path: root/usr.bin/skeyinit/skeyinit.1
blob: d4cef334301e97884a59b1a4dd2acbae2f92bac4 (plain)
.\"	$OpenBSD: skeyinit.1,v 1.28 2004/06/06 11:23:25 otto Exp $
.\"	$NetBSD: skeyinit.1,v 1.4 1995/07/07 22:24:09 jtc Exp $
.\"	@(#)skeyinit.1	1.1 	10/28/93
.\"
.Dd February 24, 1998
.Dt SKEYINIT 1
.Os
.Sh NAME
.Nm skeyinit
.Nd change password or add user to S/Key authentication system
.Sh SYNOPSIS
.Nm skeyinit
.Op Fl r
.Op Fl s
.Op Fl x
.Op Fl C
.Op Fl D
.Op Fl E
.Op Fl a Ar auth-type
.Op Fl n Ar count
.Oo
.Fl md4 | Fl md5 | Fl sha1 |
.Fl rmd160
.Oc
.Op Ar user
.Sh DESCRIPTION
.Nm
initializes the system so you can use S/Key one-time passwords to log in.
The program will ask you to enter a secret passphrase which is used by
.Xr skey 1
to generate one-time passwords;
enter a phrase of several words in response.
After the S/Key database has been updated, you can log in using either
your regular password or S/Key one-time passwords.
.Pp
.Nm
requires you to type a secret passphrase, so it should be used
only on a secure terminal, for example on the console of a
workstation or over an encrypted network session.
If you are using
.Nm
while logged in over an untrusted network, follow the instructions
given below with the
.Fl s
option.
.Pp
Before initializing an S/Key entry, the user must authenticate
using either a standard password or an S/Key challenge.
When used over an untrusted network, a password of
.Sq s/key
should be used.
The user will then be presented with the standard
S/Key challenge and allowed to proceed if it is correct.
.Pp
.Nm
prints a sequence number and a one-time password.
This password cannot be used to log in; one-time passwords should be
generated using
.Xr skey 1
first.
The one-time password printed by
.Nm
can be used to verify that the right passphrase has been given to
.Xr skey 1 .
The one-time password with the corresponding sequence number printed by
.Xr skey 1
should match the one printed by
.Nm .
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl C
Converts from the old-style
.Pa /etc/skeykeys
database to a new-style database where user records are stored in the
.Pa /etc/skey
directory.
If an entry already exists in the new-style database it will not
be overwritten.
.It Fl D
Disables access to the S/Key database.
Only the superuser may use the
.Fl D
option.
.It Fl E
Enables access to the S/Key database.
Only the superuser may use the
.Fl E
option.
.It Fl r
Removes the user's S/Key entry.
.It Fl s
Sets secure mode, where the user is expected to have used a secure
machine to generate the first one-time password.
Without the
.Fl s
option the system will assume you are directly connected over secure
communications and prompt you for your secret passphrase.
The
.Fl s
option also allows one to set the seed and count for complete
control of the parameters.
You can use
.Ic skeyinit -s
in combination with the
.Nm skey
command to set the seed and count if you do not like the defaults.
To do this run
.Nm
in one window and put in your count and seed, then run
.Nm skey
in another window to generate the correct 6 English words for that
count and seed.
You can then
.Dq cut-and-paste
or type the words into the
.Nm
window.
When the
.Fl s
option is specified,
.Nm
will try to authenticate the user via S/Key, instead of the default listed in
.Pa /etc/login.conf .
If a user has no entry in the S/Key database, an alternate authentication
type must be specified via the
.Fl a
option.
Please note that entering a password or passphrase in plain text
defeats the purpose of using
.Dq secure
mode.
.It Fl x
Displays the one-time password in hexadecimal instead of ASCII.
.It Fl a Ar auth-type
Specify an authentication type such as
.Dq krb5
or
.Dq passwd .
.It Fl n Ar count
Start the
.Nm skey
sequence at
.Ar count
(default is 100).
.It Fl md4
Selects MD4 as the hash algorithm.
.It Fl md5
Selects MD5 as the hash algorithm.
.It Fl sha1
Selects SHA (NIST Secure Hash Algorithm Revision 1) as the hash algorithm.
.It Fl rmd160
Selects RMD-160 (160-bit RIPE Message Digest) as the hash algorithm.
.It Ar user
The username to be changed/added.
By default the current user is operated on.
.El
.Sh FILES
.Bl -tag -width /etc/login.conf -compact
.It Pa /etc/login.conf
file containing authentication types
.It Pa /etc/skey
directory containing user entries for S/Key
.El
.Sh EXAMPLES
.Bd -literal
    $ skeyinit
    Reminder - Only use this method if you are directly connected
               or have an encrypted channel.  If you are using telnet,
               hit return now and use skeyinit -s.
    Password: <enter your regular password here>
    [Updating user with md5]
    Old seed: [md5] host12377
    Enter new secret passphrase: <type a new passphrase here>
    Again secret passphrase: <again>
    ID user skey is otp-md5 100 host12378
    Next login password: CITE BREW IDLE CAIN ROD DOME
    $ otp-md5 -n 3 100 host12378
    Reminder - Do not use this program while logged in via telnet.
    Enter secret passphrase: <type your passphrase here>
    98: WERE TUG EDDY GEAR GILL TEE
    99: NEAR HA TILT FIN LONG SNOW
    100: CITE BREW IDLE CAIN ROD DOME
.Ed
.Pp
The one-time password for the next login will have sequence number 99.
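.Pp
The following added example (not part of this manual page or of the skey sources) models the exchange shown above and the secure-mode workflow under the -s option: the otp-md5 hash chain that skey computes from the passphrase, the record skeyinit stores, and the check the login side performs on the sequence-99 password. The seed host12378 and count 100 come from the example above; the passphrase is constructed.

```python
import hashlib
import hmac

# Seed and count are from the EXAMPLES section; the passphrase is constructed.
SEED = "host12378"
COUNT = 100
PASSPHRASE = "constructed passphrase for this example"


def fold_md5(data: bytes) -> bytes:
    """MD5 the input and fold the 16-byte digest to 8 bytes by XORing the
    two halves, the RFC 2289 MD5 folding used by otp-md5."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """One-time password for sequence number `count`: hash the lowercased
    seed concatenated with the passphrase, then re-hash `count` times."""
    x = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(count):
        x = fold_md5(x)
    return x


def skeyinit_record(passphrase: str, seed: str, count: int):
    """What skeyinit stores for the user: the sequence number and the
    one-time password for that number.  The passphrase is never stored."""
    return (count, otp_md5(passphrase, seed, count))


def server_verify(record, submitted: bytes):
    """Login check: hashing the submitted password once must reproduce the
    stored one (the chain runs downward, so the stored value reveals no
    earlier password).  Returns the updated record, or None on failure."""
    seq, stored = record
    if seq < 1:
        return None  # no one-time passwords remain in this chain
    if not hmac.compare_digest(fold_md5(submitted), stored):
        return None
    return (seq - 1, submitted)


if __name__ == "__main__":
    rec = skeyinit_record(PASSPHRASE, SEED, COUNT)
    print("ID user skey is otp-md5 %d %s" % (COUNT, SEED))
    print("Next login password (hex): %s" % rec[1].hex().upper())
    nxt = otp_md5(PASSPHRASE, SEED, COUNT - 1)   # what skey prints for 99
    rec = server_verify(rec, nxt)
    print("login with 99 accepted; stored sequence is now", rec[0])
    print("replay of 99 accepted?", server_verify(rec, nxt) is not None)
```

The hex form corresponds to the -x output; rendering the six English words would additionally require the RFC 2289 dictionary.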
.Sh ERRORS
.Bl -tag -compact -width "skey disabled"
.It "skey disabled"
.Pa /etc/skey
does not exist or is not accessible by the user.
The superuser may enable
.Nm
via the
.Fl E
flag.
.El
.Sh SEE ALSO
.Xr skey 1 ,
.Xr skeyaudit 1 ,
.Xr skeyinfo 1 ,
.Xr skeyprune 1
.Sh AUTHORS
Phil Karn, Neil M. Haller, John S. Walden, Scott Chasin, Todd Miller