-rw-r--r-- | usr.bin/skey/skey.1 | 28 | ||||
-rw-r--r-- | usr.bin/skey/skey.c | 10 | ||||
-rw-r--r-- | usr.bin/skeyinit/skeyinit.1 | 13 | ||||
-rw-r--r-- | usr.bin/skeyinit/skeyinit.c | 4 |
4 files changed, 33 insertions, 22 deletions
diff --git a/usr.bin/skey/skey.1 b/usr.bin/skey/skey.1
index 74a9a2dea76..494b72a5536 100644
--- a/usr.bin/skey/skey.1
+++ b/usr.bin/skey/skey.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: skey.1,v 1.23 2003/08/08 10:13:33 jmc Exp $
+.\" $OpenBSD: skey.1,v 1.24 2004/06/04 18:18:20 otto Exp $
 .\" @(#)skey.1 1.1 10/28/93
 .\"
 .Dd October 28, 1993
@@ -15,7 +15,7 @@
 .Fl rmd160
 .Oc
 .Op Fl n Ar count
-.Op Fl p Ar passwd
+.Op Fl p Ar passphrase
 <sequence#>[/] key
 .Sh DESCRIPTION
 .Nm S/Key
@@ -29,6 +29,16 @@ This implementation of
 .Nm S/Key
 is RFC 2289 compliant.
 .Pp
+Before using
+.Nm skey
+the system needs to be initialized using
+.Xr skeyinit 1 ;
+this will establish a secret passphrase.
+After that, one-time passwords can be generated using
+.Nm skey ,
+which will prompt for the secret passphrase.
+After a one-time password has been used to log in, it can no longer be used.
+.Pp
 When
 .Nm skey
 is invoked as
@@ -40,9 +50,9 @@ as the hash function where
 .Ar method
 is currently one of md4, md5, sha1, or rmd160.
 .Pp
-If you misspell your password while running
+If you misspell your secret passphrase while running
 .Nm skey ,
-you will get a list of passwords
+you will get a list of one-time passwords
 that will not work, and no indication of the problem.
 .Pp
 Password sequence numbers count backwards.
@@ -57,12 +67,12 @@ Prints out
 .Ar count
 one-time passwords.
 The default is to print one.
-.It Fl p Ar password
+.It Fl p Ar passphrase
 Uses
-.Ar password
-as the secret password.
+.Ar passphrase
+as the secret passphrase.
 Use of this option is discouraged as
-your secret password could be visible in a process listing.
+your secret passphrase could be visible in a process listing.
 .It Fl x
 Causes output to be in hexadecimal instead of ASCII.
 .It Fl md4
@@ -78,7 +88,7 @@ Selects RMD-160 (160 bit Ripe Message Digest) as the hash algorithm.
 .sp 0
 % skey 99 th91334
 .sp 0
- Enter secret password: <your secret password is entered here>
+ Enter secret passphrase: <your secret passphrase is entered here>
 .sp 0
 OMEN US HORN OMIT BACK AHOY
 .sp 0
diff --git a/usr.bin/skey/skey.c b/usr.bin/skey/skey.c
index 677e60b9ef7..e5b0b36cbc5 100644
--- a/usr.bin/skey/skey.c
+++ b/usr.bin/skey/skey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: skey.c,v 1.19 2003/06/10 18:24:40 deraadt Exp $ */
+/* $OpenBSD: skey.c,v 1.20 2004/06/04 18:18:20 otto Exp $ */
 /*
 * OpenBSD S/Key (skey.c)
 *
@@ -114,17 +114,17 @@ main(int argc, char *argv[])
 seed = argv[++i];
 }

-/* Get user's secret password */
+/* Get user's secret passphrase */
 if (!pass) {
 fputs("Reminder - Do not use this program while"
 " logged in via telnet.\n", stderr);
-(void)fputs("Enter secret password: ", stderr);
+(void)fputs("Enter secret passphrase: ", stderr);
 readpass(passwd, sizeof(passwd));
 if (passwd[0] == '\0')
 exit(1);
 }

-/* Crunch seed and password into starting key */
+/* Crunch seed and passphrase into starting key */
 if (keycrunch(key, seed, passwd) != 0)
 errx(1, "key crunch failed");

@@ -151,6 +151,6 @@ usage(char *s)
 {
 fprintf(stderr, "Usage: %s [-x] [-md4|-md5|-sha1|-rmd160] [-n count] "
-"[-p password] <sequence#>[/] key\n", s);
+"[-p passphrase] <sequence#>[/] key\n", s);
 exit(1);
 }

diff --git a/usr.bin/skeyinit/skeyinit.1 b/usr.bin/skeyinit/skeyinit.1
index 6ebe845f013..4195428ed0d 100644
--- a/usr.bin/skeyinit/skeyinit.1
+++ b/usr.bin/skeyinit/skeyinit.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: skeyinit.1,v 1.26 2003/06/10 09:12:11 jmc Exp $
+.\" $OpenBSD: skeyinit.1,v 1.27 2004/06/04 18:18:20 otto Exp $
 .\" $NetBSD: skeyinit.1,v 1.4 1995/07/07 22:24:09 jtc Exp $
 .\" @(#)skeyinit.1 1.1 10/28/93
 .\"
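Review bot: The plaintext passphrase that readpass() stores in `passwd` is consumed by keycrunch() at the end of the main() hunk of skey.c, but nothing in the visible lines clears that buffer afterwards; main() continues outside the hunk, so if it is not wiped further down, add `explicit_bzero(passwd, sizeof(passwd));` (or the platform's non-optimizable equivalent) immediately after the keycrunch() call so the secret does not stay in memory for the rest of the run. This is pre-existing context rather than something the wording change introduces, but the commit touches exactly these lines and is the natural place to close it. The comment on the crunch step could also say what is done with the buffer, e.g. `/* Crunch seed and passphrase into starting key; passwd is no longer needed after this */`.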
@@ -26,14 +26,16 @@
 .Sh DESCRIPTION
 .Nm
 initializes the system so you can use S/Key one-time passwords to login.
-The program will ask you to enter a secret pass phrase;
+The program will ask you to enter a secret passphrase which is used by
+.Xr skey 1
+to generate one-time passwords;
 enter a phrase of several words in response.
 After the S/Key database has been updated you can login using either your regular password or using S/Key one-time passwords.
 .Pp
 .Nm
-requires you to type a secret password, so it should be used
+requires you to type a secret passphrase, so it should be used
 only on a secure terminal.
 For example, on the console of a workstation or over an encrypted network session.
@@ -80,7 +82,7 @@ machine to generate the first one-time password.
 Without the
 .Fl s
 option the system will assume you are directly connected over secure
-communications and prompt you for your secret password.
+communications and prompt you for your secret passphrase.
 The
 .Fl s
 option also allows one to set the seed and count for complete
@@ -114,10 +116,9 @@ defeats the purpose of using
 .Dq secure
 mode.
 .It Fl x
-Displays pass phrase in hexadecimal instead of ASCII.
+Displays one-time password in hexadecimal instead of ASCII.
 .It Fl a Ar auth-type
 Specify an authentication type such as
-.Dq krb4 ,
 .Dq krb5
 or
 .Dq passwd .
diff --git a/usr.bin/skeyinit/skeyinit.c b/usr.bin/skeyinit/skeyinit.c
index a72d24ec983..f86687cfa19 100644
--- a/usr.bin/skeyinit/skeyinit.c
+++ b/usr.bin/skeyinit/skeyinit.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: skeyinit.c,v 1.45 2003/11/26 00:05:27 espie Exp $ */
+/* $OpenBSD: skeyinit.c,v 1.46 2004/06/04 18:18:20 otto Exp $ */

 /* OpenBSD S/Key (skeyinit.c)
 *
@@ -412,7 +412,7 @@ normal_mode(char *username, int n, char *key, char *seed)
 if (i > 2)
 errx(1, "S/Key entry not updated");

-if (readpassphrase("Enter secret passphrase: ", passwd,
+if (readpassphrase("Enter new secret passphrase: ", passwd,
 sizeof(passwd), 0) == NULL || passwd[0] == '\0')
 exit(1);
