iteration count and seed. Finally, the `login' and `su' programs contain the necessary logic to accept S/Key one-time passwords for authentication. The `login' program is also capable of disallowing the use of UNIX passwords on connections coming from specified addresses.

There are four different sorts of operations we will cover. The first is using the `keyinit' program over a secure connection to set up S/Key for the first time, or to change your password or seed. The second operation is using the `keyinit' program over an insecure connection, in conjunction with the `key' program over a secure connection, to do the same. The third is using the `key' program to log in over an insecure connection. The fourth is using the `key' program to generate a number of keys which can be written down or printed out to carry with you when going to some location without secure connections to anywhere (like at a conference).

6.2.1. Secure connection initialization

6.2.2. Insecure connection initialization

6.2.3. Diversion: a login prompt

6.2.4. Generating a single one-time password

6.2.5. Generating multiple one-time passwords

6.2.6. Restricting use of UNIX passwords


FreeBSD Handbook : Security : S/Key
Previous: Recognizing your `crypt' mechanism
Next: Secure connection initialization
[email protected]
Updated March 2, 1999