Berkeley CSUA MOTD:Entry 37839
Berkeley CSUA MOTD
 
WIKI | FAQ | Tech FAQ
http://csua.com/feed/
2025/07/09 [General] UID:1000 Activity:popular
7/9     

2005/5/25-7/12 [Computer/SW/Unix] UID:37839 Activity:nil
5/25    Various insecure services have been disabled, including FTP, per
        departmental policy and/or request. You should be using sftp. =)
        \_ This should be in officia
        \_ When sftp shows this:
           s/key 98 so37989
           Password:
           What am I supposed to type?
           \_ You get an s/key program, enter it, enter your soda password,
              and paste the result into the window, as per
              http://www.csua.berkeley.edu/skey-howto.html -John
              \_ no offense, this is about the most confusing document ever
        \_ You should also be getting a life, but the department does not yet
           enforce that one... - jvarga
ERROR, url_link recursive (eces.Colorado.EDU/secure/mindterm2) 2025/07/09 [General] UID:1000 Activity:popular
7/9     

You may also be interested in these entries...
2012/8/26-11/7 [Computer/SW/Security] UID:54465 Activity:nil
8/26    Poll: how many of you pub/priv key users: 1) use private keys that
        are not password protected 2) password protect your private keys
        but don't use ssh-agent 3) use ssh-agent:
        1) .
        2) ..
        3) ...
	...
2012/8/29-11/7 [Computer/SW/Security] UID:54467 Activity:nil
8/29    There was once a CSUA web page which runs an SSH client for logging
        on to soda.  Does that page still exist?  Can someone remind me of the
        URL please?  Thx.
        \_ what do you mean? instruction on how to ssh into soda?
           \_ No I think he means the ssh applet, which, iirc, was an applet
              that implemented an ssh v1 client.  I think this page went away
	...
2012/8/30-11/7 [Computer/SW/Apps, Computer/SW/Unix] UID:54470 Activity:nil
8/30    Is wall just dead? The wallall command dies for me, muttering
        something about /var/wall/ttys not existing.
        \_ its seen a great drop in usage, though it seems mostly functional.
            -ERic
        \_ Couldn't open wall log!: Bad file descriptor
           Could not open wall subscription directory /var/wall/ttys: No such file or directory
	...
2012/9/24-11/7 [Computer/SW/Languages, Computer/SW/Unix] UID:54484 Activity:nil
9/24    How come changing my shell using ldapmodify (chsh doesn't work) doesn't
        work either? ldapsearch and getent show the new shell but I still get
        the old shell on login.
        \_ Scratch that, it magically took my new shell now. WTF?
           \_ probably nscd(8)
	...
2012/3/29-6/4 [Computer/HW/Memory, Computer/HW/CPU, Computer/HW/Drives] UID:54351 Activity:nil
3/29    A friend wants a PC (no mac). She doesn't want Dell. Is there a
        good place that can custom build for you (SSD, large RAM, cheap video
        card--no game)?
        \_ As a side note: back in my Cal days more than two decades ago when
           having a 387SX made me the only person with floating-point hardware,
           most machines were custom built.
	...
2012/1/27-3/26 [Computer/SW/Unix] UID:54299 Activity:nil
1/27    Interesting list of useful unix tools. Shout out to
        cowsay even!
        http://www.stumbleupon.com/su/3428AB/kkovacs.eu/cool-but-obscure-unix-tools
        \_ This is nice.  Thanks.
	...
2011/11/20-2012/2/6 [Computer/Companies/Apple, Computer/SW/Unix] UID:54237 Activity:nil
11/20   Are there tools that can justify a chunk of plain ASCII text by
        replacing words with words of similar meaning and inserting/removing
        commas into the text?  I received a 40-line plain text mail where
        all the lines are justified on left and right.  Every word and comma
        is followed by only one space, and every period is followed by two
        spaces.  The guy is my kid's karate instructor which I don't think is
	...
Cache (5653 bytes)
www.csua.berkeley.edu/skey-howto.html
S/Key is a one-time password scheme based on a one-way hash function (in our version, this is MD4 for compatibility; S/Key is a registered trademark of Bell Communications Research, Inc. There are three different sorts of passwords which we will talk about in the discussion below. The first is your usual UNIX-style or Kerberos password; The second sort is the one-time password which is generated by the S/Key key program and accepted by the keyinit program and the login prompt; The final sort of password is the secret password which you give to the key program (and sometimes the keyinit program) which it uses to generate one-time passwords; The secret password does not necessarily have anything to do with your UNIX password (while they can be the same, this is not recommended). While UNIX passwords are limited to eight characters in length, your S/Key secret password can be as long as you like; In general, the S/Key system operates completely independently of the UNIX password system. There are in addition two other sorts of data involved in the S/Key system; The login and su programs keep track of the last one-time password used, and the user is authenticated if the hash of the user-provided password is equal to the previous password. Because a one-way hash function is used, it is not possible to generate future one-time passwords having overheard one which was successfully used; The key program accepts an iteration count, a seed, and a secret password, and generates a one-time password. The keyinit program is used to initialized S/Key, and to change passwords, iteration counts, or seeds; The keyinfo program examines the /etc/skeykeys file and prints out the invoking user's current iteration count and seed. Finally, the login and su programs contain the necessary logic to accept S/Key one-time passwords for authentication. The login program is also capable of disallowing the use of UNIX passwords on connections coming from specified addresses. There are four different sorts of operations we will cover. The first is using the keyinit program over a secure connection to set up S/Key for the first time, or to change your password or seed. The second operation is using the keyinit program over an insecure connection, in conjunction with the key program over a secure connection, to do the same. The third is using the key program to log in over an insecure connection. The fourth is using the key program to generate a number of keys which can be written down or printed out to carry with you when going to some location without secure connections to anywhere (like at a conference). If you are using telnet or rlogin exit with no password and use keyinit -s. Enter secret password: ) I typed my pass phrase here Again secret password: ) I typed it again ID wollman s/key is 99 ha73896 ) discussed below SAG HAS FONT GOUT FATE BOOM ) There is a lot of information here. At theEnter secret password: prompt, you should enter some password or phrase (I use phrases of minimum seven words) which will be needed to generate login keys. The line starting ID' gives the parameters of your particular S/Key instance: your login name, the iteration count, and seed. When logging in with S/Key, the system will remember these parameters and present them back to you so you do not have to remember them. The last line gives the particular one-time password which corresponds to those parameters and your secret password; Insecure connection initialization To initialize S/Key or change your password or seed over an insecure connection, you will need to already have a secure connection to some place where you can run the key program; You will also need to make up an iteration count (100 is probably a good value), and you may make up your own seed or use a randomly-generated one. Over on the insecure connection (to the machine you are initializing), use the keyinit -s command: % keyinit -s Updating wollman: Old key: kh94741 Reminder you need the 6 English words from the skey command. Enter sequence count from 1 to 9999: 100 ) I typed this Enter new key default kh94742 : s/key 100 kh94742 To accept the default seed (which the keyinit program confusingly calls a key), press return. Then move over to your secure connection or S/Key desk accessory, and give it the same parameters: % key 100 kh94742 Reminder - Do not use this program while logged in via telnet or rlogin. Enter secret password: ) I typed my secret password HULL NAY YANG TREE TOUT VETO Now switch back over to the insecure connection, and copy the one-time password generated by key over to the keyinit program: s/key access password: HULL NAY YANG TREE TOUT VETO ID wollman s/key is 100 kh94742 HULL NAY YANG TREE TOUT VETO The rest of the description from the previous section applies here as well. You will also find a useful feature (not shown here): if you press return at the password prompt, the login program will turn echo on, so you can see what you are typing. This can be extremely useful if you are attempting to type in an S/Key by hand, such as from a printout. If this machine were configured to disallow UNIX passwords over a connection from my machine, the prompt would have also included the annotation (s/key required), indicating that only S/Key one-time passwords will be accepted. Generating a single one-time password Now, to generate the one-time password needed to answer this login prompt, we use a trusted machine and the key program. Thus: % key 92 hi52030 ) pasted from previous section Reminder - Do not use this program while logged in via telnet or rlogin. This is the easiest mechanism if you have a trusted machine.