-rw-r--r--usr.bin/skey/skey.128
-rw-r--r--usr.bin/skey/skey.c10
-rw-r--r--usr.bin/skeyinit/skeyinit.113
-rw-r--r--usr.bin/skeyinit/skeyinit.c4
4 files changed, 33 insertions, 22 deletions
diff --git a/usr.bin/skey/skey.1 b/usr.bin/skey/skey.1
index 74a9a2dea76..494b72a5536 100644
--- a/usr.bin/skey/skey.1
+++ b/usr.bin/skey/skey.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: skey.1,v 1.23 2003/08/08 10:13:33 jmc Exp $
+.\" $OpenBSD: skey.1,v 1.24 2004/06/04 18:18:20 otto Exp $
.\" @(#)skey.1 1.1 10/28/93
.\"
.Dd October 28, 1993
@@ -15,7 +15,7 @@
.Fl rmd160
.Oc
.Op Fl n Ar count
-.Op Fl p Ar passwd
+.Op Fl p Ar passphrase
<sequence#>[/] key
.Sh DESCRIPTION
.Nm S/Key
@@ -29,6 +29,16 @@ This implementation of
.Nm S/Key
is RFC 2289 compliant.
.Pp
+Before using
+.Nm skey
+the system needs to be initialized using
+.Xr skeyinit 1 ;
+this will establish a secret passphrase.
+After that, one-time passwords can be generated using
+.Nm skey ,
+which will prompt for the secret passphrase.
+After a one-time password has been used to log in, it can no longer be used.
+.Pp
When
.Nm skey
is invoked as
@@ -40,9 +50,9 @@ as the hash function where
.Ar method
is currently one of md4, md5, sha1, or rmd160.
.Pp
-If you misspell your password while running
+If you misspell your secret passphrase while running
.Nm skey ,
-you will get a list of passwords
+you will get a list of one-time passwords
that will not work, and no indication of the problem.
.Pp
Password sequence numbers count backwards.
@@ -57,12 +67,12 @@ Prints out
.Ar count
one-time passwords.
The default is to print one.
-.It Fl p Ar password
+.It Fl p Ar passphrase
Uses
-.Ar password
-as the secret password.
+.Ar passphrase
+as the secret passphrase.
Use of this option is discouraged as
-your secret password could be visible in a process listing.
+your secret passphrase could be visible in a process listing.
.It Fl x
Causes output to be in hexadecimal instead of ASCII.
.It Fl md4
@@ -78,7 +88,7 @@ Selects RMD-160 (160 bit Ripe Message Digest) as the hash algorithm.
.sp 0
% skey 99 th91334
.sp 0
- Enter secret password: <your secret password is entered here>
+ Enter secret passphrase: <your secret passphrase is entered here>
.sp 0
OMEN US HORN OMIT BACK AHOY
.sp 0
diff --git a/usr.bin/skey/skey.c b/usr.bin/skey/skey.c
index 677e60b9ef7..e5b0b36cbc5 100644
--- a/usr.bin/skey/skey.c
+++ b/usr.bin/skey/skey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: skey.c,v 1.19 2003/06/10 18:24:40 deraadt Exp $ */
+/* $OpenBSD: skey.c,v 1.20 2004/06/04 18:18:20 otto Exp $ */
/*
* OpenBSD S/Key (skey.c)
*
@@ -114,17 +114,17 @@ main(int argc, char *argv[])
seed = argv[++i];
}
- /* Get user's secret password */
+ /* Get user's secret passphrase */
if (!pass) {
fputs("Reminder - Do not use this program while"
" logged in via telnet.\n", stderr);
- (void)fputs("Enter secret password: ", stderr);
+ (void)fputs("Enter secret passphrase: ", stderr);
readpass(passwd, sizeof(passwd));
if (passwd[0] == '\0')
exit(1);
}
- /* Crunch seed and password into starting key */
+ /* Crunch seed and passphrase into starting key */
if (keycrunch(key, seed, passwd) != 0)
errx(1, "key crunch failed");
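Review bot: Nothing visible in this hunk clears `passwd` once `keycrunch()` has derived `key` from it, so the secret passphrase stays in main()'s buffer after it is no longer needed. main() starts before and continues past the hunk, so a wipe may already exist further down; that should be confirmed. If there is none, a clear that the compiler cannot optimise away, for example `explicit_bzero(passwd, sizeof(passwd));` where that call is available, placed right after the `keycrunch()` check, would shorten the time the passphrase could end up in a core dump or swap.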
@@ -151,6 +151,6 @@ usage(char *s)
{
fprintf(stderr,
"Usage: %s [-x] [-md4|-md5|-sha1|-rmd160] [-n count] "
- "[-p password] <sequence#>[/] key\n", s);
+ "[-p passphrase] <sequence#>[/] key\n", s);
exit(1);
}
diff --git a/usr.bin/skeyinit/skeyinit.1 b/usr.bin/skeyinit/skeyinit.1
index 6ebe845f013..4195428ed0d 100644
--- a/usr.bin/skeyinit/skeyinit.1
+++ b/usr.bin/skeyinit/skeyinit.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: skeyinit.1,v 1.26 2003/06/10 09:12:11 jmc Exp $
+.\" $OpenBSD: skeyinit.1,v 1.27 2004/06/04 18:18:20 otto Exp $
.\" $NetBSD: skeyinit.1,v 1.4 1995/07/07 22:24:09 jtc Exp $
.\" @(#)skeyinit.1 1.1 10/28/93
.\"
@@ -26,14 +26,16 @@
.Sh DESCRIPTION
.Nm
initializes the system so you can use S/Key one-time passwords to login.
-The program will ask you to enter a secret pass phrase;
+The program will ask you to enter a secret passphrase which is used by
+.Xr skey 1
+to generate one-time passwords;
enter a phrase of several words in response.
After the S/Key database
has been updated you can login using either your regular password
or using S/Key one-time passwords.
.Pp
.Nm
-requires you to type a secret password, so it should be used
+requires you to type a secret passphrase, so it should be used
only on a secure terminal.
For example, on the console of a
workstation or over an encrypted network session.
@@ -80,7 +82,7 @@ machine to generate the first one-time password.
Without the
.Fl s
option the system will assume you are directly connected over secure
-communications and prompt you for your secret password.
+communications and prompt you for your secret passphrase.
The
.Fl s
option also allows one to set the seed and count for complete
@@ -114,10 +116,9 @@ defeats the purpose of using
.Dq secure
mode.
.It Fl x
-Displays pass phrase in hexadecimal instead of ASCII.
+Displays one-time password in hexadecimal instead of ASCII.
.It Fl a Ar auth-type
Specify an authentication type such as
-.Dq krb4 ,
.Dq krb5
or
.Dq passwd .
diff --git a/usr.bin/skeyinit/skeyinit.c b/usr.bin/skeyinit/skeyinit.c
index a72d24ec983..f86687cfa19 100644
--- a/usr.bin/skeyinit/skeyinit.c
+++ b/usr.bin/skeyinit/skeyinit.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: skeyinit.c,v 1.45 2003/11/26 00:05:27 espie Exp $ */
+/* $OpenBSD: skeyinit.c,v 1.46 2004/06/04 18:18:20 otto Exp $ */
/* OpenBSD S/Key (skeyinit.c)
*
@@ -412,7 +412,7 @@ normal_mode(char *username, int n, char *key, char *seed)
if (i > 2)
errx(1, "S/Key entry not updated");
- if (readpassphrase("Enter secret passphrase: ", passwd,
+ if (readpassphrase("Enter new secret passphrase: ", passwd,
sizeof(passwd), 0) == NULL || passwd[0] == '\0')
exit(1);
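Review bot: The `exit(1)` after the reworded prompt gives no diagnostic when `readpassphrase()` returns NULL, so a failure to read the passphrase looks the same as the user pressing Enter on an empty line. The retry limit two lines above reports itself with `errx(1, "S/Key entry not updated")`, and the read failure deserves the same treatment. Splitting the condition would do it: `if (readpassphrase("Enter new secret passphrase: ", passwd, sizeof(passwd), 0) == NULL) err(1, "readpassphrase");` followed by `if (passwd[0] == '\0') exit(1);`. The silent exit on empty input looks deliberate and can stay. The surrounding loop in normal_mode() starts and ends outside this hunk.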