SKEYINIT(1) | General Commands Manual | SKEYINIT(1)

NAME
     skeyinit

SYNOPSIS
     skeyinit [-DErsx] [-a auth-type] [-n count] [-md5 | -rmd160 | -sha1] [user]
DESCRIPTION
     skeyinit initializes the system so you can use S/Key one-time passwords
     to log in. The program will ask you to enter a secret passphrase which
     is used by skey(1) to generate one-time passwords: enter a phrase of
     several words in response. After the S/Key database has been updated you
     can log in using either your regular password or S/Key one-time
     passwords.

     skeyinit requires you to type a secret passphrase, so it should be used
     only on a secure terminal, for example on the console of a workstation
     or over an encrypted network session. If you are using skeyinit while
     logged in over an untrusted network, follow the instructions given below
     for the -s option.

     Before initializing an S/Key entry, the user must authenticate using
     either a standard password or an S/Key challenge. To use a one-time
     password for initial authentication, run skeyinit -a skey. The user will
     then be presented with the standard S/Key challenge and allowed to
     proceed if the response is correct.

     skeyinit prints a sequence number and a one-time password. This password
     can't be used to log in; one-time passwords for logging in should be
     generated with skey(1) first.

     The one-time password printed by skeyinit can be used to verify whether
     the right passphrase has been given to skey(1): the one-time password
     with the corresponding sequence number printed by skey(1) should match
     the one printed by skeyinit.
     The options are as follows:

     -a auth-type

     -D      ... the -E option.

     -E      ... the -D option.

     -md5 | -rmd160 | -sha1

     -n count
             Start the skey sequence at count (default is 100).

     -r

     -s      Without the -s option, the system will assume you are directly
             connected over secure communications and prompt you for your
             secret passphrase. The -s option also allows one to set the seed
             and count for complete control of the parameters.

             When the -s option is specified, skeyinit will try to
             authenticate the user via S/Key, instead of the default listed
             in /etc/login.conf. If a user has no entry in the S/Key
             database, an alternate authentication type must be specified
             via the -a option (see above). Please note that entering a
             password or passphrase in plain text defeats the purpose of
             using “secure” mode.

             You can use skeyinit -s in combination with the skey command to
             set the seed and count if you do not like the defaults. To do
             this, run skeyinit -s in one window and put in your count and
             seed, then run skey(1) in another window to generate the
             correct 6 English words for that count and seed. You can then
             cut-and-paste or type the words into the skeyinit window.

     -x
EXAMPLES
     $ skeyinit
     Password: <enter your regular password here>
     [Updating user with md5]
     Old seed: [md5] host12377
     Enter new secret passphrase: <type a new passphrase here>
     Again secret passphrase: <again>
     ID user skey is otp-md5 100 host12378
     Next login password: CITE BREW IDLE CAIN ROD DOME
     $ otp-md5 -n 3 100 host12378
     Enter secret passphrase: <type your passphrase here>
     98: WERE TUG EDDY GEAR GILL TEE
     99: NEAR HA TILT FIN LONG SNOW
     100: CITE BREW IDLE CAIN ROD DOME

     The one-time password for the next login will have sequence number 99.
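The check behind the sequence numbers in the session above, as an added Python example that is not part of the skeyinit source or manual: otp-md5 as specified in RFC 2289 (MD5 over the lowercased seed and the passphrase, folded to 64 bits, then one more hash step per sequence number), beside a verifier that accepts the password for sequence N-1 only if hashing it once reproduces the stored value for N and then advances the entry. The seed host12378 is taken from the example; the passphrase and the in-memory entry are constructed.

```python
import hashlib
import hmac

def fold_md5(data: bytes) -> bytes:
    """One otp-md5 step (RFC 2289): MD5 the input and fold the 128-bit
    digest to 64 bits by XORing its two halves."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """One-time password for sequence number `count`: the initial step hashes
    lowercased seed + passphrase, then the hash is applied `count` more
    times. Returns 8 raw bytes (the hex form is what skeyinit -x prints)."""
    key = fold_md5(seed.lower().encode() + passphrase.encode())
    for _ in range(count):
        key = fold_md5(key)
    return key

def verify_and_advance(entry, presented: bytes):
    """Server side. `entry` is (seq, otp) as skeyinit records it: the sequence
    number and the one-time password for it. A login must present the
    password for seq-1; it is accepted only if one more hash step reproduces
    the stored value. On success the entry advances, so a replayed password
    no longer verifies, and the passphrase itself is never stored."""
    seq, stored = entry
    if seq <= 1:                       # sequence exhausted: run skeyinit again
        return False, entry
    if not hmac.compare_digest(fold_md5(presented), stored):
        return False, entry
    return True, (seq - 1, presented)

if __name__ == "__main__":
    seed, passphrase = "host12378", "correct horse battery"   # passphrase is constructed
    # skeyinit -n 100 stores the password for sequence 100 ("Next login password")
    entry = (100, otp_md5(passphrase, seed, 100))
    # first login with 99, a replay of 99, a wrong passphrase for 98, then a good 98
    for pw, n in [(passphrase, 99), (passphrase, 99),
                  ("wrong phrase", 98), (passphrase, 98)]:
        ok, entry = verify_and_advance(entry, otp_md5(pw, seed, n))
        print(f"login with otp-md5 {n} {seed}: {'accepted' if ok else 'rejected'}; "
              f"entry now at sequence {entry[0]}")
```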
     ... skeyinit via the -E flag.

October 9, 2015 | OpenBSD-current