
The s/key client software can be downloaded from anonymous ftp. If you use Netscape, be sure to select these links with the shift key down. Explorer will Do The Right Thing.
Clients are available for: Linux, SunOS4, SunOS5, HPUX, Ultrix, IRIX, MacOS, DOS, NeXT, Windows95, OS/2, Windows.
After downloading the executable, place it in a directory that is in
your path. Rename the executable key or
winkey.exe, whichever is appropriate. With Unix,
be sure that the executable permission bits are set. The Macintosh
executable is in binhex format, so simply drag the icon on top of the
stuffit icon to decompress into a clickable Mac application.
Screen dumps of s/key on: Macintosh, Windows95, Unix.
Suppose that you are on the outside of the MSRI network, and you want to establish a connection for network services with a machine inside the network, e.g. the machine in your office here, woody. The basic procedure is:
1) telnet or ftp to the firewall, msri.org,
2) authenticate yourself to msri.org with an s/key one time password,
3) tell the proxy on msri.org the name of the internal machine.
In more detail, for 1), instead of typing:
yourRemotePrompt% ftp woody.msri.org
or
yourRemotePrompt% telnet woody.msri.org
you would type:
yourRemotePrompt% ftp msri.org
or
yourRemotePrompt% telnet msri.org
At step 2), msri.org will ask for your username here and then issue an
s/key challenge, something like:
s/key 536 hi102349
You respond to this with the one time password that you have generated using the
s/key client software by giving it the initial input consisting of the
sequence number 536 and the seed hi102349, and interactively supplying
your secret pass phrase when asked. The one time password that the
client generates will be a short poem, for example:
YAWL SULK SOUR COVE SILO NECK
The server will check this and then, if appropriate, let you in. Note that the client will always generate a one time password, even with incorrect input. If it denies you access, try again. If you try unsuccessfully to authenticate yourself 5 times within 3 minutes, the authentication server will temporarily disable your account.
In step 3), after you are authenticated, the proxy server on
msri.org is waiting to be told the name of the internal
machine. You supply that, the proxy is completed, and you are ready to
proceed just as though you had originally telnet-ed or
ftp-ed directly to woody. When woody
responds, you simply supply your username and ordinary MSRI
password and the session proceeds transparently through the firewall.
There are more detailed instructions in the appropriate sections of the MSRI Computer
Handbook for telnet and
ftp, respectively.
Each of the proxies on msri.org also gives a telegraphic set of instructions upon the initial connection.
s/key is a one-time password system. It secures your
system by making playback attacks against user passwords
computationally infeasible.
When you are challenged for a password by s/key, it
provides you with a sequence number, n, and a seed. You enter
the sequence number and seed into your s/key response
calculator and also enter a secret pass phrase. This secret pass
phrase should not be typed over an insecure channel. If you restrict
yourself to typing the secret pass phrase only on your local machine
which has not been compromised by hackers, the secret pass phrase should remain
secure.
The s/key calculator combines the secret pass phrase with
the seed and MD4 hashes it n times according to the sequence
number. It then provides you with an encoded version of the resulting
number which you should then type in as a response to the original
challenge.
The challenging system then MD4 hashes your response and compares the
result with the last password you provided. If they match, then you
are authenticated.
If MD4 is ever broken (it's supposed
to be a one-way hash), an attacker could capture a response and generate the
next response by finding something that hashes to the same value.
Joe Christy Thu Mar 26 10:47:51 PST 1998