
Re: skey and ssh

> If anyone is using skey, I'd be interested in hearing a solution to
> Claus's problem...
> Claus, I followed your steps exactly. When I get to the login (normal,
> not ssh) I get:
> 	login: jmc:skey
> 	otp-md5 <sequence> <key>
> 	S/Key Password: <enters OTP>
> 	Login incorrect
> It refuses to accept my OTP :(

Hmmm, I followed Claus' steps exactly and it works.
Both using login and ssh.

> Stuff the man pages should say:
> 	* What is the relationship between skey(1) and skeyinit(1)?
> 	  I appear to be able to generate OTPs with both. Why? When
> 	  should I use them?

With skeyinit(1) you initialize the skey database for a user on the machine
that he will be logging on to.

Using skey(1) the user can create a list of passwords (or just a single one, the next OTP)
on any machine, say his friend's laptop, provided that he knows <sequence#>,
<key> and remembers his passphrase.
He doesn't have to print that list and take it with him wherever he goes.

Once he uses the last password (numbered 0), he has to regenerate the database
using skeyinit(1).

> 	* From skey(1):
> 	  "Password sequence numbers count backwards."
> 	  Why? What difference does it make to the user?

Don't know.
Historical reasons?
But that makes sense -- the password numbered 0 is always your last password,
regardless of how many OTPs you have generated.

Imagine it working backwards.
Hey, how many passwords are left?
Or, better ask, how many passwords have I generated (perhaps a long time ago)?
Was it 100, or 50, or just 10?

When counting 99, 98, ..., 1, 0, you don't care.
You know that you've just used the password numbered, say, 5, so now you have only
five (yes, five: 4, 3, 2, 1, 0) passwords left.

> 	* What's the default algorithm (looks like md5)?


> 	* When I use skeyinit it tells me that my sequence# is 99. But
> 	  when I try to login it presents me with 98. Is this the
> 	  sequence number counting backwards? Why? Shouldn't it be 99
> 	  first?

The last password (99th in your case) is inactive by default.
That comes from the way S/Key was designed, I think.

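The three questions above (skey(1) versus skeyinit(1), why the sequence counts down, and why login asks for 98 right after skeyinit reported 99) all come down to the same hash chain, so here is a worked model of it. This is an added example written for this archive page, not code from the thread, from skey(1) or from any S/Key implementation. It follows the otp-md5 construction of RFC 2289 (MD5 of seed plus passphrase, folded to 64 bits, then MD5-and-fold once per sequence step); the class and function names, the SkeyRecord server-side model, the constructed seed "mo82413" and passphrase, and the reading of `-n count sequence#` as "count passwords ending at sequence#" are assumptions made for the example.

```python
import hashlib


def fold_md5(digest: bytes) -> bytes:
    """RFC 2289 otp-md5 folding: XOR the two 8-byte halves of a 16-byte MD5 digest."""
    if len(digest) != 16:
        raise ValueError("expected a 16-byte MD5 digest")
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_md5(seed: str, passphrase: str, sequence: int) -> bytes:
    """One-time password for `sequence` (what skey(1) computes on any machine).

    The chain starts from MD5(seed + passphrase) and applies MD5-then-fold
    `sequence` times, so password N is the hash of password N-1.  The seed is
    case-insensitive and is lowercased before use, as in RFC 2289.
    """
    if sequence < 0:
        raise ValueError("sequence number must be >= 0")
    h = fold_md5(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(sequence):
        h = fold_md5(hashlib.md5(h).digest())
    return h


def otp_hex(otp: bytes) -> str:
    """Hex form as printed by skey(1): four groups of four upper-case hex digits."""
    return " ".join(otp[i:i + 2].hex().upper() for i in range(0, 8, 2))


def password_list(seed: str, passphrase: str, last_sequence: int, count: int) -> dict:
    """Print-ahead list in the style of `skey -n count last_sequence seed`
    (assumed semantics: `count` passwords ending at `last_sequence`)."""
    first = max(last_sequence - count + 1, 0)
    return {n: otp_hex(otp_md5(seed, passphrase, n))
            for n in range(first, last_sequence + 1)}


class SkeyRecord:
    """Model of what skeyinit(1) leaves on the login host for one user.

    Only the seed, the current sequence number and the OTP for that number
    are kept; the passphrase is used once here, the way skeyinit uses it
    locally, and never stored.
    """

    def __init__(self, seed: str, passphrase: str, sequence: int = 99):
        self.seed = seed.lower()
        self.sequence = sequence
        self.stored = otp_md5(seed, passphrase, sequence)

    def exhausted(self) -> bool:
        """True once password 0 has been used; skeyinit(1) must be run again."""
        return self.sequence == 0

    def challenge(self):
        """The line login(1) shows.  Right after skeyinit reported 99 this is
        'otp-md5 98 <seed>': the host holds password 99 and asks for 98."""
        if self.exhausted():
            return None
        return f"otp-md5 {self.sequence - 1} {self.seed}"

    def verify(self, candidate: bytes) -> bool:
        """Accept `candidate` iff hashing it once yields the stored OTP.

        On success the candidate replaces the stored value and the sequence
        number drops by one, so a captured password cannot be replayed.
        """
        if self.exhausted():
            return False
        if fold_md5(hashlib.md5(candidate).digest()) != self.stored:
            return False
        self.stored = candidate
        self.sequence -= 1
        return True


if __name__ == "__main__":
    # Constructed sample values; any seed/passphrase pair works.
    seed, passphrase = "mo82413", "correct horse battery staple"
    rec = SkeyRecord(seed, passphrase, 99)
    print(rec.challenge())                              # otp-md5 98 mo82413
    print(rec.verify(otp_md5(seed, passphrase, 98)))    # True
    print(rec.verify(otp_md5(seed, passphrase, 98)))    # False (replay)
    for n, pw in password_list(seed, passphrase, 97, 3).items():
        print(n, pw)
```

The host stores the OTP for sequence N and can check the one for N-1 only by hashing it once forward, which is why the first challenge after `skeyinit` is one below the number it printed, and why the numbers must run downward: the host can verify password N-1 from password N, but nothing lets it derive N from N-1. The hex and six-word outputs of this construction can be compared against the test vectors in RFC 2289, Appendix C.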

Visit your host, monkey.org