Merit Joint Technical Staff
Re: S/key on university, college desktops
- From: Wei Wang
- Date: Tue Jun 09 11:18:34 1998
Mark Richardson Knox wrote:
>
> Since I started as an Internet Consultant for Merit, I've travelled,
> representing Merit, to various affiliate and member sites that are
> institutions (colleges, universities) that have some sort of "public"
> access to the Internet on PC's in their libraries, labs and other places
> where a "public" terminal might be.
>
> I say public in quotes because clearly, what is public access has narrowed
> greatly at most of these sites. Access has narrowed largely to someone who
> is a member of that institution. The access validation is done by some
> authentication scheme and usually the desktop is locked tight--no
> downloads, in some cases no A: drive access, etc. The web is available
> and, in some cases, so is telnet.
>
> May I put a vote in for a standard utility that campus system
> administrators might add to the repertoire of software available on such
> locked down desktops?--an s/key calculator.
>
> S/key is a one-time password scheme that ensures that the password that I
> supply to a remote login session is not the same password twice. This is
> done through a process wherein the
>
> 1) telnet command is issued to the host running s/key,
> 2) the response is the login prompt,
> 3) the id is given and the answer is a "challenge".
> 4) The challenge is then given to the s/key calculator (a small program
> that runs on the desktop) along with a password
> 5) and the one time password that is generated is copied into the password
> query from the host (the s/key generated passwords are 6 three and four
> character words separated by spaces).
>
> Merit uses the s/key scheme to ensure that our accounts' passwords aren't
> passed over the Internet in the clear. Visiting a remote site like Michigan
> State University, for example, means being a guest at a MicroLab and using
> a PC or Mac to access my home (Merit) email server. I usually can telnet
> to the home.merit.edu host where my mail resides. In the past, I would
> have already downloaded the s/key calculator appropriate for the system I'm
> using (UNIX, Windows/DOS, Mac) and it would be available to me on the
> desktop (or as an executable UNIX file). I would then use the calculator
> to compute the password response and successfully log in to
> home.merit.edu, check my mail, use the Merit databases, etc.
>
> The problem now is that there's no way to get the s/key calculator, which
> is on an anonymous FTP server at Merit, to download onto these newly secure
> desktops. To the best of my knowledge, there is no hand held calculator I
> can buy to perform the response to the s/key challenge. There is at least
> one web page which has a Java s/key calculator running which I have used.
> But our system administrators then asked me to reinit my key for security
> concerns. So if I have to reinit s/key every time I use a web based s/key
> calculator, the purpose of the s/key scheme is lost.
>
> I could use a laptop and dial in to MichNet.
>
> Thoughts? Flames?
If you make the effort to install s/key, why not ssh, which gives you
much better security and privacy than s/key? With s/key, all your
traffic is still in the clear. Although there is a problem: there is
no free version of ssh for DOS/Windows, or Mac. :-(
Regards,
--
Wei Wang weiwang@merit.edu
Merit Network, Inc. http://www.merit.edu/~weiwang/
[Tel] 734-764-2874 [Fax] 734-647-3745
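
An added example, not part of the original messages: the challenge/response exchange in steps 1 to 5 of the quoted message, sketched in Python with both the calculator and the host side. It assumes the RFC 2289 MD5 variant of the scheme and its hex output form rather than the six-word encoding, since the thread does not name a hash; the `Host` class, seed, count and pass phrase are constructed for illustration.

```python
import hashlib

def fold_md5(data: bytes) -> bytes:
    """MD5 the input, then XOR-fold the 128-bit digest down to 64 bits."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp_response(challenge: str, passphrase: str) -> bytes:
    """Calculator side: 'otp-md5 <seq> <seed>' + secret -> 64-bit response."""
    algo, seq, seed = challenge.split()
    if algo != "otp-md5":
        raise ValueError("this sketch implements only the MD5 variant")
    # The pass phrase is used locally and never sent to the host.
    key = fold_md5(seed.lower().encode() + passphrase.encode())
    for _ in range(int(seq)):
        key = fold_md5(key)
    return key

def as_hex(key: bytes) -> str:
    """RFC 2289 hex output form, e.g. '9E87 6134 D904 99DD'."""
    h = key.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))

class Host:
    """Login host: keeps the last accepted response, not the pass phrase."""
    def __init__(self, seed: str, seq: int, stored: bytes):
        self.seed, self.seq, self.stored = seed, seq, stored

    def challenge(self) -> str:
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        # Hashing a valid response once more must give the stored value.
        if self.seq < 1 or fold_md5(response) != self.stored:
            return False
        self.stored, self.seq = response, self.seq - 1
        return True

def demo():
    secret = "This is a test."  # constructed sample (RFC 2289 test phrase)
    # Initialisation: the host is handed the response for sequence 100.
    host = Host("TeSt", 100, otp_response("otp-md5 100 TeSt", secret))
    ch = host.challenge()                # steps 1-3: login, then challenge
    resp = otp_response(ch, secret)      # step 4: computed on the desktop
    accepted = host.verify(resp)         # step 5: response sent to the host
    replayed = host.verify(resp)         # a captured response is now useless
    return ch, as_hex(resp), accepted, replayed

if __name__ == "__main__":
    print(demo())
```

The pass phrase is an input to the calculator only, so the trust placed in whatever program performs step 4 is the same trust placed in the pass phrase itself.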