Gentoo Wiki


Wikipedia has an article on:



S/KEYs are one time use passwords. You can use them if you need to provide passwords where someone may be monitoring your keystrokes. S/keys are generated randomly, usually around 100 are generated at one time, with a passphrase as a key. (This passphrase is independent of your main system password.)

Warning: There is no security benifit if you enter your system password or the S/KEY passphrase during a session that is monitored by bad guys.


First emerge the 'skey' package

emerge -av sys-auth/skey

And set the skey USE flag in /etc/make.conf

Then re-emerge any packages that support skeys.

emerge -avN world

Now generate the skeys for the users you wish to use with it:

As root:

skeyinit USER

As a regular user:


And follow the instructions.


Currently Gentoo does not have a PAM module* for Skey so you will need to depend on individual programs that have been modified to take Skey into account. SSH does this automatically.

One notable application is sudo. It can only use PAM or Skey but not both as SSH does. One way of working around this is to emerge sudo with -pam +skey and then rename /usr/bin/sudo to /usr/bin/sudo-skey Then emerge it again with pam defined. Note that you will need to remember to do this each time a new version of sudo is released. There exists a pam module for skey called "sys-auth/pam_skey"


I got it working with SSH so I thought someone might like an example. Hope you don't mind. Make sure you read the above documentation!

File: /etc/ssh/sshd_config
Port 22
Protocol 2
AllowUsers jdoe
Ciphers blowfish-cbc,aes256-cbc,aes256-ctr
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
StrictModes yes
RhostsRSAAuthentication no
RSAAuthentication yes
UsePrivilegeSeparation yes
LoginGraceTime 30
MaxStartups 5
MaxAuthTries 6
HostKey /etc/ssh/ssh_host_dsa_key
ChallengeResponseAuthentication yes

Note: I had to disable PAM and enable ChallengeResponseAuthentication. Restart ssh and then do the following in two seperate shells.
(actually you dont have to disable PAM, just press enter for the first login password prompt, or rearrange pam modules)

Code: Shell 1
$ ssh localhost
otp-md5 95 lapt77187
S/Key Password: 
Code: Shell 2
$ skey 95 lapt77187
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password: <password you set with skeyinit>
Code: Shell 1
Last login: Tue Dec  6 15:10:58 2005 from localhost

That's it. You are loged in via s/key and if the password is wrong, it kicks you out and doesn't offer another type of authentication!

Generating S/Key One-time-passwords

There are two possibilietes: Pregenerate a list of passwords and carry it with you, or generate them when needed. However, you should never generate a one-time password on a machine you can't absolutely trust, as this would reveal your password. There is an easy and more secure way to generate one-time passwords on the go, as long as you own a mobile phone supporting Java: jOTP, a java One-Time-Password generator.

See also

Retrieved from ""

Last modified: Sun, 07 Sep 2008 08:08:00 +0000 Hits: 10,594