Home > NetBSD, Unix > One Time Password authentication system

One Time Password authentication system

December 17th, 2008 Leave a comment Go to comments

S/key is an one time password authentication (OTP) system that prevent you from sending password in clear.
It’s especially useful with system like telnet.

It’s quite easy to setup on NetBSD. To start, run

# skeyinit -s <user>
[Adding user]
You need the 6 english words generated from the "skey" command.
Enter sequence count from 1 to 10000: Enter anything you want
Enter new seed [default NetB14423]: Just press return or enter something else
otp-md4 <sequence count> <seed>
s/key access password: <Follow instruction bellow>

To get the s/key access password, you have to run the following command but be careful to do not run it on the remote host through telnet, run it locally !

# skey <sequence count you entered for skeyinit> <seed you use in skeyinit>

This will ask you for a password (use a secure one) and give you 6 english word, use them to complete the “s/key access password:” question.

Your S/Key authentification is ready !


Next time you do a telnet connexion to the host you will get this prompt

login: <put your username>
Password [otp-md4 <random number> <seed you use in skeyinit>]:

To know the 6 english word password to use, you have to run the following command (on you local computer for example)

# skey <random number> <seed you use in skeyinit>

In fact the random number will be incremented by one each time you log in. You can easily generate (in advance) all 6 english word password for number X to Z, with the following command (another time, run this locally) :

skey -n (Z-X) Z <seed you use in skeyinit>

Z-X is the number of password to generate. Z mean the last generated password is for random number Z

N.B: You clear password will still work if you use it.


Related link: S/Key on Wikipedia

Categories: NetBSD, Unix Tags:
  1. No comments yet.
  1. No trackbacks yet.