Annotation of src/usr.bin/skeyinit/skeyinit.1, Revision 1.32
.\" $OpenBSD: skeyinit.1,v 1.31 2005/07/06 22:15:11 jmc Exp $
.\" $NetBSD: skeyinit.1,v 1.4 1995/07/07 22:24:09 jtc Exp $
.\" @(#)skeyinit.1 1.1 10/28/93
.\"
.Dd February 24, 1998
.Dt SKEYINIT 1
.Os
.Sh NAME
.Nm skeyinit
.Nd change password or add user to S/Key authentication system
.Sh SYNOPSIS
.Nm skeyinit
.Bk -words
.Op Fl CDErsx
.Op Fl a Ar auth-type
.Op Fl n Ar count
.Oo
.Fl md4 | Fl md5 | rmd160 | sha1
.Oc
.Op Ar user
.Ek
.Sh DESCRIPTION
.Nm
initializes the system so you can use S/Key one-time passwords to log in.
The program will ask you to enter a secret passphrase which is used by
.Xr skey 1
to generate one-time passwords;
enter a phrase of several words in response.
After the S/Key database
has been updated you can log in using either your regular password
or using S/Key one-time passwords.
.Pp
.Nm
requires you to type a secret passphrase, so it should be used
only on a secure terminal.
For example, on the console of a
workstation or over an encrypted network session.
If you are using
.Nm
while logged in over an untrusted network, follow the instructions
given below with the
.Fl s
option.
.Pp
Before initializing an S/Key entry, the user must authenticate
using either a standard password or an S/Key challenge.
To use a one-time password for initial authentication, the
.Dq Fl a Li skey
option can be used.
The user will then be presented with the standard
S/Key challenge and allowed to proceed if it is correct.
.Pp
.Nm
prints a sequence number and a one-time password.
This password can't be used to log in; one-time passwords should be
generated using
.Xr skey 1
first.
The one-time password printed by
.Nm
can be used to verify if the right passphrase has been given to
.Xr skey 1 .
The one-time password with the corresponding sequence number printed by
.Xr skey 1
should match the one printed by
.Nm .
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl a Ar auth-type
Specify an authentication type such as
.Dq krb5 ,
.Dq passwd ,
or
.Dq skey .
.It Fl C
Converts from the old-style
.Pa /etc/skeykeys
database to a new-style database where user records are stored in the
.Pa /etc/skey
directory.
If an entry already exists in the new-style database it will not
be overwritten.
.It Fl D
Disables access to the S/Key database.
Only the superuser may use the
.Fl D
option.
.It Fl E
Enables access to the S/Key database.
Only the superuser may use the
.Fl E
option.
.It Fl md4 | md5 | rmd160 | sha1
Selects the hash algorithm:
MD4, MD5, RMD-160 (160-bit Ripe Message Digest),
or SHA1 (NIST Secure Hash Algorithm Revision 1).
.It Fl n Ar count
Start the
.Nm skey
sequence at
.Ar count
(default is 100).
.It Fl r
Removes the user's S/Key entry.
.It Fl s
Set secure mode where the user is expected to have used a secure
machine to generate the first one-time password.
Without the
.Fl s
option the system will assume you are directly connected over secure
communications and prompt you for your secret passphrase.
The
.Fl s
option also allows one to set the seed and count for complete
control of the parameters.
You can use
.Ic skeyinit -s
in combination with the
.Nm skey
command to set the seed and count if you do not like the defaults.
To do this run
.Nm
in one window and put in your count and seed, then run
.Nm skey
in another window to generate the correct 6 English words for that
count and seed.
You can then "cut-and-paste" or type the words into the
.Nm
window.
When the
.Fl s
option is specified,
.Nm
will try to authenticate the user via S/Key, instead of the default listed in
.Pa /etc/login.conf .
If a user has no entry in the S/Key database, an alternate authentication
type must be specified via the
.Fl a
option.
Please note that entering a password or passphrase in plain text
defeats the purpose of using
.Dq secure
mode.
.It Fl x
Displays one-time passwords in hexadecimal instead of ASCII.
.It Ar user
The username to be changed/added.
By default the current user is operated on.
.El
.Sh FILES
.Bl -tag -width /etc/login.conf -compact
.It Pa /etc/login.conf
file containing authentication types
.It Pa /etc/skey
directory containing user entries for S/Key
.El
.Sh EXAMPLES
.Bd -literal
$ skeyinit
Reminder - Only use this method if you are directly connected
or have an encrypted channel. If you are using telnet,
hit return now and use skeyinit -s.
Password: \*(Ltenter your regular password here\*(Gt
[Updating user with md5]
Old seed: [md5] host12377
Enter new secret passphrase: \*(Lttype a new passphrase here\*(Gt
Again secret passphrase: \*(Ltagain\*(Gt
ID user skey is otp-md5 100 host12378
Next login password: CITE BREW IDLE CAIN ROD DOME
$ otp-md5 -n 3 100 host12378
Reminder - Do not use this program while logged in via telnet.
Enter secret passphrase: \*(Lttype your passphrase here\*(Gt
98: WERE TUG EDDY GEAR GILL TEE
99: NEAR HA TILT FIN LONG SNOW
100: CITE BREW IDLE CAIN ROD DOME
.Ed
.Pp
The one-time password for the next login will have sequence number 99.
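The DESCRIPTION's advice to compare the one-time password skeyinit prints with the one skey prints for the same sequence number, and the EXAMPLES session above, both rest on the S/Key hash chain (RFC 2289): skeyinit stores only the password for sequence number 100, the client later presents the password for 99, and the server accepts it if one more hash step turns it into the stored value. The Python model below is an added example written for this page; it is not part of the manual or of the OpenBSD skey code. It implements only otp-md5 with the hexadecimal display that the -x option selects (the six-English-word form needs the 2048-word dictionary, which is not reproduced here). The seed host12378 and the counts 98, 99 and 100 come from the transcript above; the passphrase, the in-memory user record and the function names are constructed for the example and do not model the /etc/skey file layout.

```python
import hashlib

# Added example: a minimal model of the otp-md5 hash chain (RFC 2289) that
# skeyinit and skey share.  MD5 with hexadecimal display only; the
# six-English-word encoding needs the 2048-word dictionary and is omitted.


def skey_step(data: bytes) -> bytes:
    """One hash step: MD5, then fold 128 bits to 64 by XORing the first
    eight bytes with the last eight (word0^word2, word1^word3)."""
    d = hashlib.md5(data).digest()
    return bytes(d[i] ^ d[i + 8] for i in range(8))


def keycrunch(seed: str, passphrase: str) -> bytes:
    """Sequence number 0: hash the seed followed by the passphrase.
    The seed is case-insensitive by definition, so it is lower-cased first."""
    return skey_step((seed.lower() + passphrase).encode("ascii"))


def otp(seed: str, passphrase: str, count: int) -> bytes:
    """One-time password for sequence number `count`: `count` further steps
    after keycrunch.  This is what `otp-md5 -n 3 100 host12378` computes
    for 98, 99 and 100."""
    key = keycrunch(seed, passphrase)
    for _ in range(count):
        key = skey_step(key)
    return key


def to_hex(key: bytes) -> str:
    """Hexadecimal display, the form that skeyinit -x and skey -x print."""
    h = key.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def skeyinit(seed: str, passphrase: str, count: int = 100) -> dict:
    """What skeyinit records for a user: hash type, sequence number, seed and
    the one-time password for that sequence number.  The passphrase itself is
    never stored.  Constructed in-memory record, not the /etc/skey layout."""
    return {"hash": "otp-md5", "seq": count, "seed": seed,
            "val": otp(seed, passphrase, count)}


def verify_login(record: dict, candidate: bytes) -> bool:
    """Server-side check at login: the password for seq-1, hashed once more,
    must equal the stored value for seq.  On success the record advances, so
    the same password cannot be replayed."""
    if skey_step(candidate) != record["val"]:
        return False
    record["seq"] -= 1
    record["val"] = candidate
    return True


def walkthrough(seed: str = "host12378",
                passphrase: str = "constructed example phrase") -> int:
    """Replay the EXAMPLES session: initialise at 100, have the client compute
    98..100, confirm that 100 matches what skeyinit printed, then log in
    with 99.  Returns the sequence number the next login will use."""
    rec = skeyinit(seed, passphrase, 100)
    print(f"ID user skey is {rec['hash']} {rec['seq']} {rec['seed']}")
    print("Next login password:", to_hex(rec["val"]))
    client = {n: otp(seed, passphrase, n) for n in (98, 99, 100)}
    for n in sorted(client):
        print(f"{n}: {to_hex(client[n])}")
    # The verification step the manual describes: 100 from skey must match
    # the value skeyinit printed, or the wrong passphrase was typed somewhere.
    if client[100] != rec["val"]:
        raise ValueError("passphrase given to skey differs from skeyinit's")
    if not verify_login(rec, client[99]):      # first real login uses 99
        raise ValueError("login with sequence 99 rejected")
    if verify_login(rec, client[99]):          # replaying 99 must fail
        raise ValueError("replay accepted")
    return rec["seq"] - 1


if __name__ == "__main__":
    print("Next login sequence number:", walkthrough())
```

The hex values for the RFC 2289 MD5 test vector (passphrase "This is a test.", seed "TeSt") can be reproduced with `to_hex(otp("TeSt", "This is a test.", 0))`, which is a quick way to confirm that a reimplementation folds the digest and lower-cases the seed the same way the reference code does.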
.Sh ERRORS
.Bl -tag -compact -width "skey disabled"
.It "skey disabled"
.Pa /etc/skey
does not exist or is not accessible by the user.
The superuser may enable
.Nm
via the
.Fl E
flag.
.El
.Sh SEE ALSO
.Xr skey 1 ,
.Xr skeyaudit 1 ,
.Xr skeyinfo 1 ,
.Xr skey 5 ,
.Xr skeyprune 8
.Sh AUTHORS
Phil Karn, Neil M. Haller, John S. Walden, Scott Chasin, Todd Miller