|SKEYINIT(1)||General Commands Manual||SKEYINIT(1)|
skeyinit initializes the system so you can use S/Key one-time passwords to log in. The program will ask you to enter a secret passphrase which is used by skey(1) to generate one-time passwords: enter a phrase of several words in response. After the S/Key database has been updated you can log in using either your regular password or using S/Key one-time passwords.

skeyinit requires you to type a secret passphrase, so it should be used only on a secure terminal, for example on the console of a workstation or over an encrypted network session. If you are using skeyinit while logged in over an untrusted network, follow the instructions given below with the -s option.

Before initializing an S/Key entry, the user must authenticate using either a standard password or an S/Key challenge. To use a one-time password for initial authentication, skeyinit -a skey can be used. The user will then be presented with the standard S/Key challenge and allowed to proceed if it is correct.

skeyinit prints a sequence number and a one-time password. This password can't be used to log in; one-time passwords should be generated using skey(1) first. The one-time password printed by skeyinit can be used to verify if the right passphrase has been given to skey(1). The one-time password with the corresponding sequence number printed by skey(1) should match the one printed by skeyinit.

The options are as follows:
skey sequence at count (default is 100).

-s option the system will assume you are directly connected over secure communications and prompt you for your secret passphrase. The -s option also allows one to set the seed and count for complete control of the parameters. When the -s option is specified, skeyinit will try to authenticate the user via S/Key, instead of the default listed in /etc/login.conf. If a user has no entry in the S/Key database, an alternate authentication type must be specified via the -a option (see above). Please note that entering a password or passphrase in plain text defeats the purpose of using “secure” mode.

You can use skeyinit -s in combination with the skey command to set the seed and count if you do not like the defaults. To do this run skeyinit -s in one window and put in your count and seed, then run skey(1) in another window to generate the correct 6 English words for that count and seed. You can then "cut-and-paste" or type the words into the

    $ skeyinit
    Password: <enter your regular password here>
    [Updating user with md5]
    Old seed: [md5] host12377
    Enter new secret passphrase: <type a new passphrase here>
    Again secret passphrase: <again>
    ID user skey is otp-md5 100 host12378
    Next login password: CITE BREW IDLE CAIN ROD DOME
    $ otp-md5 -n 3 100 host12378
    Enter secret passphrase: <type your passphrase here>
    98: WERE TUG EDDY GEAR GILL TEE
    99: NEAR HA TILT FIN LONG SNOW
    100: CITE BREW IDLE CAIN ROD DOME

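
An added example, not part of the manual page or of OpenBSD's code: the RFC 2289 MD5 one-time-password chain, assumed here to be what otp-md5 computes, showing why the value printed by skeyinit for sequence 100 does not itself log you in while the value for sequence 99 does. SkeyEntry is a hypothetical stand-in for a database record, the passphrase is constructed, and passwords are kept as raw bytes rather than in the six-word encoding.

```python
import hashlib
import hmac


def fold_md5(data: bytes) -> bytes:
    """MD5, folded to 64 bits by XORing the two digest halves (RFC 2289)."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """One-time password for sequence number `count`, as 8 raw bytes."""
    # Initial step: lower-cased seed followed by the secret passphrase.
    value = fold_md5((seed.lower() + passphrase).encode("ascii"))
    # Sequence number N is N further applications of the folded hash.
    for _ in range(count):
        value = fold_md5(value)
    return value


class SkeyEntry:
    """Hypothetical stand-in for one user's record in the S/Key database."""

    def __init__(self, seed: str, count: int, stored: bytes):
        self.seed, self.count, self.stored = seed, count, stored

    def challenge(self) -> str:
        return f"otp-md5 {self.count - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        # Hash the response once; it must equal the stored password for
        # the previous (higher) sequence number.
        if self.count < 1 or not hmac.compare_digest(fold_md5(response), self.stored):
            return False
        # Accept, then advance so the same response cannot be replayed.
        self.stored, self.count = response, self.count - 1
        return True


if __name__ == "__main__":
    secret, seed = "constructed demo passphrase", "host12378"  # constructed input
    entry = SkeyEntry(seed, 100, otp_md5(secret, seed, 100))  # as after skeyinit
    print(entry.challenge())                                # otp-md5 99 host12378
    print(entry.verify(otp_md5(secret, seed, 100)))         # printed value: rejected
    print(entry.verify(otp_md5(secret, seed, 99)))          # next in chain: accepted
    print(entry.verify(otp_md5(secret, seed, 99)))          # replay: rejected
```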
|October 9, 2015||OpenBSD-current|