Annotation of src/usr.bin/skeyinit/skeyinit.1, Revision 1.24
1.24 ! millert 1: .\" $OpenBSD: skeyinit.1,v 1.23 2002/05/17 15:54:12 millert Exp $
1.1 deraadt 2: .\" $NetBSD: skeyinit.1,v 1.4 1995/07/07 22:24:09 jtc Exp $
3: .\" @(#)skeyinit.1 1.1 10/28/93
4: .\"
1.11 millert 5: .Dd February 24, 1998
1.1 deraadt 6: .Dt SKEYINIT 1
1.8 michaels 7: .Os
1.1 deraadt 8: .Sh NAME
1.7 millert 9: .Nm skeyinit
1.14 aaron 10: .Nd change password or add user to S/Key authentication system
1.1 deraadt 11: .Sh SYNOPSIS
12: .Nm skeyinit
1.23 millert 13: .Op Fl r
1.1 deraadt 14: .Op Fl s
1.21 millert 15: .Op Fl x
16: .Op Fl C
17: .Op Fl D
18: .Op Fl E
19: .Op Fl a Ar auth-type
1.9 millert 20: .Op Fl n Ar count
1.15 millert 21: .Oo
22: .Fl md4 | Fl md5 | Fl sha1 |
23: .Fl rmd160
24: .Oc
1.1 deraadt 25: .Op Ar user
26: .Sh DESCRIPTION
1.16 aaron 27: .Nm
28: initializes the system so you can use S/Key one-time passwords to log in.
29: The program will ask you to enter a secret pass phrase;
1.17 aaron 30: enter a phrase of several words in response.
31: After the S/Key database
1.7 millert 32: has been updated you can log in using either your regular password
33: or using S/Key one-time passwords.
34: .Pp
1.16 aaron 35: .Nm
1.7 millert 36: requires you to type a secret password, so it should be used
1.16 aaron 37: only on a secure terminal.
38: For example, on the console of a
39: workstation or over an encrypted network session.
40: If you are using
41: .Nm
1.7 millert 42: while logged in over an untrusted network, follow the instructions
43: given below with the
44: .Fl s
45: option.
46: .Pp
47: Before initializing an S/Key entry, the user must authenticate
1.16 aaron 48: using either a standard password or an S/Key challenge.
49: When used over an untrusted network, a password of
1.7 millert 50: .Sq s/key
1.16 aaron 51: should be used.
52: The user will then be presented with the standard
1.7 millert 53: S/Key challenge and allowed to proceed if it is correct.
1.18 aaron 54: .Pp
55: The options are as follows:
1.19 aaron 56: .Bl -tag -width Ds
1.21 millert 57: .It Fl C
58: Converts from the old-style
59: .Pa /etc/skeykeys
60: database to a new-style database where user records are stored in the
61: .Pa /etc/skey
62: directory.
63: If an entry already exists in the new-style database it will not
64: be overwritten.
65: .It Fl D
66: Disables access to the S/Key database.
67: Only the superuser may use the
68: .Fl D
69: option.
70: .It Fl E
71: Enables access to the S/Key database.
72: Only the superuser may use the
73: .Fl E
74: option.
1.23 millert 75: .It Fl r
76: Removes the user's S/Key entry.
1.1 deraadt 77: .It Fl s
1.7 millert 78: Set secure mode where the user is expected to have used a secure
1.16 aaron 79: machine to generate the first one-time password.
80: Without the
1.7 millert 81: .Fl s
1.12 aaron 82: option the system will assume you are directly connected over secure
1.16 aaron 83: communications and prompt you for your secret password.
84: The
1.7 millert 85: .Fl s
86: option also allows one to set the seed and count for complete
1.16 aaron 87: control of the parameters.
88: You can use
89: .Ic skeyinit -s
1.7 millert 90: in combination with the
1.1 deraadt 91: .Nm skey
1.7 millert 92: command to set the seed and count if you do not like the defaults.
93: To do this run
1.16 aaron 94: .Nm
1.7 millert 95: in one window and put in your count and seed, then run
96: .Nm skey
1.13 aaron 97: in another window to generate the correct 6 English words for that
1.16 aaron 98: count and seed.
99: You can then "cut-and-paste" or type the words into the
100: .Nm
1.7 millert 101: window.
1.24 ! millert 102: When the
! 103: .Fl s
! 104: option is specified,
! 105: .Nm
! 106: will try to authenticate the user via S/Key, instead of the default listed in
! 107: .Pa /etc/login.conf .
! 108: If a user has no entry in the S/Key database, an alternate authentication
! 109: type must be specified via the
! 110: .Fl a
! 111: option.
! 112: Please note that entering a password or passphrase in plain text
! 113: defeats the purpose of using
! 114: .Dq secure
! 115: mode.
1.21 millert 116: .It Fl x
117: Displays pass phrase in hexadecimal instead of ASCII.
118: .It Fl a Ar auth-type
119: Specify an authentication type such as
1.24 ! millert 120: .Dq krb4 ,
! 121: .Dq krb5
1.21 millert 122: or
1.24 ! millert 123: .Dq passwd .
1.9 millert 124: .It Fl n Ar count
125: Start the
126: .Nm skey
127: sequence at
128: .Ar count
129: (default is 100).
1.5 millert 130: .It Fl md4
131: Selects MD4 as the hash algorithm.
132: .It Fl md5
133: Selects MD5 as the hash algorithm.
134: .It Fl sha1
1.6 millert 135: Selects SHA (NIST Secure Hash Algorithm Revision 1) as the hash algorithm.
1.10 millert 136: .It Fl rmd160
137: Selects RMD-160 (160 bit Ripe Message Digest) as the hash algorithm.
1.1 deraadt 138: .It Ar user
1.17 aaron 139: The username to be changed/added.
140: By default the current user is operated on.
1.18 aaron 141: .El
1.11 millert 142: .Sh ERRORS
1.20 millert 143: .Bl -tag -compact -width "skey disabled"
144: .It "skey disabled"
1.21 millert 145: .Pa /etc/skey
146: does not exist or is not accessible by the user.
147: The superuser may enable
148: .Nm
149: via the
150: .Fl E
151: flag.
1.20 millert 152: .El
1.1 deraadt 153: .Sh FILES
1.24 ! millert 154: .Bl -tag -width /etc/login.conf -compact
! 155: .It Pa /etc/login.conf
! 156: file containing authentication types
1.21 millert 157: .It Pa /etc/skey
158: directory containing user entries for S/Key
1.20 millert 159: .El
1.1 deraadt 160: .Sh SEE ALSO
1.22 millert 161: .Xr skey 1 ,
162: .Xr skeyinfo 1
1.1 deraadt 163: .Sh AUTHORS
1.21 millert 164: Phil Karn, Neil M. Haller, John S. Walden, Scott Chasin, Todd Miller
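
The seed and count handling described under the -s option, shown as an added Python example (not part of skeyinit.1 or OpenBSD's code): the first one-time password is computed on a trusted machine, and the server stores only that value and checks each later login by hashing the response once. It follows the RFC 2289 MD5 construction, which is assumed here to match skey; the Entry class, pass phrase and seed are constructed for illustration.

```python
import hashlib

def fold_md5(data: bytes) -> bytes:
    """MD5 the input, then fold the 128-bit digest to 64 bits by XORing its halves."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp(passphrase: str, seed: str, count: int) -> bytes:
    """One-time password number `count`: the initial step plus `count` more hashes."""
    value = fold_md5((seed.lower() + passphrase).encode("ascii"))
    for _ in range(count):
        value = fold_md5(value)
    return value

class Entry:
    """Hypothetical server-side record: seed, count and the last accepted OTP."""
    def __init__(self, seed: str, count: int, first_otp: bytes):
        self.seed, self.count, self.last = seed, count, first_otp

    def challenge(self) -> str:
        # The user must answer with the OTP for count - 1 (RFC 2289 style challenge).
        return f"otp-md5 {self.count - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        if self.count < 1:
            return False  # chain used up; the entry must be initialized again
        if fold_md5(response) != self.last:
            return False  # wrong pass phrase, wrong count, or a replayed OTP
        self.last, self.count = response, self.count - 1
        return True

def demo():
    # Constructed sample values, not taken from the manual page.
    passphrase, seed, count = "a constructed sample pass phrase", "ke1234", 100
    # Trusted machine: compute the first OTP for the chosen seed and count.
    first = otp(passphrase, seed, count)
    # Server: secure-mode initialization stores only this value, never the pass phrase.
    entry = Entry(seed, count, first)
    results = [entry.challenge()]
    response = otp(passphrase, seed, count - 1)
    results.append(entry.verify(response))   # accepted, count drops to 99
    results.append(entry.verify(response))   # replay of the same OTP is rejected
    results.append(entry.challenge())
    return results

if __name__ == "__main__":
    print(demo())
```

Because each accepted response replaces the stored value, a captured one-time password cannot be reused, and the pass phrase itself never crosses the network.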