Home > Success Center > Serv-U Managed File Transfer & Serv-U FTP Server > One-Time Password feature in Serv-U (OTP, MD4, MD5)

One-Time Password feature in Serv-U (OTP, MD4, MD5)

Table of contents

Updated April 20, 2017

Overview

This article provides information on the use of a one-time password feature in Serv-U.

Environment

All Serv-U versions

Detail

According to the rules of the FTP protocol, when users connect to an FTP server, their passwords are sent through a network in plain text. Anyone with a packet sniffer can intercept data.

 

SSH File Transfer Protocol (SFTP), Secure File Transfer Protocol (FTPS), and Secure Hypertext Transfer Protocol (HTTPS) listeners in Serv-U prevents password detection. 

 

The use of a One-Time Password (OTP) is another method that prevents password disclosure. Instead of using the same password at every log in event, the users are sent on the Web a one-way encrypted version of the password called a  hash.

 

A  hash is a complex combination of values that are never used twice. It is impossible to determine the original password based on a hash. It cannot be reused even if a third-party intercepts and manages to retrieve a password.

 

Serv-U supports S/KEY (MD4 and MD5), a one-time password system developed for authentication.

To enable S/KEY:

  1. Go to User Properties > User Information.
  2. Select OTP S/KEY MD4 or OTP S/KEY MD5.

Note: In Serv-U 6.x, S/KEY is enabled from the General tab of the User Properties window.

 

When storing passwords in an encrypted form, new passwords must be entered since FTP Serv-U needs to know the password when using S/KEY and the encrypted password stored in the User Setup cannot be decrypted.

 

To use S/KEY, FTP Client needs to support it (FTP Voyager has integrated support for S/KEY www.ftpvoyager.com), or needs to allow interception of the user response and manual password entry at each log in event (the Command Line FTP Client allows this).

 

An S/KEY calculator is required. This program helps calculate a response to FTP Serv-U challenges. It is named WinKey. The S/KEY is calculator can be found in the Rhinosoft website.
 

 

 

You must to post a comment.
Last modified
04:17, 20 Apr 2017

Tags

Classifications

Public