.\" $OpenBSD: skeyinit.1,v 1.25 2002/12/09 21:41:38 cloder Exp $ .\" $NetBSD: skeyinit.1,v 1.4 1995/07/07 22:24:09 jtc Exp $ .\" @(#)skeyinit.1 1.1 10/28/93 .\" .Dd February 24, 1998 .Dt SKEYINIT 1 .Os .Sh NAME .Nm skeyinit .Nd change password or add user to S/Key authentication system .Sh SYNOPSIS .Nm skeyinit .Op Fl r .Op Fl s .Op Fl x .Op Fl C .Op Fl D .Op Fl E .Op Fl a Ar auth-type .Op Fl n Ar count .Oo .Fl md4 | Fl md5 | Fl sha1 | .Fl rmd160 .Oc .Op Ar user .Sh DESCRIPTION .Nm initializes the system so you can use S/Key one-time passwords to login. The program will ask you to enter a secret pass phrase; enter a phrase of several words in response. After the S/Key database has been updated you can login using either your regular password or using S/Key one-time passwords. .Pp .Nm requires you to type a secret password, so it should be used only on a secure terminal. For example, on the console of a workstation or over an encrypted network session. If you are using .Nm while logged in over an untrusted network, follow the instructions given below with the .Fl s option. .Pp Before initializing an S/Key entry, the user must authenticate using either a standard password or an S/Key challenge. When used over an untrusted network, a password of .Sq s/key should be used. The user will then be presented with the standard S/Key challenge and allowed to proceed if it is correct. .Pp The options are as follows: .Bl -tag -width Ds .It Fl C Converts from the old-style .Pa /etc/skeykeys database to a new-style database where user records are stored in the .Pa /etc/skey directory. If an entry already exists in the new-style database it will not be overwritten. .It Fl D Disables access to the S/Key database. Only the superuser may use the .Fl D option. .It Fl E Enables access to the S/Key database. Only the superuser may use the .Fl E option. .It Fl r Removes the user's S/Key entry. .It Fl s Set secure mode where the user is expected to have used a secure machine to generate the first one-time password. Without the .Fl s option the system will assume you are directly connected over secure communications and prompt you for your secret password. The .Fl s option also allows one to set the seed and count for complete control of the parameters. You can use .Ic skeyinit -s in combination with the .Nm skey command to set the seed and count if you do not like the defaults. To do this run .Nm in one window and put in your count and seed, then run .Nm skey in another window to generate the correct 6 English words for that count and seed. You can then "cut-and-paste" or type the words into the .Nm window. When the .Fl s option is specified, .Nm will try to authenticate the user via S/Key, instead of the default listed in .Pa /etc/login.conf . If a user has no entry in the S/Key database, an alternate authentication type must be specified via the .Fl a option. Please note that entering a password or passphrase in plain text defeats the purpose of using .Dq secure mode. .It Fl x Displays pass phrase in hexadecimal instead of ASCII. .It Fl a Ar auth-type Specify an authentication type such as .Dq krb4 , .Dq krb5 or .Dq passwd . .It Fl n Ar count Start the .Nm skey sequence at .Ar count (default is 100). .It Fl md4 Selects MD4 as the hash algorithm. .It Fl md5 Selects MD5 as the hash algorithm. .It Fl sha1 Selects SHA (NIST Secure Hash Algorithm Revision 1) as the hash algorithm. .It Fl rmd160 Selects RMD-160 (160 bit Ripe Message Digest) as the hash algorithm. .It Ar user The username to be changed/added. By default the current user is operated on. .El .Sh ERRORS .Bl -tag -compact -width "skey disabled" .It "skey disabled" .Pa /etc/skey does not exist or is not accessible by the user. The superuser may enable .Nm via the .Fl E flag. .El .Sh FILES .Bl -tag -width /etc/login.conf -compact .It Pa /etc/login.conf file containing authentication types .It Pa /etc/skey directory containing user entries for S/Key .El .Sh SEE ALSO .Xr skey 1 , .Xr skeyinfo 1 .Sh AUTHORS Phil Karn, Neil M. Haller, John S. Walden, Scott Chasin, Todd Miller