authorTodd C. Miller <millert@cvs.openbsd.org>2002-11-16 23:05:37 +0000
committerTodd C. Miller <millert@cvs.openbsd.org>2002-11-16 23:05:37 +0000
commit441028630aebab335f315bef59d0d4dd0ff31b4e (patch)
tree5be74bc66dd3478855deb9448583eb281b94e58c /usr.bin/skeyinit
parentdeaeb4e8b9905d3165830d0087437b0511cd02e4 (diff)
Give a sensible error message when a user who has no entry in /etc/skey
specifies the -s flag. Also improve the error message when S/Key is disabled.
Diffstat (limited to 'usr.bin/skeyinit')
-rw-r--r--usr.bin/skeyinit/skeyinit.125
-rw-r--r--usr.bin/skeyinit/skeyinit.c35
2 files changed, 50 insertions, 10 deletions
diff --git a/usr.bin/skeyinit/skeyinit.1 b/usr.bin/skeyinit/skeyinit.1
index 5a9a6458604..14bcc50aeac 100644
--- a/usr.bin/skeyinit/skeyinit.1
+++ b/usr.bin/skeyinit/skeyinit.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: skeyinit.1,v 1.23 2002/05/17 15:54:12 millert Exp $
+.\" $OpenBSD: skeyinit.1,v 1.24 2002/11/16 23:05:36 millert Exp $
.\" $NetBSD: skeyinit.1,v 1.4 1995/07/07 22:24:09 jtc Exp $
.\" @(#)skeyinit.1 1.1 10/28/93
.\"
@@ -99,13 +99,28 @@ count and seed.
You can then "cut-and-paste" or type the words into the
.Nm
window.
+When the
+.Fl s
+option is specified,
+.Nm
+will try to authenticate the user via S/Key, instead of the default listed in
+.Pa /etc/login.conf .
+If a user has no entry in the S/Key database, an alternate authentication
+type must be specified via the
+.Fl a
+option.
+Please note that entering a password or passphrase in plain text
+defeats the purpose of using
+.Dq secure
+mode.
.It Fl x
Displays pass phrase in hexadecimal instead of ASCII.
.It Fl a Ar auth-type
Specify an authentication type such as
-.Dq krb4
+.Dq krb4 ,
+.Dq krb5
or
-.Dq krb5 .
+.Dq passwd .
.It Fl n Ar count
Start the
.Nm skey
@@ -136,7 +151,9 @@ via the
flag.
.El
.Sh FILES
-.Bl -tag -width /etc/skey
+.Bl -tag -width /etc/login.conf -compact
+.It Pa /etc/login.conf
+file containing authentication types
.It Pa /etc/skey
directory containing user entries for S/Key
.El
diff --git a/usr.bin/skeyinit/skeyinit.c b/usr.bin/skeyinit/skeyinit.c
index a85728a349d..d45401a742e 100644
--- a/usr.bin/skeyinit/skeyinit.c
+++ b/usr.bin/skeyinit/skeyinit.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: skeyinit.c,v 1.40 2002/06/23 03:07:22 deraadt Exp $ */
+/* $OpenBSD: skeyinit.c,v 1.41 2002/11/16 23:05:36 millert Exp $ */
/* OpenBSD S/Key (skeyinit.c)
*
@@ -93,7 +93,8 @@ main(int argc, char **argv)
case 'a':
if (argv[++i] == NULL || argv[i][0] == '\0')
usage();
- auth_type = argv[i];
+ if (auth_type == NULL)
+ auth_type = argv[i];
break;
case 's':
defaultsetup = 0;
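Review bot: With the added `if (auth_type == NULL)` guard, any `-a` after the first is silently ignored, and the reason is not visible in the hunk; if this is meant to let an earlier option (or another part of the option loop outside this hunk) take precedence, a one-line comment such as `/* keep the first auth type seen; later -a options are ignored */` would make that intent explicit for the next reader. If repeated `-a` is instead meant to be an error, this is the place to call `usage()`. The option loop and main() continue outside the hunk.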
@@ -167,6 +168,31 @@ main(int argc, char **argv)
}
}
+ switch (skey_haskey(pp->pw_name)) {
+ case -1:
+ if (errno == ENOENT || errno == EPERM)
+ errx(1, "S/Key disabled");
+ else
+ err(1, "cannot open database");
+ break;
+ case 0:
+ /* existing user */
+ break;
+ case 1:
+ if (!defaultsetup) {
+ fprintf(stderr,
+"You must authenticate yourself before using S/Key for the first time. In
+secure mode this is normally done via an existing S/Key key. However, since
+you do not have an entry in the S/Key database you will have to specify an
+alternate authentication type via the `-a' flag, e.g.
+ \"skeyinit -s -a krb5\" or \"skeyinit -s -a passwd\"\n
+Note that entering a plaintext password over a non-secure link defeats the
+purpose of using S/Key in the fist place.\n");
+ exit(1);
+ }
+ break;
+ }
+
if (defaultsetup)
fputs("Reminder - Only use this method if you are directly "
"connected\n or have an encrypted channel. If "
@@ -188,10 +214,7 @@ main(int argc, char **argv)
rval = skeylookup(&skey, pp->pw_name);
switch (rval) {
case -1:
- if (errno == ENOENT)
- errx(1, "S/Key disabled");
- else
- err(1, "cannot open database");
+ err(1, "cannot open database");
break;
case 0:
/* remove user if asked to do so */