HardenedBSD/usr.bin/key
..
key.1
Makefile
README.WZV
skey.1
skey.c

One of the nice things of S/Key is that it still leaves you the option
to use regular UNIX passwords. In fact, the presence of S/Key support
is completely invisible for a user until she has set up a password with
the keyinit command. You can permit regular UNIX passwords for local
logins, while at the same time insisting on S/Key passwords for logins
from outside.

ORIGIN

These files are modified versions of the s/key files found on
thumper.bellcore.com at 21 oct 1993. They have been fixed to
run on top of SunOS 4.1.3 and Solaris 2.3.

Installation is described at the end of this file.

USAGE

Use the keyinit command to set up a new series of s/key passwords.

    wzv_6% keyinit
    Updating wietse:
    Old key: wz173500
    Reminder - Only use this method if you are direct connected.
    If you are using telnet or dial-in exit with no password and use keyinit -s.
    Enter secret password: 
    Again secret password: 

    ID wietse s/key is 99 wz173501
    BLAH BLA BLAH BLAH BLAH BLA

Be sure to make your secret password sufficiently long. Try using a
full sentence instead of just one single word.

You will have to do a "keyinit" on every system that you want to login
on using one-time passwords.

Whenever you log into an s/key protected system you will see
something like:

    login: wietse
    s/key 98 wz173501
    Password:

In this case you can either enter your regular UNIX password or
your one-time s/key password. For example, I open a local window 
to compute the password:

    local% key 98 wz173501
    Reminder - Do not use key while logged in via telnet or rlogin.
    Enter secret password: 
    BLAH BLA BLAH BLAH BLAH BLA

The "BLAH BLA BLAH BLAH BLAH BLA" is the one-time s/key password.

If you have to type the one-time password in by hand, it is convenient
to have echo turned on so that you can correct typing errors. Just type
a newline at the "Password:" prompt:

    login: wietse
    s/key 98 wz173501
    Password: (turning echo on)
    Password:BLAH BLA BLAH BLAH BLAH BLA

The 98 in the challenge will be 97 the next time, and so on. You'll get
a warning when you are about to run out of s/key passwords, so that you
will have to run the keyinit command again.

Sometimes it is more practical to carry a piece of paper with a small
series of one-time passwords. You can generate the list with:

    % key -n 10 98 wz173501
    98: BLAH BLA BLAH BLAH BLAH BLA
    97: ... 
    96: ...

Be careful when printing material like this!

INSTALLATION

To install, do: make sunos4 (or whatever), then: make install.  

The UNIX password is always permitted with non-network logins.  By
default, UNIX passwords are always permitted (the Bellcore code by
default disallows UNIX passwords but I think that is too painful).  In
order to permit UNIX passwords only with logins from specific networks,
create a file /etc/skey.access. For example,

    # First word says if UNIX passwords are to be permitted or denied.
    # remainder of the rule is a networknumber and mask. A rule matches a
    # host if any of its addresses satisfies:
    # 
    #	network = (address & mask)
    # 
    #what	network		mask
    permit	131.155.210.0	255.255.255.0
    deny	0.0.0.0		0.0.0.0

This particular example will permit UNIX passwords with logins from any
host on network 131.155.210, but will insist on one-time passwords in
all other cases.