path: root/usr.sbin/tokeninit/tokeninit.8
blob: a36d6fed084b5df0c98db8ec3bd6e1b1f281123f (plain)
.\" $OpenBSD: tokeninit.8,v 1.10 2008/07/09 19:58:28 sobrado Exp $
.\"
.\" Copyright (c) 1995 Migration Associates Corporation. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"	This product includes software developed by Berkeley Software Design,
.\"	Inc.
.\" 4. The name of Berkeley Software Design, Inc.  may not be used to endorse
.\"    or promote products derived from this software without specific prior
.\"    written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"	BSDI $From: tokeninit.8,v 1.3 1997/01/16 03:23:11 bostic Exp $
.\"
.Dd $Mdocdate: July 9 2008 $
.Dt TOKENINIT 8
.Os
.Sh NAME
.Nm activinit ,
.Nm cryptoinit ,
.Nm snkinit
.Nd "modify or add user in ActivCard, CRYPTOCard, or SNK-004 authentication system"
.Sh SYNOPSIS
.Nm tokeninit
.Op Fl fhsv
.Op Fl m Ar mode
.Ar user ...
.Sh DESCRIPTION
The
.Nm tokeninit
utility may also be invoked by one of the following names:
.Nm activinit ,
.Nm cryptoinit ,
or
.Nm snkinit .
Depending on the name it was invoked as, it will
initialize the system information to allow one to use the
ActivCard, CRYPTOCard, or SNK-004 digital encryption token to log in.
The
.Nm tokeninit
utility is intended for use by the system administrator.
.Pp
Token card systems provide strong user authentication by combining a user's
unique knowledge (a Personal Identification Number) and a physical object
(the token) which the user must have in their possession to log in.
The system administrator programs the token with a secret encryption key
which is also stored in the database.
The user programs the token with a PIN.
To discourage exhaustive attempts to guess the PIN,
configuration options permit the token to be programmed
to erase knowledge of the shared secret should the user enter
an excessive number of incorrect PIN entries.
.Pp
The user activates the token by entering their PIN into the token.
After activating the token, the user enters a random number challenge
presented by the host computer into the token.
The challenge is encrypted by the token and a response is displayed.
The user then enters the response at the host computer's prompt,
where it is compared with the anticipated response.
.Pp
Token cards typically support multiple unique encryption keys.
This facility allows a single token to be used for multiple computer
systems, or multiple user instances on the same system.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl f
Force reinitialization of an existing account.
The current shared secret stored in the database will be replaced with
a new shared secret.
The new shared secret must be entered into the token,
replacing the current one.
.It Fl h
Read the shared secret as a 16-digit hexadecimal integer rather than
a sequence of 8 octets.
This is not supported when invoked as
.Nm snkinit .
.It Fl m Ar mode
Specify the input modes allowed for this user.
Possible modes are decimal (dec), hexadecimal (hex), phonebook (phone),
and reduced-input (rim).
Not all modes are available for all types of cards.
Multiple
.Fl m
options may be specified to enable multiple modes.
By default only the hexadecimal mode is enabled, except for the SNK-004
token, which by default only enables the decimal mode.
If an attempt is made to initialize a card with only reduced-input, the
default mode for the card is silently included.
.It Fl s
By default,
.Nm tokeninit
prompts for a shared secret to enter into the authentication database.
The
.Fl s
option generates a 64-bit cryptographically strong key for use in the token.
This shared secret will be saved in the database for the user ID
specified on the command line.
After entering the shared secret into the token, determine that the
checksum computed by the token matches the one displayed by
.Nm tokeninit .
.It Fl v
Enable verbose mode.
.Nm tokeninit
will emit messages on the status of each user ID processed.
.El
.Sh REDUCED-INPUT MODE
Reduced-input mode allows the token to predict the next challenge,
given the current challenge.
This may be used to eliminate the need to enter the challenge to the
token or may also be used with a paper list.
Using a program such as
.Xr x99token 1
many challenges could be precomputed and printed.
This list should be kept secret.
This list can then take the place of an actual token until
the system has issued all the challenges printed.
Challenges are predicted by the following algorithm:
.Bd -unfilled -offset indent
* Encrypt the last challenge with the shared secret key

* AND each byte of the response with 0x0f

* Modulo each byte by 10 (0x0a)

* ADD 0x30 (ASCII value of '0') to each byte
.Ed
.Pp
The resulting 8 bytes are all ASCII decimal digits and are the next challenge.
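.Pp
The following is an added example, not part of the OpenBSD manual page or
its token sources.
It shows both the host-side challenge/response check described in DESCRIPTION
and the reduced-input chain described above.
The manual page does not name the token's block cipher, so the example uses a
constructed keyed stand-in (HMAC-SHA256 truncated to 8 bytes); the
function names, the assumption that a response is the encrypted block rendered
as 16 hex digits, and all sample values are assumptions made for this example.

```python
import hmac
import hashlib
from collections import Counter


def make_stand_in_cipher(shared_secret: bytes):
    """Constructed stand-in for the token's 8-byte block cipher.

    The manual page does not name the cipher, so this is a keyed PRF
    truncated to 8 bytes. It is NOT a real token cipher; any
    8-byte -> 8-byte keyed function can be swapped in.
    """
    def encrypt(block: bytes) -> bytes:
        return hmac.new(shared_secret, block, hashlib.sha256).digest()[:8]
    return encrypt


def host_verify_response(encrypt, challenge: bytes, response: str) -> bool:
    """Host side of the exchange: encrypt the challenge it issued and
    compare with what the user typed.

    Assumption: hex mode, so the response is the 8-byte block as
    16 hex digits. The comparison is constant-time so a wrong response
    does not leak how many leading digits matched.
    """
    expected = encrypt(challenge).hex()
    return hmac.compare_digest(expected.encode(), response.lower().encode())


def predict_next_challenge(encrypt, last_challenge: bytes) -> bytes:
    """Reduced-input mapping from tokeninit(8):
    encrypt the last challenge, AND each byte with 0x0f, reduce it
    modulo 10, then add 0x30 so every byte is an ASCII decimal digit."""
    if len(last_challenge) != 8:
        raise ValueError("challenge must be 8 bytes")
    block = encrypt(last_challenge)
    if len(block) != 8:
        raise ValueError("encrypt must return an 8-byte block")
    return bytes(((b & 0x0F) % 10) + 0x30 for b in block)


def precompute_challenges(encrypt, first_challenge: bytes, count: int) -> list:
    """Walk the chain `count` steps, as a paper-list generator would.
    The list is as sensitive as the shared secret it was derived from."""
    chain = []
    cur = first_challenge
    for _ in range(count):
        cur = predict_next_challenge(encrypt, cur)
        chain.append(cur.decode("ascii"))
    return chain


def digit_distribution() -> dict:
    """How many of the 16 possible low-nibble values land on each digit
    after the AND 0x0f / mod 10 steps. Not uniform: 0-5 get two
    preimages each, 6-9 get one."""
    counts = Counter(chr(((v & 0x0F) % 10) + 0x30) for v in range(16))
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    # Constructed sample secret and first challenge.
    enc = make_stand_in_cipher(bytes(range(8)))
    challenge = b"12345678"
    # What a correctly keyed token would display in hex mode.
    good = enc(challenge).hex()
    print("host accepts good response:", host_verify_response(enc, challenge, good))
    print("host accepts bad response: ", host_verify_response(enc, challenge, "0" * 16))
    print("next 5 reduced-input challenges:", precompute_challenges(enc, challenge, 5))
    print("digit preimage counts:", digit_distribution())
```

Two points the code makes visible: the host only ever needs the shared secret
and the challenge it issued, so the database files under FILES are the thing to
protect; and because values 10 through 15 wrap onto 0 through 5, digits 0-5 are
twice as likely as 6-9 in a predicted challenge, giving each digit about 3.25
bits of entropy rather than the 3.32 bits of a uniform decimal digit.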
.Sh FILES
.Bl -tag -width xetcxcrypto.db -compact
.It Pa /etc/activ.db
database of information for ActivCard system
.It Pa /etc/crypto.db
database of information for CRYPTOCard system
.It Pa /etc/snk.db
database of information for SNK-004 system
.El
.Sh DIAGNOSTICS
Diagnostic messages are logged via
.Xr syslog 3
with the
.Dv LOG_AUTH
facility.
.Sh COMMENTS
A supplier for ActivCard tokens may be obtained by contacting:
.Bd -unfilled -offset indent
ActivCard, Inc.
303 Twin Dolphin Dr., Ste 420
Redwood City, CA 94065
Tel: (415) 654-1700
Fax: (415) 654-1701
.Ed
.Pp
CRYPTOCard tokens may be obtained by contacting:
.Bd -unfilled -offset indent
CRYPTOCard Incorporated
Attn: Wade Clark
1649 Barclay Blvd.
Buffalo Grove, Illinois 60089
Tel: (800) 307-7042 / (708) 459-6500
Fax: (708) 459-6599
<token@cryptocard.com>
.Ed
.Pp
SNK-004 tokens are no longer available for purchase.
.Sh SEE ALSO
.Xr x99token 1 ,
.Xr syslog 3 ,
.Xr login_token 8 ,
.Xr tokenadm 8
.Sh AUTHORS
.An Jack Flory Aq jpf@mig.com
.Sh BUGS
Not all modes of all cards are supported.