Updated April 20, 2017
This article provides information on the use of a one-time password feature in Serv-U.
All Serv-U versions
According to the rules of the FTP protocol, when users connect to an FTP server, their passwords are sent through a network in plain text. Anyone with a packet sniffer can intercept data.
SSH File Transfer Protocol (SFTP), Secure File Transfer Protocol (FTPS), and Secure Hypertext Transfer Protocol (HTTPS) listeners in Serv-U prevent password detection.
The use of a One-Time Password (OTP) is another method that prevents password disclosure. Instead of using the same password at every login event, a one-way encrypted version of the password, called a hash, is sent over the Web. The hash is a complex combination of values that are never used twice. It is impossible to determine the original password based on a hash. It cannot be reused even if a third party intercepts it and manages to retrieve a password.
Serv-U supports S/KEY (MD4 and MD5), a one-time password system developed for authentication.
To enable S/KEY:
Note: In Serv-U 6.x, S/KEY is enabled from the General tab of the User Properties window.
When passwords are stored in an encrypted form, new passwords must be entered, because FTP Serv-U needs to know the password when using S/KEY and the encrypted password stored in the User Setup cannot be decrypted.
To use S/KEY, the FTP client needs to support it (FTP Voyager, www.ftpvoyager.com, has integrated support for S/KEY), or needs to allow interception of the user response and manual password entry at each login event (the Command Line FTP Client allows this).
An S/KEY calculator is required. This program helps calculate a response to FTP Serv-U challenges. It is named WinKey. The S/KEY calculator can be found on the Rhinosoft website.
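What an S/KEY calculator computes, and why an intercepted response cannot be reused, shown as an added example that is not Serv-U or WinKey code. It assumes the MD5 hash chain of RFC 2289 (seed plus passphrase, hashed and folded to 64 bits); the `Server` class and the passphrase, seed and count values are constructed for illustration, and Serv-U's exact challenge text is not shown on this page.

```python
import hashlib
import hmac


def _step(data: bytes) -> bytes:
    """One chain step: MD5, then fold 128 bits to 64 by XORing the two halves."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp(passphrase: str, seed: str, count: int) -> bytes:
    """Calculator side: hash seed+passphrase once, then apply `count` more steps."""
    value = _step(seed.lower().encode() + passphrase.encode())
    for _ in range(count):
        value = _step(value)
    return value


class Server:
    """Hypothetical server model: it knows the password (as the article notes
    Serv-U must) and lowers the sequence number after every accepted login."""

    def __init__(self, passphrase: str, seed: str, count: int):
        self._passphrase, self.seed, self.count = passphrase, seed, count

    def challenge(self):
        """Sequence number and seed the client must feed to its calculator."""
        return self.count, self.seed

    def verify(self, response: bytes) -> bool:
        if self.count < 1:          # chain exhausted: a new seed/password is needed
            return False
        expected = otp(self._passphrase, self.seed, self.count)
        if not hmac.compare_digest(response, expected):
            return False
        self.count -= 1             # the accepted value is never valid again
        return True


if __name__ == "__main__":
    # Constructed sample values, not taken from any real account.
    srv = Server("constructed passphrase", "ke1234", 99)
    n, seed = srv.challenge()
    sniffed = otp("constructed passphrase", seed, n)    # what a sniffer would see
    print("first login :", srv.verify(sniffed))          # True
    print("replay      :", srv.verify(sniffed))          # False
    # Hashing the sniffed value only yields the *previous* (already used) OTP;
    # the next one requires inverting MD5.
    print("next needs  :", otp("constructed passphrase", seed, n - 1).hex())
```

The response for sequence number n-1 hashes forward to the response for n, so a captured value only reveals responses that have already been spent.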