NAME
skeyinit
—
change password or add user to S/Key
authentication system
SYNOPSIS
skeyinit |
[-CDErsx ]
[-a auth-type]
[-n count]
[-md5 | -rmd160 | -sha1 ]
[user] |
DESCRIPTION
skeyinit
initializes the system so you can
use S/Key one-time passwords to log in. The program will ask you to enter a
secret passphrase which is used by
skey(1) to generate one-time passwords: enter a phrase of several
words in response. After the S/Key database has been updated you can log in
using either your regular password or using S/Key one-time passwords.
skeyinit
requires you to type a secret
passphrase, so it should be used only on a secure terminal. For example, on
the console of a workstation or over an encrypted network session. If you
are using skeyinit
while logged in over an untrusted
network, follow the instructions given below with the
-s
option.
Before initializing an S/Key entry, the user must authenticate
using either a standard password or an S/Key challenge. To use a one-time
password for initial authentication, skeyinit -a
skey
can be used. The user will then be presented with the standard
S/Key challenge and allowed to proceed if it is correct.
skeyinit
prints a sequence number and a
one-time password. This password can't be used to log in; one-time passwords
should be generated using
skey(1) first. The one-time password printed by
skeyinit
can be used to verify if the right
passphrase has been given to
skey(1). The one-time password with the corresponding sequence number
printed by skey(1) should match the one printed by
skeyinit
.
The options are as follows:
-a
auth-type- Before an S/Key entry can be initialised, the user must authenticate themselves to the system. This option allows the authentication type to be specified, such as “passwd” or “skey”.
-C
- Converts from the old-style /etc/skeykeys database to a new-style database where user records are stored in the /etc/skey directory. If an entry already exists in the new-style database it will not be overwritten.
-D
- Disables access to the S/Key database. Only the superuser may use the
-D
option. -E
- Enables access to the S/Key database. Only the superuser may use the
-E
option. -md5
|-rmd160
|-sha1
- Selects the hash algorithm: MD5, RMD-160 (160-bit Ripe Message Digest), or SHA1 (NIST Secure Hash Algorithm Revision 1).
-n
count- Start the
skey
sequence at count (default is 100). -r
- Removes the user's S/Key entry.
-s
- Secure mode. The user is expected to have already used a secure machine to
generate the first one-time password. Without the
-s
option the system will assume you are directly connected over secure communications and prompt you for your secret passphrase. The-s
option also allows one to set the seed and count for complete control of the parameters.When the
-s
option is specified,skeyinit
will try to authenticate the user via S/Key, instead of the default listed in /etc/login.conf. If a user has no entry in the S/Key database, an alternate authentication type must be specified via the-a
option (see above). Please note that entering a password or passphrase in plain text defeats the purpose of using “secure” mode.You can use
skeyinit -s
in combination with theskey
command to set the seed and count if you do not like the defaults. To do this runskeyinit -s
in one window and put in your count and seed, then run skey(1) in another window to generate the correct 6 English words for that count and seed. You can then "cut-and-paste" or type the words into theskeyinit
window. -x
- Displays one-time passwords in hexadecimal instead of ASCII.
- user
- The username to be changed/added. By default the current user is operated on.
FILES
- /etc/login.conf
- file containing authentication types
- /etc/skey
- directory containing user entries for S/Key
EXAMPLES
$ skeyinit Reminder - Only use this method if you are directly connected or have an encrypted channel. If you are using telnet, hit return now and use skeyinit -s. Password: <enter your regular password here> [Updating user with md5] Old seed: [md5] host12377 Enter new secret passphrase: <type a new passphrase here> Again secret passphrase: <again> ID user skey is otp-md5 100 host12378 Next login password: CITE BREW IDLE CAIN ROD DOME $ otp-md5 -n 3 100 host12378 Reminder - Do not use this program while logged in via telnet. Enter secret passphrase: <type your passphrase here> 98: WERE TUG EDDY GEAR GILL TEE 99: NEAR HA TILT FIN LONG SNOW 100: CITE BREW IDLE CAIN ROD DOME
The one-time password for the next login will have sequence number 99.
DIAGNOSTICS
- skey disabled
- /etc/skey does not exist or is not accessible by
the user. The superuser may enable
skeyinit
via the-E
flag.
SEE ALSO
AUTHORS
Phil Karn, Neil M. Haller, John S. Walden, Scott Chasin, Todd Miller