From 1134e0bf54fadfc9102b9b8aa1cbbc16fcbd95a7 Mon Sep 17 00:00:00 2001 From: Jason McIntyre Date: Wed, 3 Aug 2005 09:20:31 +0000 Subject: improve description of -a and -s a little; --- usr.bin/skeyinit/skeyinit.1 | 50 +++++++++++++++++++++++++-------------------- 1 file changed, 28 insertions(+), 22 deletions(-) (limited to 'usr.bin') diff --git a/usr.bin/skeyinit/skeyinit.1 b/usr.bin/skeyinit/skeyinit.1 index f48b579efdd..7ce026ccfdf 100644 --- a/usr.bin/skeyinit/skeyinit.1 +++ b/usr.bin/skeyinit/skeyinit.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: skeyinit.1,v 1.32 2005/07/14 19:27:18 jmc Exp $ +.\" $OpenBSD: skeyinit.1,v 1.33 2005/08/03 09:20:30 jmc Exp $ .\" $NetBSD: skeyinit.1,v 1.4 1995/07/07 22:24:09 jtc Exp $ .\" @(#)skeyinit.1 1.1 10/28/93 .\" @@ -24,7 +24,7 @@ initializes the system so you can use S/Key one-time passwords to log in. The program will ask you to enter a secret passphrase which is used by .Xr skey 1 -to generate one-time passwords; +to generate one-time passwords: enter a phrase of several words in response. After the S/Key database has been updated you can log in using either your regular password @@ -44,9 +44,9 @@ option. .Pp Before initializing an S/Key entry, the user must authenticate using either a standard password or an S/Key challenge. -To use a one-time password for initial authentication, the -.Dq Fl a Li skey -option can be used. +To use a one-time password for initial authentication, +.Ic skeyinit -a skey +can be used. The user will then be presented with the standard S/Key challenge and allowed to proceed if it is correct. .Pp @@ -68,7 +68,9 @@ should match the one printed by The options are as follows: .Bl -tag -width Ds .It Fl a Ar auth-type -Specify an authentication type such as +Before an S/Key entry can be initialised, +the user must authenticate themselves to the system. +This option allows the authentication type to be specified, such as .Dq krb5 , .Dq passwd , or @@ -104,7 +106,8 @@ sequence at .It Fl r Removes the user's S/Key entry. .It Fl s -Set secure mode where the user is expected to have used a secure +Secure mode. +The user is expected to have already used a secure machine to generate the first one-time password. Without the .Fl s @@ -114,20 +117,7 @@ The .Fl s option also allows one to set the seed and count for complete control of the parameters. -You can use -.Ic skeyinit -s -in combination with the -.Nm skey -command to set the seed and count if you do not like the defaults. -To do this run -.Nm -in one window and put in your count and seed, then run -.Nm skey -in another window to generate the correct 6 English words for that -count and seed. -You can then "cut-and-paste" or type the words into the -.Nm -window. +.Pp When the .Fl s option is specified, @@ -137,11 +127,27 @@ will try to authenticate the user via S/Key, instead of the default listed in If a user has no entry in the S/Key database, an alternate authentication type must be specified via the .Fl a -option. +option +(see above). Please note that entering a password or passphrase in plain text defeats the purpose of using .Dq secure mode. +.Pp +You can use +.Ic skeyinit -s +in combination with the +.Nm skey +command to set the seed and count if you do not like the defaults. +To do this run +.Ic skeyinit -s +in one window and put in your count and seed, then run +.Xr skey 1 +in another window to generate the correct 6 English words for that +count and seed. +You can then "cut-and-paste" or type the words into the +.Nm +window. .It Fl x Displays one-time passwords in hexadecimal instead of ASCII. .It Ar user -- cgit v1.2.3