.ll 6i
.pl 10.5i
.\" @(#)skey.1 1.0 (Bellcore) 7/20/93
.\"
.lt 6.0i
.TH KEY 1 "20 July 1993"
.AT 3
.SH NAME
S/key \- A procedure to use one-time passwords for accessing computer systems.
.SH DESCRIPTION
.I S/key
is a procedure for using one-time passwords to authenticate access to
computer systems. It uses 64 bits of information transformed by the
MD4 algorithm. The user supplies the 64 bits in the form of 6 English
words that are generated by a secure computer, e.g. a pocket-sized smart
card, a PC/Macintosh, or a machine at work, and printed on a sheet of
paper.
Example use of the S/key program
.I key
.sp
Usage example:
.sp 0
>key 99 th91334
.sp 0
Enter password:
.sp 0
OMEN US HORN OMIT BACK AHOY
.sp 0
>
.sp
The programs that are part of the S/Key system are keyinit, key, keyinfo,
keysu, and keylogin. Keyinit is used to get your ID set up, key is used
to get the one-time password each time, keyinfo is used to extract
information from the S/Key database, and the rest are system routines.
For Lab 214 you must use keyinit on system latour and then telnet to
system latour.bellcore.com (IP address 128.96.41.50), or if using
dial\-in you will be routed to system cube for S/Key by the security
system. Use keyinit \-s (for secure option) if you are doing the set up
over insecure communications lines. These are telnet from outside
Bellcore and MICOM dialin from off the Bellcore premises.
.sp
When you do "keyinit" you inform the system of your secret password.
Running "key" then generates the one-time passwords, and also requires
your secret password. If, however, you misspell your password while
running "key", you will get a list of passwords that will not work, and
no indication about the problem.
.sp
Password reference numbers count backward from 99. If you don't know
this, the syntax for "key" will be confusing.
.sp
When typing in your one-time password to gain access to latour,
backspace (^H) can be used to make corrections.
You can enter the passwords using small letters, even though the "key"
program gives them in caps. When you run "key -n 10 `keyinfo` | lpr",
and you do not find your printout at the printer, or in the bin of your
login, or in the bin of your last name, or on the floor or any place
else, you have a problem. Someone has accidentally or purposefully
acquired a list of one-time passwords and your login (on the cover
sheet), which gives them access to your account. The only remedy is to
run "keyinit" again, but you do NOT have to change your secret password
since the system will change the initial "key" for you. Now the missing
information is useless.
.sp
It would be nice if the system had a way for you to advance
(i.e. decrement) the counter in the database, so you could invalidate
all the passwords you printed, but this is not possible because of the
algorithm.
.sp
Note: the notion that one could remember a list of lists of 6
quasi-English words without writing them down is ridiculous. However,
sending them to a printer without immediately retrieving the output is
a big security hole.
.sp
Versions for the Macintosh and for general-purpose PC use are available.
You may "download" them from the directory /usr/local/lib/key.
.LP
.SH SEE ALSO
.BR keyinit(1),
.BR keysu(1),
.BR keylogin(1),
.BR key(1),
.BR keyinfo(1)
.SH AUTHOR
Command by Phil Karn, Neil M. Haller, John S. Walden
.SH CONTACT
staff@thumper.bellcore.com
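.SH EXAMPLE
The following Python sketch is an added example, not part of the S/Key distribution or of the original manual page. It shows why reference numbers count backward from 99 and why running keyinit again makes a lost printout useless. Assumptions: SHA-256 truncated to 64 bits stands in for the MD4 step, passwords are raw bytes rather than six words, and the names f, otp, Server and demo, the starting count of 100 and the second seed th91335 are constructed for illustration.

```python
import hashlib

def f(block: bytes) -> bytes:
    # Stand-in one-way step: SHA-256 truncated to 64 bits (S/Key uses MD4 here).
    return hashlib.sha256(block).digest()[:8]

def otp(secret: str, seed: str, n: int) -> bytes:
    """One-time password number n: the one-way step applied n times."""
    value = f((seed + secret).encode())
    for _ in range(n):
        value = f(value)
    return value

class Server:
    """Keeps only the seed, the next reference number and the last accepted value."""
    def __init__(self, secret: str, seed: str, count: int = 100):
        # keyinit: store password number `count` (assumed 100 so the first login uses 99).
        self.seed, self.seq = seed, count - 1
        self.stored = otp(secret, seed, count)

    def login(self, candidate: bytes) -> bool:
        # Password n is valid only if one more step yields the stored password n+1.
        if self.seq < 0 or f(candidate) != self.stored:
            return False
        self.stored, self.seq = candidate, self.seq - 1
        return True

def demo() -> dict:
    secret = "constructed secret password"
    server = Server(secret, "th91334")
    printed = {n: otp(secret, "th91334", n) for n in range(99, 89, -1)}  # like key -n 10
    results = {
        "first": server.login(printed[99]),
        "replay": server.login(printed[99]),
        "skip_ahead": server.login(printed[97]),  # 98 has not been used yet
        "typo": server.login(otp("constructed secret pasword", "th91334", 98)),
        "next": server.login(printed[98]),
        "seq_after": server.seq,
    }
    server = Server(secret, "th91335")  # keyinit again: same secret, new constructed seed
    results["old_list_after_keyinit"] = any(server.login(p) for p in printed.values())
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The server never holds the secret password, so it can check a password against the stored one but cannot compute the lower-numbered passwords itself.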