S/Key is a pretty nifty way of sending garbled passwords over cleartext means (telnet). It was sort of a precursor to ssh. Although widely used still, it is somewhat obsolete...but then, one can never be too paranoid, right? :)
So, let me 'splain...

| Sincerely, I don't understand this stuff. I've tried to read it.
| Is anyone willing to tell me the advantages of s/key and whether I should
| use it?
|
| This is what happens:
|
| <cut>
| wash@ns2 ('tty') ~ 479 -> ssh newhost
| otp-md5 105 ba3562 ext
| S/Key Password:

Ok, right here is where you would get the s/key encryption generator thingy out (in windows you can use winkey (google it)). There is a *nix command that will do it too, although, at this time, I can't remember the name of it.

In short, what you would do, provided s/key has a valid passwd for the user you are trying to login as (it's a separate file in /etc generally called opiekeys, iirc), when you get the prompt above you would copy the challenge:

otp-md5 105 ba3562 ext

(you really only need the 105 ba3562 but using the whole thing is harmless). Then you paste that into winkey or the unix equivalent (again, can't remember what that is called now...I'm doing this all from memory and it's been well over four years since I've used s/key). When you press enter you will be prompted for your password (again, not the system passwd necessarily but the one you set yourself up with for skey, which is reflected in the /etc/opiekeys file). Then you will get a strange set of words that look similar to:

HAPPY DESKS AUTOS MAILBOX PEOPLE BLAH

That is what you then copy and paste back to skey at the "S/Key Password:" prompt and VOILA...assuming you typed your password correctly you should be granted access.

There are a few neato things about skey. As the admin, when you set someone up with an skey account (and if skey is the only login method allowed for your machine) you set that person up with a certain number of allowed logins (in the case above, the number left for the allowed logins is 105). This number decrements upon every login attempt (iirc....might be every successful login but I am pretty sure it's every attempt).
When this number hits 0 that user is no longer allowed to attempt to login until you, as the admin, make that number > 0.

Openssh will use s/key as a backup method of logging in. Rightly so, if you think about it: you do NOT want to send your passwords cleartext over telnet connections. You're begging for trouble if you do that. S/Key makes it so that you can send your password over telnet in cleartext without a cracker easily getting your password from the wire. S/Key, last I checked, by default uses MD5 hashes but I know it can use DSA and MD4 and perhaps other algorithms as well.

What you are seeing below, if I'm not mistaken, is openssh falling back to different login methods. It's probably going in this order: private key, s/key, then password.

Hope this helps. If I got anything wrong please correct me. I really mean it that I haven't used S/Key in a loooong time. But I used to use it all the time on my servers until ssh became popular.

- Jim

| otp-md5 172 ba9156 ext
| S/Key Password:
| otp-md5 236 ba7561 ext
| S/Key Password:
| [EMAIL PROTECTED]'s password:
| Last login: Fri Nov 1 18:31:46 2002 from 62.8.64.13
| Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
| The Regents of the University of California. All rights reserved.
| FreeBSD 4.6.2-RELEASE (backup) #0: Fri Oct 11 19:02:55 GMT 2002
|
| Welcome to RBS backup server!
|
| bash-2.05a$
| </cut>
|
| Thanks
|
| -Wash

--
- Jim

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-questions" in the body of the message
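The challenge/response exchange described in this thread, worked through in Python as an added example (not code from the original post or from FreeBSD's skey/opie tools). It implements the RFC 2289 MD5 variant that the "otp-md5" prompt names: the generator side (parse the challenge, derive the one-time password from the seed, sequence number and passphrase) and the verifier side (store only the last accepted value, hash the answer once to check it, and decrement the sequence number only when a response is accepted, so a wrong or replayed answer leaves the count where it was). Responses are emitted in RFC 2289 hex form rather than six words, because the 2048-word dictionary is left out; the passphrase, seed "ba3562", starting sequence number 106 and the lockout threshold are constructed assumptions for the demo.

```python
"""RFC 2289 (S/Key, OPIE) one-time passwords, MD5 variant, client and server side.
Added example for this thread, not code from the original post or from the
FreeBSD skey/opie tools. Hex responses only (six-word dictionary omitted);
passphrase, seed, sequence numbers and LOCKOUT_AT are constructed assumptions.
"""
import hashlib
import hmac
import re


def fold_md5(data: bytes) -> bytes:
    """One RFC 2289 MD5 step: MD5, then XOR the two 64-bit halves down to 64 bits."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_response(passphrase: str, seed: str, count: int) -> bytes:
    """OTP for sequence number `count`: S = fold_md5(seed || passphrase), then
    fold_md5 applied `count` more times. The seed is case-insensitive, so it is
    lowercased before hashing (as skey's keycrunch does)."""
    value = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(count):
        value = fold_md5(value)
    return value


def hex_form(otp: bytes) -> str:
    """RFC 2289 hexadecimal response format, e.g. '9E87 6134 D904 99DD'."""
    h = otp.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))


_CHALLENGE = re.compile(r"^otp-(md5)\s+(\d+)\s+([0-9A-Za-z]{1,16})(?:\s+ext)?$")


def parse_challenge(line: str):
    """(algorithm, count, seed) from a prompt like 'otp-md5 105 ba3562 ext';
    None for anything that is not an otp-md5 challenge."""
    m = _CHALLENGE.match(line.strip())
    return (m.group(1), int(m.group(2)), m.group(3)) if m else None


def answer_challenge(line: str, passphrase: str) -> str:
    """What the generator (winkey, opiekey, ...) prints for a challenge."""
    parsed = parse_challenge(line)
    if parsed is None:
        raise ValueError("not an otp-md5 challenge: %r" % line)
    _, count, seed = parsed
    return hex_form(otp_response(passphrase, seed, count))


class OtpVerifier:
    """Server-side state for one user, the way one opiekeys/skeykeys line holds
    it: sequence number `seq` and the last accepted OTP, which equals
    fold_md5 applied `seq` times to S. The passphrase itself is never stored."""

    LOCKOUT_AT = 0  # assumed: once seq reaches 0 no usable challenge remains

    def __init__(self, seed: str, seq: int, last_otp: bytes):
        self.seed, self.seq, self.last_otp = seed.lower(), seq, last_otp

    @classmethod
    def enroll(cls, passphrase: str, seed: str, seq: int) -> "OtpVerifier":
        """What skeyinit/opiepasswd does: store f^seq(S) and forget the passphrase."""
        return cls(seed, seq, otp_response(passphrase, seed, seq))

    def challenge(self):
        """Next prompt, or None when the user is locked out until re-enrolled."""
        if self.seq <= self.LOCKOUT_AT:
            return None
        return "otp-md5 %d %s ext" % (self.seq - 1, self.seed)

    def verify(self, response: str) -> bool:
        """Hash the answer once and compare with the stored value; advance only
        on success. A replayed answer fails because the stored value moved on."""
        if self.challenge() is None:
            return False
        try:
            candidate = bytes.fromhex(response.replace(" ", ""))
        except ValueError:
            return False
        if len(candidate) != 8:
            return False
        if not hmac.compare_digest(fold_md5(candidate), self.last_otp):
            return False
        self.last_otp = candidate
        self.seq -= 1
        return True


def demo():
    """The exchange from the thread with constructed values; returns each step."""
    passphrase = "correct horse battery staple"  # constructed; not the system password
    server = OtpVerifier.enroll(passphrase, "ba3562", 106)
    chal = server.challenge()                    # 'otp-md5 105 ba3562 ext'
    resp = answer_challenge(chal, passphrase)
    first = server.verify(resp)                  # True, seq is now 105
    replay = server.verify(resp)                 # False: a sniffed answer is useless
    wrong = server.verify(answer_challenge(server.challenge(), "not the passphrase"))
    return chal, resp, first, replay, wrong, server.seq, server.challenge()


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The property that makes cleartext transport tolerable is visible in `verify`: the wire carries f^105(S), the server holds only f^106(S), and recovering f^104(S) from either would mean inverting MD5, so a sniffer gets one already-spent value and nothing else.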