NAME
skey — 
respond to an OTP
  challenge
SYNOPSIS
  
    
    
  
  
    | skey | [-n
      count] [-p
      password]
      [-t hash]
      [-x]
      sequence# [/]
      key | 
DESCRIPTION
S/Key is a One Time Password (OTP) authentication system. It
  is intended to be used when the communication channel between a user and host
  is not secure (e.g. not encrypted or hardwired). Since each password is used
  only once, even if it is "seen" by a hostile third party, it cannot
  be used again to gain access to the host.
S/Key uses 64 bits of information, transformed by the MD4
  algorithm into 6 English words. The user supplies the words to authenticate
  himself to programs like 
login(1)
  or 
ftpd(8).
Example use of the 
S/Key program 
skey:
% skey  99  th91334 
Enter password: <your secret password is entered here> 
OMEN US HORN OMIT BACK AHOY 
%
 
The string that is given back by 
skey can then be used to log
  into a system.
The programs that are part of the 
S/Key system are:
  -  
-  
- skeyinit(1)
- used to set up your S/Key.
-  
-  
- skey
- used to get the one time password(s).
-  
-  
- skeyinfo(1)
- used to initialize the S/Key database for
      the specified user. It also tells the user what the next challenge will
      be.
-  
-  
- skeyaudit(1)
- used to inform users that they will soon have to rerun
      skeyinit(1).
When you run 
skeyinit(1) you
  inform the system of your secret password. Running 
skey then
  generates the one-time password(s), after requiring your secret password. If
  however, you misspell your secret password that you have given to
  
skeyinit(1) while running
  
skey you will get a list of passwords that will not work,
  and no indication about the problem.
Password sequence numbers count backward from 99. You can enter the passwords
  using small letters, even though 
skey prints them
  capitalized.
The 
-n count argument asks for
  
count password sequences to be printed out ending with
  the requested sequence number.
The hash algorithm is selected using the 
-t
  hash option, possible choices here are md4, md5 or sha1.
The 
-p password allows the user to
  specify the 
S/Key password on the command line.
To output the S/Key list in hexadecimal instead of words, use the
  
-x option.
EXAMPLES
Initialize generation of one time passwords:
host% skeyinit 
Password: <normal login password> 
[Adding username] 
Enter secret password: <new secret password> 
Again secret password: <new secret password again> 
ID username s/key is 99 host12345 
Next login password: SOME SIX WORDS THAT WERE COMPUTED
 
Produce a list of one time passwords to take with to a conference:
host% skey -n 3 99 host12345 
Enter secret password: <secret password as used with skeyinit> 
97: NOSE FOOT RUSH FEAR GREY JUST 
98: YAWN LEO DEED BIND WACK BRAE 
99: SOME SIX WORDS THAT WERE COMPUTED
 
Logging in to a host where 
skey is installed:
host% telnet host 
 
login: <username> 
Password [s/key 97 host12345]:
 
Note that the user can use either his/her 
S/Key password at
  the prompt but also the normal one unless the 
-s flag is
  given to 
login(1).
SEE ALSO
login(1),
  
skeyaudit(1),
  
skeyinfo(1),
  
skeyinit(1),
  
ftpd(8)
RFC 2289
TRADEMARKS AND PATENTS
S/Key is a trademark of Bellcore.
AUTHORS
Phil Karn
Neil M. Haller
John S. Walden
Scott Chasin