crypt' mechanismContributed by Garrett Wollman
<wollman@FreeBSD.ORG>
25 September 1995.
S/Key is a one-time password scheme based on a one-way hash function (in our version, this is MD4 for compatibility; other versions have used MD5 and DES-MAC). S/Key has been a standard part of all FreeBSD distributions since version 1.1.5, and is also implemented on a large and growing number of other systems. S/Key is a registered trademark of Bell Communications Research, Inc.
There are three different sorts of passwords which we will talk about
in the discussion below. The first is your usual UNIX-style or Kerberos
password; we will call this a ``UNIX password''. The second sort is the
one-time password which is generated by the S/Key `key' program and
accepted by the `keyinit' program and the login prompt; we will call
this a ``one-time password''. The final sort of password is the
secret password which you give to the `key' program (and sometimes the
`keyinit' program) which it uses to generate one-time passwords; we will
call it a ``secret password'' or just unqualified ``password''.
The secret password does not necessarily have anything to do with your UNIX password (while they can be the same, this is not recommended). While UNIX passwords are limited to eight characters in length, your S/Key secret password can be as long as you like; I use seven-word phrases. In general, the S/Key system operates completely independently of the UNIX password system.
There are in addition two other sorts of data involved in the S/Key
system; one is called the ``seed'' or (confusingly) ``key'', and
consists of two letters and five digits, and the other is the
``iteration count'' and is a number between 100 and 1. S/Key
constructs a one-time password from these components by concatenating
the seed and the secret password, then applying a one-way hash (the
RSA Data Security, Inc., MD4 secure hash function) iteration-count
times, and turning the result into six short English words. The
`login' and `su' programs keep track of the last one-time
password used, and the user is authenticated if the hash of the
user-provided password is equal to the previous password. Because a
one-way hash function is used, it is not possible to generate future
one-time passwords having overheard one which was successfully used;
the iteration count is decremented after each successful login to keep
the user and login program in sync. (When you get the iteration count
down to 1, it is time to reinitialize S/Key.)
There are four programs involved in the S/Key system which we will
discuss below. The `key' program accepts an iteration count, a
seed, and a secret password, and generates a one-time password. The
`keyinit' program is used to initialized S/Key, and to change
passwords, iteration counts, or seeds; it takes either a secret
password, or an iteration count, seed, and one-time password. The
`keyinfo' program examines the /etc/skeykeys file and
prints out the invoking user's current iteration count and seed.
Finally, the `login' and `su' programs contain the necessary
logic to accept S/Key one-time passwords for authentication. The
`login' program is also capable of disallowing the use of UNIX
passwords on connections coming from specified addresses.
There are four different sorts of operations we will cover. The first
is using the `keyinit' program over a secure connection to set up
S/Key for the first time, or to change your password or seed. The
second operation is using the `keyinit' program over an insecure
connection, in conjunction with the `key' program over a secure
connection, to do the same. The third is using the `key' program to
log in over an insecure connection. The fourth is using the `key'
program to generate a number of keys which can be written down or
printed out to carry with you when going to some location without
secure connections to anywhere (like at a conference).
crypt' mechanism