[OpenBSD]

Manual Page Search Parameters
SKEYINIT(1) General Commands Manual SKEYINIT(1)

NAME

skeyinitchange password or add user to S/Key authentication system

SYNOPSIS

skeyinit [-DErsx] [-a auth-type] [-n count] [-md5 | -rmd160 | -sha1] [user]

DESCRIPTION

skeyinit initializes the system so you can use S/Key one-time passwords to log in. The program will ask you to enter a secret passphrase which is used by skey(1) to generate one-time passwords: enter a phrase of several words in response. After the S/Key database has been updated you can log in using either your regular password or using S/Key one-time passwords.
skeyinit requires you to type a secret passphrase, so it should be used only on a secure terminal. For example, on the console of a workstation or over an encrypted network session. If you are using skeyinit while logged in over an untrusted network, follow the instructions given below with the -s option.
Before initializing an S/Key entry, the user must authenticate using either a standard password or an S/Key challenge. To use a one-time password for initial authentication, skeyinit -a skey can be used. The user will then be presented with the standard S/Key challenge and allowed to proceed if it is correct.
skeyinit prints a sequence number and a one-time password. This password can't be used to log in; one-time passwords should be generated using skey(1) first. The one-time password printed by skeyinit can be used to verify if the right passphrase has been given to skey(1). The one-time password with the corresponding sequence number printed by skey(1) should match the one printed by skeyinit.
The options are as follows:
 
 
-a auth-type
Before an S/Key entry can be initialised, the user must authenticate themselves to the system. This option allows the authentication type to be specified, such as “passwd” or “skey”.
 
 
-D
Disables access to the S/Key database. Only the superuser may use the -D option.
 
 
-E
Enables access to the S/Key database. Only the superuser may use the -E option.
 
 
-md5 | -rmd160 | -sha1
Selects the hash algorithm: MD5, RMD-160 (160-bit Ripe Message Digest), or SHA1 (NIST Secure Hash Algorithm Revision 1).
 
 
-n count
Start the skey sequence at count (default is 100).
 
 
-r
Removes the user's S/Key entry.
 
 
-s
Secure mode. The user is expected to have already used a secure machine to generate the first one-time password. Without the -s option the system will assume you are directly connected over secure communications and prompt you for your secret passphrase. The -s option also allows one to set the seed and count for complete control of the parameters.
When the -s option is specified, skeyinit will try to authenticate the user via S/Key, instead of the default listed in /etc/login.conf. If a user has no entry in the S/Key database, an alternate authentication type must be specified via the -a option (see above). Please note that entering a password or passphrase in plain text defeats the purpose of using “secure” mode.
You can use skeyinit -s in combination with the skey command to set the seed and count if you do not like the defaults. To do this run skeyinit -s in one window and put in your count and seed, then run skey(1) in another window to generate the correct 6 English words for that count and seed. You can then "cut-and-paste" or type the words into the skeyinit window.
 
 
-x
Displays one-time passwords in hexadecimal instead of ASCII.
 
 
user
The username to be changed/added. By default the current user is operated on.

FILES

/etc/login.conf
file containing authentication types
/etc/skey
directory containing user entries for S/Key

EXAMPLES

$ skeyinit 
Password: <enter your regular password here> 
[Updating user with md5] 
Old seed: [md5] host12377 
Enter new secret passphrase: <type a new passphrase here> 
Again secret passphrase: <again> 
ID user skey is otp-md5 100 host12378 
Next login password: CITE BREW IDLE CAIN ROD DOME 
$ otp-md5 -n 3 100 host12378 
Enter secret passphrase: <type your passphrase here> 
98: WERE TUG EDDY GEAR GILL TEE 
99: NEAR HA TILT FIN LONG SNOW 
100: CITE BREW IDLE CAIN ROD DOME
The one-time password for the next login will have sequence number 99.

DIAGNOSTICS

skey disabled
/etc/skey does not exist or is not accessible by the user. The superuser may enable skeyinit via the -E flag.

SEE ALSO

skey(1), skeyaudit(1), skeyinfo(1), skey(5), skeyprune(8)

AUTHORS

Phil Karn
Neil M. Haller
John S. Walden
Scott Chasin
Todd Miller
October 9, 2015 OpenBSD-current