Running out of S/Keys? When a user has fewer than 10 S/Key passwords left, FireWall-1 will prompt the user to create a new S/Key chain. The user will need to generate the new chain with a different "seed" value (the default seed is the username; reusing the old seed with the same secret would simply regenerate the old chain), and then give FireWall-1 the new chain length and the last "password" in the chain.
On a Unix machine, I would generate the new key chain as follows (assuming I want to use "seed" as my new seed value and 1000 as my chain length):

    ~ $ key 1000 seed
    Reminder - Do not use this program while logged in via telnet or rlogin.
    Enter secret password: [Secret Key]
    JOG WAKE SUN MEND ILL COWL

After I've done this, I can input this information into my telnet/client auth session as follows:

    Check Point FireWall-1 authenticated Telnet server running on kenny
    User: phoneboy
    SKEY CHALLENGE: 9 phoneboy.
    Enter SKEY string: MUG EMMA PI PRY HOYT MANN
    User phoneboy authenticated by S/Key system
    You have only 8 one-time passwords left. A new S/Key chain should be created.
    If you have a new chain, you can enter it now by typing the chain length and the last password in the chain.
    Enter New Chain (y/n) ? y
    Enter S/Key chain length: 1000
    Enter the last string of the new chain: JOG WAKE SUN MEND ILL COWL
    New S/Key chain accepted
    Connected to kyle

Note: I entered the password I generated above when it asked me for the "last string". It is only used to initialize the S/Key chain; future passwords will decrement from there (the challenge after this rollover will be 999, and so on down). Also, FireWall-1 will always prompt you with the "old" seed value, not the new one, because the new seed is never sent to the firewall. You will need to remember to use the new seed value when using an S/Key generator or generating your own list.
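The following is an added example (my own code, not PhoneBoy's, Check Point's or the `key` program's) that models what the session above does on both sides: the client computes password N of a chain as in `key N seed`, and the server stores only the sequence number and the last accepted 64-bit value, verifying each response by hashing it once. It assumes a constructed secret, uses hex instead of the six-word encoding (the RFC 1760 word list is not included), and falls back from MD4 (what S/Key and FireWall-1 use) to MD5 per RFC 2289 when the local OpenSSL no longer provides MD4, so the values it prints will not match the transcript. The `SkeyServer` name and its methods are my own.

```python
"""S/Key chain generation and server-side verification (added example)."""
import hashlib


def _fold(digest: bytes) -> bytes:
    """Fold a 128-bit MD4/MD5 digest to 64 bits as RFC 1760/2289 specify:
    XOR bytes 0..7 with bytes 8..15."""
    return bytes(digest[i] ^ digest[i + 8] for i in range(8))


def pick_algorithm() -> str:
    """S/Key proper (RFC 1760, what `key` and FireWall-1 use) is MD4.
    Many OpenSSL builds no longer ship MD4, so fall back to MD5 (the
    RFC 2289 otp-md5 variant, which uses the same fold)."""
    try:
        hashlib.new("md4", b"")
        return "md4"
    except ValueError:
        return "md5"


def _step(x: bytes, algo: str) -> bytes:
    """One hash-and-fold step of the chain."""
    return _fold(hashlib.new(algo, x).digest())


def otp(seq: int, seed: str, secret: str, algo: str) -> bytes:
    """One-time password number `seq` for (seed, secret) as 8 raw bytes, i.e.
    what `key <seq> <seed>` prints after you type the secret. Password N is
    the start value hashed N times, so hashing password N-1 once gives N."""
    x = _step((seed.lower() + secret).encode(), algo)  # seed is case-insensitive
    for _ in range(seq):
        x = _step(x, algo)
    return x


class SkeyServer:
    """Per-user state a verifier like FireWall-1 keeps: sequence number, the
    64-bit value of the last accepted (or initial) password, and the seed it
    echoes in challenges. The secret is never stored, and the seed is not
    needed to verify anything; it is only shown to the user."""

    def __init__(self, seed: str, seq: int, last: bytes, algo: str):
        self.seed, self.seq, self.last, self.algo = seed, seq, last, algo

    def remaining(self) -> int:
        # Counted as in the transcript: password 9 accepted -> "8 left".
        return self.seq - 1

    def challenge(self):
        """The 'SKEY CHALLENGE: <seq> <seed>' line."""
        if self.seq < 1:
            raise RuntimeError("chain exhausted, a new chain is required")
        return self.seq - 1, self.seed

    def verify(self, response: bytes) -> bool:
        """Accept iff hashing the response once yields the stored value; on
        success the response becomes the stored value, so replay fails."""
        if _step(response, self.algo) != self.last:
            return False
        self.last, self.seq = response, self.seq - 1
        return True

    def new_chain(self, length: int, last_password: bytes) -> None:
        """What 'Enter New Chain (y/n) ? y' collects: the length and the LAST
        password only. No seed is sent, which is why the old one keeps
        appearing in later challenges."""
        self.seq, self.last = length, last_password


def demo() -> dict:
    """Replay the transcript: use password 9 of a nearly exhausted chain,
    reject its replay, roll over to a 1000-long chain made with seed "seed",
    then show the echoed old seed yields a bad password and the new seed works."""
    algo = pick_algorithm()
    secret = "correct horse battery staple"          # constructed sample secret
    server = SkeyServer("phoneboy", 10, otp(10, "phoneboy", secret, algo), algo)

    seq, seed = server.challenge()                   # 9 phoneboy
    accepted = server.verify(otp(seq, seed, secret, algo))
    replayed = server.verify(otp(seq, seed, secret, algo))
    left = server.remaining()                        # 8

    server.new_chain(1000, otp(1000, "seed", secret, algo))  # `key 1000 seed`
    seq, shown_seed = server.challenge()             # 999, still "phoneboy"
    with_old_seed = server.verify(otp(seq, shown_seed, secret, algo))
    with_new_seed = server.verify(otp(seq, "seed", secret, algo))

    return {"algo": algo, "accepted": accepted, "replayed": replayed,
            "left": left, "challenge_after_rollover": (seq, shown_seed),
            "with_old_seed": with_old_seed, "with_new_seed": with_new_seed,
            "left_after": server.remaining(),
            "next_password_hex": otp(seq - 1, "seed", secret, algo).hex()}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things worth noticing in the server class: the verifier never needs the secret or the seed, only the last accepted value, which is exactly why the "last string" of a fresh chain is all FireWall-1 asks for, and why it can keep showing the stale seed without breaking anything as long as you compute with the right one. Real S/Key clients also accept the hex form shown here as an alternative to the six words.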
--
PhoneBoy - 30 Dec 2003