Annotation of src/usr.bin/skeyinit/skeyinit.1, Revision 1.38
.\" $OpenBSD: skeyinit.1,v 1.37 2014/03/20 20:39:13 naddy Exp $
.\" $NetBSD: skeyinit.1,v 1.4 1995/07/07 22:24:09 jtc Exp $
.\" @(#)skeyinit.1 1.1 10/28/93
.\"
.Dd $Mdocdate: March 20 2014 $
.Dt SKEYINIT 1
.Os
.Sh NAME
.Nm skeyinit
.Nd change password or add user to S/Key authentication system
.Sh SYNOPSIS
.Nm skeyinit
.Bk -words
.Op Fl CDErsx
.Op Fl a Ar auth-type
.Op Fl n Ar count
.Op Fl md5 | rmd160 | sha1
.Op Ar user
.Ek
.Sh DESCRIPTION
.Nm
initializes the system so you can use S/Key one-time passwords to log in.
The program will ask you to enter a secret passphrase which is used by
.Xr skey 1
to generate one-time passwords:
enter a phrase of several words in response.
After the S/Key database
has been updated you can log in using either your regular password
or using S/Key one-time passwords.
.Pp
.Nm
requires you to type a secret passphrase, so it should be used
only on a secure terminal.
For example, on the console of a
workstation or over an encrypted network session.
If you are using
.Nm
while logged in over an untrusted network, follow the instructions
given below with the
.Fl s
option.
.Pp
Before initializing an S/Key entry, the user must authenticate
using either a standard password or an S/Key challenge.
To use a one-time password for initial authentication,
.Ic skeyinit -a skey
can be used.
The user will then be presented with the standard
S/Key challenge and allowed to proceed if it is correct.
.Pp
.Nm
prints a sequence number and a one-time password.
This password can't be used to log in; one-time passwords should be
generated using
.Xr skey 1
first.
The one-time password printed by
.Nm
can be used to verify if the right passphrase has been given to
.Xr skey 1 .
The one-time password with the corresponding sequence number printed by
.Xr skey 1
should match the one printed by
.Nm .
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl a Ar auth-type
Before an S/Key entry can be initialised,
the user must authenticate themselves to the system.
This option allows the authentication type to be specified, such as
.Dq passwd
or
.Dq skey .
.It Fl C
Converts from the old-style
.Pa /etc/skeykeys
database to a new-style database where user records are stored in the
.Pa /etc/skey
directory.
If an entry already exists in the new-style database it will not
be overwritten.
.It Fl D
Disables access to the S/Key database.
Only the superuser may use the
.Fl D
option.
.It Fl E
Enables access to the S/Key database.
Only the superuser may use the
.Fl E
option.
.It Fl md5 | rmd160 | sha1
Selects the hash algorithm:
MD5, RMD-160 (160-bit Ripe Message Digest),
or SHA1 (NIST Secure Hash Algorithm Revision 1).
.It Fl n Ar count
Start the
.Nm skey
sequence at
.Ar count
(default is 100).
.It Fl r
Removes the user's S/Key entry.
.It Fl s
Secure mode.
The user is expected to have already used a secure
machine to generate the first one-time password.
Without the
.Fl s
option the system will assume you are directly connected over secure
communications and prompt you for your secret passphrase.
The
.Fl s
option also allows one to set the seed and count for complete
control of the parameters.
.Pp
When the
.Fl s
option is specified,
.Nm
will try to authenticate the user via S/Key, instead of the default listed in
.Pa /etc/login.conf .
If a user has no entry in the S/Key database, an alternate authentication
type must be specified via the
.Fl a
option
(see above).
Please note that entering a password or passphrase in plain text
defeats the purpose of using
.Dq secure
mode.
.Pp
You can use
.Ic skeyinit -s
in combination with the
.Nm skey
command to set the seed and count if you do not like the defaults.
To do this run
.Ic skeyinit -s
in one window and put in your count and seed, then run
.Xr skey 1
in another window to generate the correct 6 English words for that
count and seed.
You can then "cut-and-paste" or type the words into the
.Nm
window.
.It Fl x
Displays one-time passwords in hexadecimal instead of ASCII.
.It Ar user
The username to be changed/added.
By default the current user is operated on.
.El
.Sh FILES
.Bl -tag -width /etc/login.conf -compact
.It Pa /etc/login.conf
file containing authentication types
.It Pa /etc/skey
directory containing user entries for S/Key
.El
.Sh EXAMPLES
.Bd -literal
$ skeyinit
Reminder - Only use this method if you are directly connected
or have an encrypted channel. If you are using telnet,
hit return now and use skeyinit -s.
Password: \*(Ltenter your regular password here\*(Gt
[Updating user with md5]
Old seed: [md5] host12377
Enter new secret passphrase: \*(Lttype a new passphrase here\*(Gt
Again secret passphrase: \*(Ltagain\*(Gt
ID user skey is otp-md5 100 host12378
Next login password: CITE BREW IDLE CAIN ROD DOME
$ otp-md5 -n 3 100 host12378
Reminder - Do not use this program while logged in via telnet.
Enter secret passphrase: \*(Lttype your passphrase here\*(Gt
98: WERE TUG EDDY GEAR GILL TEE
99: NEAR HA TILT FIN LONG SNOW
100: CITE BREW IDLE CAIN ROD DOME
.Ed
.Pp
The one-time password for the next login will have sequence number 99.
.Sh DIAGNOSTICS
.Bl -tag -compact -width "skey disabled"
.It "skey disabled"
.Pa /etc/skey
does not exist or is not accessible by the user.
The superuser may enable
.Nm
via the
.Fl E
flag.
.El
.Sh SEE ALSO
.Xr skey 1 ,
.Xr skeyaudit 1 ,
.Xr skeyinfo 1 ,
.Xr skey 5 ,
.Xr skeyprune 8
.Sh AUTHORS
Phil Karn, Neil M. Haller, John S. Walden, Scott Chasin, Todd Miller