password or add user to S/Key authentication system
[-md5 | -rmd160 | -sha1]
skeyinit initializes the system so you can use S/Key one-time passwords to log
in. The program will ask you to enter a secret passphrase which is used by
skey(1) to generate one-time passwords: enter a phrase of several words in
response. After the S/Key database has been updated you can log in using
either your regular password or using S/Key one-time passwords.

skeyinit requires you to type a secret passphrase, so it should be used only
on a secure terminal, for example on the console of a workstation or over an
encrypted network session. If you are using skeyinit while logged in over an
untrusted network, follow the instructions given below with the

Before initializing an S/Key entry, the user must authenticate using either a
standard password or an S/Key challenge. To use a one-time password for
initial authentication, skeyinit -a skey can be used. The user will then be
presented with the standard S/Key challenge and allowed to proceed if it is
correct.

skeyinit prints a sequence number and a one-time password. This password
can't be used to log in; one-time passwords should be generated using skey(1).
The one-time password printed by skeyinit can be used to verify if the right
passphrase has been given to skey(1). The one-time password with the
corresponding sequence number printed by skey(1) should match the one printed
by skeyinit.

The options are as follows:
- Before an S/Key entry can be initialised, the user must
authenticate themselves to the system. This option allows the
authentication type to be specified, such as “passwd” or
- Disables access to the S/Key database. Only the superuser
may use the -D option.
- Enables access to the S/Key database. Only the superuser
may use the -E option.
- Selects the hash algorithm: MD5, RMD-160 (160-bit Ripe
Message Digest), or SHA1 (NIST Secure Hash Algorithm Revision 1).
- Start the skey sequence at
count (default is 100).
- Removes the user's S/Key entry.
- Secure mode. The user is expected to have already used a secure machine to
generate the first one-time password. Without the -s option the system will
assume you are directly connected over secure communications and prompt you
for your secret passphrase. The -s option also allows one to set the seed and
count for complete control of the parameters.
When the -s option is specified, skeyinit will try to authenticate the user
via S/Key, instead of the default listed in /etc/login.conf. If a user has no
entry in the S/Key database, an alternate authentication type must be
specified via the -a option (see above). Please note that entering a password
or passphrase in plain text defeats the purpose of using “secure” mode.
You can use skeyinit -s in combination with the skey command to set the seed
and count if you do not like the defaults. To do this run skeyinit -s in one
window and put in your count and seed, then run skey(1) in another window to
generate the correct 6 English words for that count and seed. You can then
"cut-and-paste" or type the words into the
- Displays one-time passwords in hexadecimal instead of
- The username to be changed/added. By default the current
user is operated on.
- file containing authentication types
- directory containing user entries for S/Key
Password: <enter your regular password here>
[Updating user with md5]
Old seed: [md5] host12377
Enter new secret passphrase: <type a new passphrase here>
Again secret passphrase: <again>
ID user skey is otp-md5 100 host12378
Next login password: CITE BREW IDLE CAIN ROD DOME
$ otp-md5 -n 3 100 host12378
Enter secret passphrase: <type your passphrase here>
98: WERE TUG EDDY GEAR GILL TEE
99: NEAR HA TILT FIN LONG SNOW
100: CITE BREW IDLE CAIN ROD DOME
The one-time password for the next login will have sequence number 99.
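
The sequence numbers in the session above follow from the S/Key hash chain. The sketch below is an added example, not part of the original manual page or the skey sources: it assumes the RFC 2289 MD5 construction, uses the RFC's test passphrase and seed rather than the values in the session, and the names `step`, `otp`, `as_hex` and `Entry` are hypothetical. It shows why the value stored at initialization cannot be used to log in, why the next challenge counts down, and why a replayed password is rejected.

```python
import hashlib
import hmac

def step(data: bytes) -> bytes:
    """One chain link: MD5, then fold 128 bits to 64 by XORing the halves."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp(passphrase: str, seed: str, count: int) -> bytes:
    """One-time password for sequence number `count` (assumed RFC 2289 scheme)."""
    value = step(seed.lower().encode() + passphrase.encode())  # seed is case-insensitive
    for _ in range(count):
        value = step(value)
    return value

def as_hex(value: bytes) -> str:
    """Hexadecimal display: four groups of four hex digits."""
    h = value.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))

class Entry:
    """Hypothetical server-side record: the last accepted OTP and its sequence
    number. The passphrase itself is never stored."""

    def __init__(self, stored: bytes, count: int):
        self.stored, self.count = stored, count

    def challenge(self) -> int:
        return self.count - 1  # the next login uses the preceding chain element

    def verify(self, response: bytes) -> bool:
        if self.count <= 0:
            return False  # chain exhausted, the entry must be re-initialized
        if not hmac.compare_digest(step(response), self.stored):
            return False
        self.stored, self.count = response, self.count - 1
        return True

if __name__ == "__main__":
    # Constructed inputs: the RFC 2289 test passphrase and seed.
    phrase, seed = "This is a test.", "TeSt"
    entry = Entry(otp(phrase, seed, 100), 100)  # what initialization stores
    print("challenge:", entry.challenge())
    print("stored value accepted:", entry.verify(otp(phrase, seed, 100)))
    print("sequence 99 accepted: ", entry.verify(otp(phrase, seed, 99)))
    print("replay of 99 accepted:", entry.verify(otp(phrase, seed, 99)))
    print("next challenge:", entry.challenge(), as_hex(otp(phrase, seed, 98)))
```

An observer who captures the password for sequence 99 cannot derive the one for 98, because that would require inverting the hash step.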
- skey disabled
- /etc/skey does not exist or is
not accessible by the user. The superuser may enable
skeyinit via the
Neil M. Haller
John S. Walden