Annotation of src/usr.bin/skeyinit/skeyinit.1, Revision 1.42
.\" $OpenBSD: skeyinit.1,v 1.41 2015/10/09 21:59:34 tim Exp $
.\" $NetBSD: skeyinit.1,v 1.4 1995/07/07 22:24:09 jtc Exp $
.\" @(#)skeyinit.1 1.1 10/28/93
.\"
.Dd $Mdocdate: October 9 2015 $
.Dt SKEYINIT 1
.Os
.Sh NAME
.Nm skeyinit
.Nd change password or add user to S/Key authentication system
.Sh SYNOPSIS
.Nm skeyinit
.Bk -words
.Op Fl DErsx
.Op Fl a Ar auth-type
.Op Fl n Ar count
.Op Fl md5 | rmd160 | sha1
.Op Ar user
.Ek
.Sh DESCRIPTION
.Nm
initializes the system so you can use S/Key one-time passwords to log in.
The program will ask you to enter a secret passphrase which is used by
.Xr skey 1
to generate one-time passwords:
enter a phrase of several words in response.
After the S/Key database
has been updated you can log in using either your regular password
or using S/Key one-time passwords.
.Pp
.Nm
requires you to type a secret passphrase, so it should be used
only on a secure terminal.
For example, on the console of a
workstation or over an encrypted network session.
If you are using
.Nm
while logged in over an untrusted network, follow the instructions
given below with the
.Fl s
option.
.Pp
Before initializing an S/Key entry, the user must authenticate
using either a standard password or an S/Key challenge.
To use a one-time password for initial authentication,
.Ic skeyinit -a skey
can be used.
The user will then be presented with the standard
S/Key challenge and allowed to proceed if it is correct.
.Pp
.Nm
prints a sequence number and a one-time password.
This password can't be used to log in; one-time passwords should be
generated using
.Xr skey 1
first.
The one-time password printed by
.Nm
can be used to verify whether the right passphrase has been given to
.Xr skey 1 .
The one-time password with the corresponding sequence number printed by
.Xr skey 1
should match the one printed by
.Nm .
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl a Ar auth-type
Before an S/Key entry can be initialized,
the user must authenticate themselves to the system.
This option allows the authentication type to be specified, such as
.Dq passwd
or
.Dq skey .
.It Fl D
Disables access to the S/Key database.
Only the superuser may use the
.Fl D
option.
.It Fl E
Enables access to the S/Key database.
Only the superuser may use the
.Fl E
option.
.It Fl md5 | rmd160 | sha1
Selects the hash algorithm:
MD5, RMD-160 (160-bit Ripe Message Digest),
or SHA1 (NIST Secure Hash Algorithm Revision 1).
.It Fl n Ar count
Start the
.Nm skey
sequence at
.Ar count
(default is 100).
.It Fl r
Removes the user's S/Key entry.
.It Fl s
Secure mode.
The user is expected to have already used a secure
machine to generate the first one-time password.
Without the
.Fl s
option the system will assume you are directly connected over secure
communications and prompt you for your secret passphrase.
The
.Fl s
option also allows one to set the seed and count for complete
control of the parameters.
.Pp
When the
.Fl s
option is specified,
.Nm
will try to authenticate the user via S/Key, instead of the default listed in
.Pa /etc/login.conf .
If a user has no entry in the S/Key database, an alternate authentication
type must be specified via the
.Fl a
option
(see above).
Entering a password or passphrase in plain text
defeats the purpose of using
.Dq secure
mode.
.Pp
You can use
.Ic skeyinit -s
in combination with the
.Nm skey
command to set the seed and count if you do not like the defaults.
To do this run
.Ic skeyinit -s
in one window and put in your count and seed, then run
.Xr skey 1
in another window to generate the correct 6 English words for that
count and seed.
You can then "cut-and-paste" or type the words into the
.Nm
window.
.It Fl x
Displays one-time passwords in hexadecimal instead of ASCII.
.It Ar user
The username to be changed/added.
By default the current user is operated on.
.El
.Sh FILES
.Bl -tag -width /etc/login.conf -compact
.It Pa /etc/login.conf
file containing authentication types
.It Pa /etc/skey
directory containing user entries for S/Key
.El
.Sh EXAMPLES
.Bd -literal
$ skeyinit
Password: \*(Ltenter your regular password here\*(Gt
[Updating user with md5]
Old seed: [md5] host12377
Enter new secret passphrase: \*(Lttype a new passphrase here\*(Gt
Again secret passphrase: \*(Ltagain\*(Gt
ID user skey is otp-md5 100 host12378
Next login password: CITE BREW IDLE CAIN ROD DOME
$ otp-md5 -n 3 100 host12378
Enter secret passphrase: \*(Lttype your passphrase here\*(Gt
98: WERE TUG EDDY GEAR GILL TEE
99: NEAR HA TILT FIN LONG SNOW
100: CITE BREW IDLE CAIN ROD DOME
.Ed
.Pp
The one-time password for the next login will have sequence number 99.
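The matching rule in the DESCRIPTION (the password skeyinit prints for count 100 is the same one skey(1) prints for sequence number 100) and the EXAMPLES flow above both follow from one hash chain. The Python below, added here and not part of the skeyinit(1) manual or of OpenBSD's skey sources, computes the RFC 2289 MD5 variant of that chain, reproduces the `otp-md5 -n 3 100 host12378` listing in the hex form that the -x option prints, and models the server-side check that login performs against the stored entry. It assumes the RFC 2289 scheme: the seed is lowercased and prepended to the passphrase, every step folds the 16-byte MD5 digest to 8 bytes by XOR-ing its two halves, and the hex form shows those 8 bytes in order. The passphrase, the `SkeyRecord` class and the `walk_through` function are constructed for the example; the six-English-word encoding needs the RFC's 2048-word dictionary and is omitted.

```python
"""S/Key one-time password arithmetic (RFC 2289, MD5 variant) and the
server-side check behind the skeyinit / skey exchange.

Added example, not the skeyinit(1) text nor OpenBSD's skey code.  Assumes the
RFC 2289 MD5 scheme: lowercased seed prepended to the passphrase, each step
folding the MD5 digest to 64 bits by XOR-ing its halves, hex printed in byte
order.  The six-word output needs the RFC's 2048-word list and is left out.
"""
import hashlib


def fold_md5(data: bytes) -> bytes:
    """One hash step: MD5 the input, fold 128 bits to 64 by XOR-ing the halves."""
    d = hashlib.md5(data).digest()
    return bytes(d[i] ^ d[i + 8] for i in range(8))


def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """Password for sequence number `count`: initial step, then `count` hash steps."""
    value = fold_md5(seed.lower().encode() + passphrase.encode())
    for _ in range(count):
        value = fold_md5(value)
    return value


def to_hex(otp: bytes) -> str:
    """Render a password the way the -x option does: four groups of four hex digits."""
    h = otp.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def otp_list(passphrase: str, seed: str, count: int, n: int) -> list:
    """Like `otp-md5 -n n count seed`: the n passwords ending at sequence `count`."""
    return [(c, to_hex(otp_md5(passphrase, seed, c)))
            for c in range(count - n + 1, count + 1)]


class SkeyRecord:
    """Model of what skeyinit stores for a user: the starting sequence number and
    the password for that number.  Constructed model; the real /etc/skey entry
    also carries the algorithm name, the seed and a timestamp (see skey(5))."""

    def __init__(self, passphrase: str, seed: str, count: int = 100) -> None:
        self.seed = seed
        self.seq = count
        self.stored = otp_md5(passphrase, seed, count)   # the "Next login password"

    def challenge(self) -> str:
        """The challenge login shows next: one below the stored sequence number."""
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, candidate: bytes) -> bool:
        """Accept `candidate` iff one more hash step turns it into the stored value.

        On success the candidate replaces the stored value and the sequence
        number drops by one, so a captured password cannot be replayed and the
        server never holds the passphrase or any password that is still unused.
        """
        if self.seq <= 0:                       # chain exhausted; rerun skeyinit
            return False
        if fold_md5(candidate) != self.stored:
            return False
        self.stored = candidate
        self.seq -= 1
        return True


def walk_through() -> dict:
    """Replay the EXAMPLES flow with a constructed passphrase and seed."""
    passphrase, seed = "correct horse battery staple", "host12378"   # constructed
    rec = SkeyRecord(passphrase, seed, 100)         # $ skeyinit  (count 100)
    listing = otp_list(passphrase, seed, 100, 3)    # $ otp-md5 -n 3 100 host12378
    return {
        "next_login_password": to_hex(rec.stored),  # equals the "100:" listing line
        "listing": listing,
        "challenge": rec.challenge(),               # "otp-md5 99 host12378"
        "login_99": rec.verify(otp_md5(passphrase, seed, 99)),          # accepted
        "replay_99": rec.verify(otp_md5(passphrase, seed, 99)),         # rejected
        "login_98": rec.verify(otp_md5(passphrase, seed, 98)),          # accepted
        "login_100_again": rec.verify(otp_md5(passphrase, seed, 100)),  # rejected
        "seq_after": rec.seq,
    }


if __name__ == "__main__":
    for key, val in walk_through().items():
        print(f"{key}: {val}")
```

The record created at count 100 holds only the password for sequence 100, which is why the next login is challenged for 99: the server hashes the answer once and compares it with what it stored, then keeps the answer as the new reference. Going the other way, from the stored value to the password for 99 or 98, would require inverting the hash, so an attacker who reads /etc/skey or captures one login still learns nothing usable for the next one.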
.Sh DIAGNOSTICS
.Bl -tag -compact -width "skey disabled"
.It "skey disabled"
.Pa /etc/skey
does not exist or is not accessible by the user.
The superuser may enable
.Nm
via the
.Fl E
flag.
.El
.Sh SEE ALSO
.Xr skey 1 ,
.Xr skeyaudit 1 ,
.Xr skeyinfo 1 ,
.Xr skey 5 ,
.Xr skeyprune 8
.Sh AUTHORS
.An Phil Karn
.An Neil M. Haller
.An John S. Walden
.An Scott Chasin
.An Todd Miller