One-time Password Processing (OTP, MD4, MD5)  -  KB Article #1068

According to the rules of the FTP protocol, when users connect to an FTP server their passwords are sent over the network in clear text. Anyone with a packet sniffer in the right place can see them. SFTP, FTPS, and the new HTTPS listener in Serv-U can prevent password sniffing attacks; another method of preventing password disclosure is the use of OTP. OTP, or One Time Password, is one of the most common ways of mitigating this threat: rather than using the same password at every login event, it sends a one-way encrypted version of the password, called a "hash", over the net. Because of the complexity of the hash, as well as the fact that the same hash value is never used twice, it is impossible to determine the original password based on a hash. Even if someone intercepts it and manages to retrieve the password used, it cannot be re-used to gain illegitimate access because the same password will never be used again (hence the term One Time Password).

Serv-U supports a popular form of OTP called S/KEY, which in turn has two variants: MD4 and MD5. Both use similar hash functions and both are supported in FTP Serv-U. S/KEY can be enabled by selecting either "OTP S/KEY MD4" or "OTP S/KEY MD5" from the User Properties | User Information window. If passwords are stored in encrypted form, a new password must be entered, since FTP Serv-U needs to know the password when using S/KEY and the encrypted password stored in the user setup cannot be decrypted.

To use S/KEY, the FTP client either needs to support it (FTP Voyager has integrated support for S/KEY) or needs to allow interception of the USER response and manual password entry at each login (the command line FTP client will allow this). In the latter case an S/KEY "calculator" is required. This program helps calculate a response to FTP Serv-U's challenge. It is named "WinKey" and can be found at

NOTE 1: In Serv-U 6.x, S/KEY is enabled from the General tab of the user properties window.
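
The response an S/KEY calculator computes for a challenge, and why a sniffed response is useless on the next login, shown as an added example (not Serv-U or WinKey code). It assumes the MD5 variant follows RFC 2289 (seed lowercased and prepended to the password, MD5 folded to 64 bits, repeated `count` times); the `Server` class is a hypothetical model of a verifier that keeps the password, as the article says Serv-U must.

```python
import hashlib
import hmac

def fold_md5(data: bytes) -> bytes:
    """One S/KEY step: MD5, then XOR the two 8-byte halves (RFC 2289)."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """64-bit response to the challenge (count, seed)."""
    value = fold_md5(seed.lower().encode() + passphrase.encode())
    for _ in range(count):            # 'count' further applications of the step
        value = fold_md5(value)
    return value

class Server:
    """Hypothetical verifier: keeps the password and lowers the sequence
    number after every successful login, so each response is valid once."""
    def __init__(self, passphrase: str, seed: str, count: int):
        self.passphrase, self.seed, self.count = passphrase, seed, count

    def challenge(self):
        return self.count, self.seed

    def login(self, response: bytes) -> bool:
        if self.count < 0:            # sequence exhausted, a new seed is needed
            return False
        expected = otp_md5(self.passphrase, self.seed, self.count)
        if not hmac.compare_digest(expected, response):
            return False
        self.count -= 1               # next challenge is one step earlier
        return True

def demo():
    # Constructed session; pass phrase and seed are RFC 2289's test inputs.
    server = Server("This is a test.", "TeSt", 99)
    count, seed = server.challenge()
    sniffed = otp_md5("This is a test.", seed, count)  # visible on the wire
    first = server.login(sniffed)     # legitimate login succeeds
    replay = server.login(sniffed)    # same bytes again are rejected
    return sniffed.hex(), first, replay

if __name__ == "__main__":
    print(demo())
```

The response for sequence number n is the step function applied to the response for n-1, so moving from a captured response to the next valid one means inverting the hash.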