1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
|
.\" $OpenBSD: skeyinit.1,v 1.19 2000/11/09 17:52:39 aaron Exp $
.\" $NetBSD: skeyinit.1,v 1.4 1995/07/07 22:24:09 jtc Exp $
.\" @(#)skeyinit.1 1.1 10/28/93
.\"
.Dd February 24, 1998
.Dt SKEYINIT 1
.Os
.Sh NAME
.Nm skeyinit
.Nd change password or add user to S/Key authentication system
.Sh SYNOPSIS
.Nm skeyinit
.Op Fl s
.Op Fl z
.Op Fl n Ar count
.Oo
.Fl md4 | Fl md5 | Fl sha1 |
.Fl rmd160
.Oc
.Op Ar user
.Sh DESCRIPTION
.Nm
initializes the system so you can use S/Key one-time passwords to login.
The program will ask you to enter a secret pass phrase;
enter a phrase of several words in response.
After the S/Key database
has been updated you can login using either your regular password
or using S/Key one-time passwords.
.Pp
.Nm
requires you to type a secret password, so it should be used
only on a secure terminal.
For example, on the console of a
workstation or over an encrypted network session.
If you are using
.Nm
while logged in over an untrusted network, follow the instructions
given below with the
.Fl s
option.
.Pp
Before initializing an S/Key entry, the user must authenticate
using either a standard password or an S/Key challenge.
When used over an untrusted network, a password of
.Sq s/key
should be used.
The user will then be presented with the standard
S/Key challenge and allowed to proceed if it is correct.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl x
Displays pass phrase in hexadecimal instead of ASCII.
.It Fl s
Set secure mode where the user is expected to have used a secure
machine to generate the first one-time password.
Without the
.Fl s
option the system will assume you are directly connected over secure
communications and prompt you for your secret password.
The
.Fl s
option also allows one to set the seed and count for complete
control of the parameters.
You can use
.Ic skeyinit -s
in combination with the
.Nm skey
command to set the seed and count if you do not like the defaults.
To do this run
.Nm
in one window and put in your count and seed, then run
.Nm skey
in another window to generate the correct 6 English words for that
count and seed.
You can then "cut-and-paste" or type the words into the
.Nm
window.
.It Fl z
Allows the user to zero their S/Key entry.
.It Fl n Ar count
Start the
.Nm skey
sequence at
.Ar count
(default is 100).
.It Fl md4
Selects MD4 as the hash algorithm.
.It Fl md5
Selects MD5 as the hash algorithm.
.It Fl sha1
Selects SHA (NIST Secure Hash Algorithm Revision 1) as the hash algorithm.
.It Fl rmd160
Selects RMD-160 (160 bit Ripe Message Digest) as the hash algorithm.
.It Ar user
The username to be changed/added.
By default the current user is operated on.
.El
.Sh ERRORS
.Bl -tag -width "skey disabled"
.It skey disabled
.Pa /etc/skeykeys
does not exist.
It must be created by the superuser in order to use
.Nm skeyinit .
.Sh FILES
.Bl -tag -width /etc/skeykeys
.It Pa /etc/skeykeys
database of information for S/Key system
.Sh SEE ALSO
.Xr skey 1
.Sh AUTHORS
Phil Karn, Neil M. Haller, John S. Walden, Scott Chasin
|