December 21, 2004
Using skey [ Software ]
I've just got the old SPARCclassic upgraded to OpenBSD 3.6-current, and I wanted to get skey authentication with SSH working on it.
If you want to use skey auth, you first need to initialize skey. Do this by running 'skeyinit' on the SSH server, authenticate yourself with your login password, and create a new secret password. Do not share this secret password, and do not send this secret password across an unencrypted or insecure connection.
When you next log into the server with SSH (you may need to append ':skey' to your login name), you'll be prompted with a challenge string that looks like this:
otp-md5 99 foo12345
You'll then need a client-side program that takes the three fields of this challenge string (the hash algorithm identifier, a sequence index and the seed) and combines them with your secret password to generate the one-time password. You then type in the resulting OTP to log into the server.
You'll get a finite number of challenge strings after initializing the system with your secret password (100 by default). After you've run through enough of these, you'll need to re-generate the series with a fresh seed. You can do this once you're logged in via SSH or another secure, encrypted channel by running the 'skeyinit' command again.
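To show what such a client computes, here is an added example (not code from this post or from OpenBSD) that assumes the challenge follows RFC 2289, the standard that defines the 'otp-md5 index seed' format. The function names are made up for illustration, the passphrase used in testing is the RFC's published test vector, and the output is the hex form of the OTP rather than the six-word form.

```python
import hashlib
import re

# "otp-<hash> <index> <seed>"; RFC 2289 seeds are 1-16 alphanumeric characters.
CHALLENGE_RE = re.compile(r"^otp-([A-Za-z0-9]+)\s+(\d+)\s+([A-Za-z0-9]{1,16})$")

def parse_challenge(challenge):
    """Split e.g. 'otp-md5 99 foo12345' into (algorithm, index, seed)."""
    m = CHALLENGE_RE.match(challenge.strip())
    if not m:
        raise ValueError("not an RFC 2289 challenge: %r" % challenge)
    algo, index, seed = m.group(1).lower(), int(m.group(2)), m.group(3).lower()
    if algo != "md5":
        raise ValueError("this example only implements otp-md5")
    return algo, index, seed  # the seed is always used in lower case

def fold_md5(data):
    """MD5, then XOR the two 64-bit halves of the digest together."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp_md5(challenge, passphrase):
    """Return the one-time password for this challenge as grouped hex."""
    _, index, seed = parse_challenge(challenge)
    state = fold_md5((seed + passphrase).encode("ascii"))  # index 0
    for _ in range(index):            # one more hash per index step
        state = fold_md5(state)
    h = state.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))

def server_accepts(stored_otp, submitted_otp):
    """Server-side check: hashing the submitted OTP once must give the
    previously accepted OTP, so the server never stores the secret."""
    submitted = bytes.fromhex(submitted_otp.replace(" ", ""))
    stored = bytes.fromhex(stored_otp.replace(" ", ""))
    return fold_md5(submitted) == stored

if __name__ == "__main__":
    # Passphrase and seed from the RFC 2289 test vectors, not real credentials.
    print(otp_md5("otp-md5 99 TeSt", "This is a test."))
```

Because each accepted OTP is the hash of the next one to be used, the index in the challenge counts down, and the series must be re-initialized with 'skeyinit' before it runs out.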
Here are links to some useful skey/OTP clients:
One Time Passwords: Google directory entries for One Time Passwords
WinKey32 (Windows)
OTPgen (Windows)
SkeyCalc (Mac)
OPIE (Unix, Linux and other platforms)
OTPgen Lite (J2ME-enabled mobile phones)
jotp (Java applet)
Original content copyright ©1995-2006 Eric Dobbs, except where otherwise noted.
