Merit Joint Technical Staff
S/key on university, college desktops
- From: Mark Richardson Knox
- Date: Mon Jun 08 17:43:45 1998
Since I started as an Internet Consultant for Merit, I've travelled,
representing Merit, to various affiliate and member sites that are
institutions (colleges, universities) that have some sort of "public"
access to the Internet on PCs in their libraries, labs and other places
where a "public" terminal might be.

I say public in quotes because clearly, what is public access has narrowed
greatly at most of these sites. Access has narrowed largely to someone who
is a member of that institution. The access validation is done by some
authentication scheme and usually the desktop is locked tight--no
downloads, in some cases no A: drive access, etc. The web is available
and, in some cases, so is telnet.

May I put a vote in for a standard utility that campus system
administrators might add to the repertoire of software available on such
locked down desktops?--an s/key calculator.

S/key is a one-time password scheme that ensures that the password that I
supply to a remote login session is not the same password twice. This is
done through a process wherein the

1) telnet command is issued to the host running s/key,
2) the response is the login prompt,
3) the id is given and the answer is a "challenge".
4) The challenge is then given to the s/key calculator (a small program
that runs on the desktop) along with a password
5) and the one time password that is generated is copied into the password
query from the host (the s/key generated passwords are 6 three and four
character words separated by spaces).

Merit uses the s/key scheme to ensure that our accounts' passwords aren't
passed over the Internet in the clear. Visiting a remote site like Michigan
State University, for example, means being a guest at a MicroLab and using
a PC or Mac to access my home (Merit) email server. I usually can telnet
to the home.merit.edu host where my mail resides. In the past, I would
have already downloaded the s/key calculator appropriate for the system I'm
using (UNIX, Windows/DOS, Mac) and it would be available to me on the
desktop (or as an executable UNIX file). I would then use the calculator
to compute the password response and successfully log in to
home.merit.edu, check my mail, use the Merit databases, etc.

The problem now is that there's no way to get the s/key calculator, which
is on an anonymous FTP server at Merit, to download onto these newly secure
desktops. To the best of my knowledge, there is no hand held calculator I
can buy to perform the response to the s/key challenge. There is at least
one web page which has a Java s/key calculator running which I have used.
But our system administrators then asked me to reinit my key for security
concerns. So if I have to reinit s/key every time I use a web based s/key
calculator, the purpose of the s/key scheme is lost.

I could use a laptop and dial in to MichNet.

Thoughts? Flames?
----------------------------------------------------------------------
Mark Richardson Knox | knoxm@merit.edu
Merit Network, Inc. | http://www.merit.edu/
4251 Plymouth Road Suite C | Ann Arbor MI 48105-2785
734.764.9430 main desk | 734.936.2120 my desk | 734.647.3185 fax
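Added example, not part of the original message or Merit's software: a sketch of the challenge/response exchange in the numbered steps above, with both the calculator and the host, showing why a response captured off the wire cannot be replayed and that the calculator is the one place the secret passphrase is entered. It assumes SHA-256 folded to 64 bits as a stand-in hash and returns raw bytes rather than the six short words; the names `fold`, `otp` and `Host` and the sample seed and passphrase are constructed for illustration.

```python
import hashlib

# ASSUMPTION: SHA-256 folded to 64 bits stands in for the hash a real
# S/Key calculator uses; the chain logic is what this example shows.
def fold(data: bytes) -> bytes:
    d = hashlib.sha256(data).digest()
    return bytes(a ^ b ^ c ^ e for a, b, c, e in zip(d[0:8], d[8:16], d[16:24], d[24:32]))

def otp(passphrase: str, seed: str, count: int) -> bytes:
    """Calculator side: hash seed + passphrase, then iterate `count` times."""
    value = fold((seed + passphrase).encode())
    for _ in range(count):
        value = fold(value)
    return value

class Host:
    """Host side: keeps only the last accepted one-time password."""
    def __init__(self, seed: str, count: int, last_otp: bytes):
        self.seed, self.count, self.last = seed, count, last_otp

    def challenge(self):
        # The next response must sit one hash step *before* the stored value.
        return self.count - 1, self.seed

    def login(self, response: bytes) -> bool:
        if self.count < 1 or fold(response) != self.last:
            return False
        self.last, self.count = response, self.count - 1
        return True

def demo():
    secret, seed = "constructed passphrase", "ke1234"  # constructed sample values
    host = Host(seed, 99, otp(secret, seed, 99))        # enrolment ("init")
    n, s = host.challenge()
    first = otp(secret, s, n)               # only the calculator sees `secret`
    results = [host.login(first)]           # fresh response: accepted
    results.append(host.login(first))       # same response replayed: rejected
    n2, s2 = host.challenge()
    results.append(host.login(otp(secret, s2, n2)))  # next response: accepted
    return results, n, n2

if __name__ == "__main__":
    print(demo())
```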