Hitchhiker's Guide to OpenBSD


Actually using S/Key to login


Date: 04.04.2023

By now your skey has been initialized. You're ready to log in. Here is an example session using S/Key to
log in. To perform an S/Key login, you append :skey to your login name.
ftp localhost
Connected to localhost.
220 oshibana.shin.ms FTP server (Version 6.5/OpenBSD) ready.
Name (localhost:ericj): ericj:skey
331- otp-md5 96 oshi45820
331 S/Key Password: 
230- OpenBSD 4.9 (GENERIC) #671: Wed Mar 2 07:09:00 MST 2011
230-
230- Welcome to OpenBSD: The proactively secure Unix-like operating system.
230-
230- Please use the sendbug(1) utility to report bugs in the system.
230- Before reporting a bug, please try to reproduce it with the latest
230- version of the code. With bug reports, please try to ensure that
230- enough information to reproduce the problem is enclosed, and if a
230- known fix for it exists, include that as well.
230-
230 User ericj logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.
http://www.openbsd.org/faq/faq8.html (10 of 20)9/4/2011 10:02:10 AM


8 - General Questions
Note that I appended ":skey" to my username. This tells ftpd that I want to authenticate using S/Key.
Some of you might have noticed that my sequence number has changed to otp-md5 96 oshi45820. This
is because by now I have used S/Key to log in several times. But how do you get your one-time
password? To compute the one-time password, you need to know which sequence number you're
on and your key. You're probably wondering how you can remember which sequence number you're
on.
When you are logging in, the login process prints a line containing the needed information, which you
can use to generate a one-time password on the spot using another trusted computer accessed by a secure
channel, by copy-pasting the line into a command shell:
otp-md5 96 oshi45820
After typing your passphrase, your one-time password will be printed, which you can then copy-paste to
the S/Key Password prompt to log in. Not only is otp-md5 a description of the hash used, it is also an
alternate name for the skey(1) command.
If you are already logged in and want to generate a one-time password for the next login, use
skeyinfo(1); it will tell you what to use for the next login. For example, here I need to generate
another one-time password for a login that I might have to make in the future (remember, I'm doing
this from a secure channel).
skeyinfo
95 oshi45820
An even better way is to use skeyinfo -v, which outputs a command suitable to be run in the shell. For 
instance: 
skeyinfo -v
otp-md5 95 oshi45820
So, the simplest way to generate the next S/Key password is just: 
`skeyinfo -v`
Reminder - Do not use this program while logged in via telnet.
Enter secret passphrase:
NOOK CHUB HOYT SAC DOLE FUME
Note the backticks in the above example: the shell runs skeyinfo -v and then executes its output (the
otp-md5 command line) as a command.
I'm sure many of you won't always have a secure connection or a trusted local computer to create these
passwords, and creating them over an insecure connection isn't feasible, so how can you create multiple
passwords at one time? You can tell skey(1) how many passwords you want created. The resulting list
can then be printed out and taken with you wherever you go.
otp-md5 -n 5 95 oshi45820
Reminder - Do not use this program while logged in via telnet.
Enter secret passphrase:
91: SHIM SET LEST HANS SMUG BOOT
92: SUE ARTY YAW SEED KURD BAND
93: JOEY SOOT PHI KYLE CURT REEK
94: WIRE BOGY MESS JUDE RUNT ADD
95: NOOK CHUB HOYT SAC DOLE FUME
Notice, though, that the bottom password should be used first, because we are counting down
from 100.
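Why the list counts down, as an added example (not part of the FAQ and not OpenBSD's skey code): a sketch of the RFC 2289 otp-md5 computation, printing hex instead of the six-word form, with a hypothetical SkeyEntry class standing in for the server-side record. The passphrase is constructed; the seed is the one from the session above.

```python
import hashlib

def _fold(digest: bytes) -> bytes:
    """Fold a 128-bit MD5 digest to 64 bits by XORing its two halves."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))

def otp_md5(seq: int, seed: str, passphrase: str) -> bytes:
    """64-bit one-time password for sequence number seq (RFC 2289, MD5)."""
    # Initial step: hash the lower-cased seed concatenated with the passphrase.
    value = _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    # Then apply the folded hash seq more times.
    for _ in range(seq):
        value = _fold(hashlib.md5(value).digest())
    return value

class SkeyEntry:
    """Hypothetical server-side record: what is kept per user between logins."""
    def __init__(self, seq: int, seed: str, last_otp: bytes):
        self.seq, self.seed, self.last_otp = seq, seed, last_otp

    def challenge(self) -> str:
        # The next login must answer with the password for seq - 1.
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        # Hashing the response once must give the stored previous password.
        if _fold(hashlib.md5(response).digest()) != self.last_otp:
            return False
        # Accept, then move down the chain so this response cannot be replayed.
        self.seq, self.last_otp = self.seq - 1, response
        return True

# Constructed sample values (seed from the session above, passphrase made up).
SEED, PASSPHRASE = "oshi45820", "constructed example passphrase"

def demo() -> list:
    entry = SkeyEntry(97, SEED, otp_md5(97, SEED, PASSPHRASE))
    first = otp_md5(96, SEED, PASSPHRASE)      # answers "otp-md5 96 oshi45820"
    return [entry.challenge(),
            entry.verify(first),               # correct password is accepted
            entry.verify(first),               # replay of a used password fails
            entry.challenge(),
            entry.verify(otp_md5(95, SEED, PASSPHRASE))]

if __name__ == "__main__":
    print(demo())
```

The server only ever holds the previously used password, so a captured password reveals nothing about the next (lower-numbered) one without inverting the hash.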
