Annotation of src/usr.bin/skeyinit/skeyinit.1, Revision 1.29
1.29 ! jmc 1: .\" $OpenBSD: skeyinit.1,v 1.28 2004/06/06 11:23:25 otto Exp $
1.1 deraadt 2: .\" $NetBSD: skeyinit.1,v 1.4 1995/07/07 22:24:09 jtc Exp $
3: .\" @(#)skeyinit.1 1.1 10/28/93
4: .\"
1.11 millert 5: .Dd February 24, 1998
1.1 deraadt 6: .Dt SKEYINIT 1
1.8 michaels 7: .Os
1.1 deraadt 8: .Sh NAME
1.7 millert 9: .Nm skeyinit
1.14 aaron 10: .Nd change password or add user to S/Key authentication system
1.1 deraadt 11: .Sh SYNOPSIS
12: .Nm skeyinit
1.23 millert 13: .Op Fl r
1.1 deraadt 14: .Op Fl s
1.21 millert 15: .Op Fl x
16: .Op Fl C
17: .Op Fl D
18: .Op Fl E
19: .Op Fl a Ar auth-type
1.9 millert 20: .Op Fl n Ar count
1.15 millert 21: .Oo
22: .Fl md4 | Fl md5 | Fl sha1 |
23: .Fl rmd160
24: .Oc
1.1 deraadt 25: .Op Ar user
26: .Sh DESCRIPTION
1.16 aaron 27: .Nm
1.29 ! jmc 28: initializes the system so you can use S/Key one-time passwords to log in.
1.27 otto 29: The program will ask you to enter a secret passphrase which is used by
30: .Xr skey 1
31: to generate one-time passwords;
1.17 aaron 32: enter a phrase of several words in response.
33: After the S/Key database
1.29 ! jmc 34: has been updated you can log in using either your regular password
1.7 millert 35: or using S/Key one-time passwords.
36: .Pp
1.16 aaron 37: .Nm
1.27 otto 38: requires you to type a secret passphrase, so it should be used
1.16 aaron 39: only on a secure terminal.
40: For example, on the console of a
41: workstation or over an encrypted network session.
42: If you are using
43: .Nm
1.7 millert 44: while logged in over an untrusted network, follow the instructions
45: given below with the
46: .Fl s
47: option.
48: .Pp
49: Before initializing an S/Key entry, the user must authenticate
1.16 aaron 50: using either a standard password or an S/Key challenge.
51: When used over an untrusted network, a password of
1.7 millert 52: .Sq s/key
1.16 aaron 53: should be used.
54: The user will then be presented with the standard
1.7 millert 55: S/Key challenge and allowed to proceed if it is correct.
1.18 aaron 56: .Pp
1.29 ! jmc 57: .Nm
1.28 otto 58: prints a sequence number and a one-time password.
59: This password cannot be used to log in; one-time passwords should be
60: generated using
61: .Xr skey 1
62: first.
63: The one-time password printed by
64: .Nm
65: can be used to verify if the right passphrase has been given to
66: .Xr skey 1 .
67: The one-time password with the corresponding sequence number printed by
68: .Xr skey 1
69: should match the one printed by
70: .Nm .
71: .Pp
1.18 aaron 72: The options are as follows:
1.19 aaron 73: .Bl -tag -width Ds
1.21 millert 74: .It Fl C
75: Converts from the old-style
76: .Pa /etc/skeykeys
77: database to a new-style database where user records are stored in the
78: .Pa /etc/skey
79: directory.
80: If an entry already exists in the new-style database it will not
81: be overwritten.
82: .It Fl D
83: Disables access to the S/Key database.
84: Only the superuser may use the
85: .Fl D
86: option.
87: .It Fl E
88: Enables access to the S/Key database.
89: Only the superuser may use the
90: .Fl E
91: option.
1.23 millert 92: .It Fl r
93: Removes the user's S/Key entry.
1.1 deraadt 94: .It Fl s
1.7 millert 95: Set secure mode where the user is expected to have used a secure
1.16 aaron 96: machine to generate the first one-time password.
97: Without the
1.7 millert 98: .Fl s
1.12 aaron 99: option the system will assume you are directly connected over secure
1.27 otto 100: communications and prompt you for your secret passphrase.
1.16 aaron 101: The
1.7 millert 102: .Fl s
103: option also allows one to set the seed and count for complete
1.16 aaron 104: control of the parameters.
105: You can use
106: .Ic skeyinit -s
1.7 millert 107: in combination with the
1.1 deraadt 108: .Nm skey
1.7 millert 109: command to set the seed and count if you do not like the defaults.
110: To do this run
1.16 aaron 111: .Nm
1.7 millert 112: in one window and put in your count and seed, then run
113: .Nm skey
1.13 aaron 114: in another window to generate the correct 6 English words for that
1.16 aaron 115: count and seed.
116: You can then
.Dq cut-and-paste
or type the words into the
117: .Nm
1.7 millert 118: window.
1.24 millert 119: When the
120: .Fl s
121: option is specified,
122: .Nm
123: will try to authenticate the user via S/Key, instead of the default listed in
124: .Pa /etc/login.conf .
125: If a user has no entry in the S/Key database, an alternate authentication
126: type must be specified via the
127: .Fl a
128: option.
129: Please note that entering a password or passphrase in plain text
130: defeats the purpose of using
131: .Dq secure
132: mode.
1.21 millert 133: .It Fl x
1.27 otto 134: Displays the one-time password in hexadecimal instead of ASCII.
1.21 millert 135: .It Fl a Ar auth-type
136: Specify an authentication type such as
1.24 millert 137: .Dq krb5
1.21 millert 138: or
1.24 millert 139: .Dq passwd .
1.9 millert 140: .It Fl n Ar count
141: Start the
142: .Nm skey
143: sequence at
144: .Ar count
145: (default is 100).
1.5 millert 146: .It Fl md4
147: Selects MD4 as the hash algorithm.
148: .It Fl md5
149: Selects MD5 as the hash algorithm.
150: .It Fl sha1
1.6 millert 151: Selects SHA (NIST Secure Hash Algorithm Revision 1) as the hash algorithm.
1.10 millert 152: .It Fl rmd160
153: Selects RMD-160 (160-bit RIPE Message Digest) as the hash algorithm.
1.1 deraadt 154: .It Ar user
1.17 aaron 155: The username to be changed/added.
156: By default the current user is operated on.
1.18 aaron 157: .El
1.26 jmc 158: .Sh FILES
159: .Bl -tag -width /etc/login.conf -compact
160: .It Pa /etc/login.conf
161: file containing authentication types
162: .It Pa /etc/skey
163: directory containing user entries for S/Key
164: .El
1.28 otto 165: .Sh EXAMPLES
166: .Bd -literal
1.29 ! jmc 167: $ skeyinit
! 168: Reminder - Only use this method if you are directly connected
! 169: or have an encrypted channel. If you are using telnet,
! 170: hit return now and use skeyinit -s.
! 171: Password: <enter your regular password here>
! 172: [Updating user with md5]
! 173: Old seed: [md5] host12377
! 174: Enter new secret passphrase: <type a new passphrase here>
! 175: Again secret passphrase: <again>
! 176: ID user skey is otp-md5 100 host12378
! 177: Next login password: CITE BREW IDLE CAIN ROD DOME
! 178: $ otp-md5 -n 3 100 host12378
! 179: Reminder - Do not use this program while logged in via telnet.
! 180: Enter secret passphrase: <type your passphrase here>
! 181: 98: WERE TUG EDDY GEAR GILL TEE
! 182: 99: NEAR HA TILT FIN LONG SNOW
! 183: 100: CITE BREW IDLE CAIN ROD DOME
1.28 otto 184: .Ed
185: .Pp
186: The one-time password for the next login will have sequence number 99.
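The hash chain the example above walks (sequence 100 stored by skeyinit, sequence 99 used at the next login), carried out in code as an added example that is not OpenBSD's skey code: OTP-MD5 per RFC 2289 in the hexadecimal form the -x option prints, plus the server-side check that one more hash application of the sequence 99 response reproduces the stored sequence 100 value. The passphrase and seed are the RFC 2289 test vector, not values from this page.

```python
"""S/Key (RFC 2289) OTP-MD5 in hex, with the server-side verification step.
Added example, not OpenBSD's skey/skeyinit code."""
import hashlib


def _fold_md5(data: bytes) -> bytes:
    """The RFC 2289 'f' step for MD5: hash, then XOR the two 8-byte halves."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """Initial step hashes lowercased seed + passphrase; f is then applied count times.
    Sequence 100 (what skeyinit stores) is therefore f applied to sequence 99."""
    key = _fold_md5(seed.lower().encode() + passphrase.encode())
    for _ in range(count):
        key = _fold_md5(key)
    return key


def to_hex(otp: bytes) -> str:
    """Render as four groups of four uppercase hex digits, the -x style."""
    h = otp.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def from_hex(text: str) -> bytes:
    """Parse the grouped hex form back into the 8-byte one-time password."""
    return bytes.fromhex(text.replace(" ", ""))


def verify_response(stored: bytes, response: bytes) -> bool:
    """Server side: the entry holds sequence n; a response for sequence n-1 is
    accepted only if f(response) equals the stored value. On success the server
    would store the response and decrement n, so a replay of n-1 fails."""
    return _fold_md5(response) == stored


def login_sequence(passphrase: str, seed: str, first: int, last: int) -> list:
    """What `otp-md5 -n N -x` prints: (sequence, hex) pairs for the range."""
    return [(n, to_hex(otp_md5(passphrase, seed, n))) for n in range(first, last + 1)]


if __name__ == "__main__":
    # RFC 2289 test vector (passphrase "This is a test.", seed "TeSt"); constructed demo.
    stored = otp_md5("This is a test.", "TeSt", 100)  # value skeyinit would store
    for n, h in login_sequence("This is a test.", "TeSt", 98, 100):
        print(f"{n}: {h}")
    print("login 99 accepted:", verify_response(stored, otp_md5("This is a test.", "TeSt", 99)))
```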
1.11 millert 187: .Sh ERRORS
1.20 millert 188: .Bl -tag -compact -width "skey disabled"
189: .It "skey disabled"
1.21 millert 190: .Pa /etc/skey
1.25 cloder 191: does not exist or is not accessible by the user.
1.21 millert 192: The superuser may enable
193: .Nm
194: via the
195: .Fl E
196: flag.
1.20 millert 197: .El
1.1 deraadt 198: .Sh SEE ALSO
1.22 millert 199: .Xr skey 1 ,
1.28 otto 200: .Xr skeyaudit 1 ,
201: .Xr skeyinfo 1 ,
1.29 ! jmc 202: .Xr skeyprune 8
1.1 deraadt 203: .Sh AUTHORS
1.21 millert 204: Phil Karn, Neil M. Haller, John S. Walden, Scott Chasin, Todd Miller