OpenBSD manual page server

Manual Page Search Parameters

SKEYINIT(1) General Commands Manual SKEYINIT(1)

skeyinitchange password or add user to S/Key authentication system

skeyinit [-DErsx] [-a auth-type] [-n count] [-md5 | -rmd160 | -sha1] [user]

skeyinit initializes the system so you can use S/Key one-time passwords to log in. The program will ask you to enter a secret passphrase which is used by skey(1) to generate one-time passwords: enter a phrase of several words in response. After the S/Key database has been updated, you can log in using either your regular password or using S/Key one-time passwords.

skeyinit requires you to type a secret passphrase, so it should be used only on a secure terminal. For example, on the console of a workstation or over an encrypted network session. If you are using skeyinit while logged in over an untrusted network, follow the instructions given below with the -s option.

Before initializing an S/Key entry, the user must authenticate using either a standard password or an S/Key challenge. To use a one-time password for initial authentication, skeyinit -a skey can be used. The user will then be presented with the standard S/Key challenge and allowed to proceed if it is correct.

skeyinit prints a sequence number and a one-time password. This password can't be used to log in; one-time passwords should be generated using skey(1) first. The one-time password printed by skeyinit can be used to verify if the right passphrase has been given to skey(1). The one-time password with the corresponding sequence number printed by skey(1) should match the one printed by skeyinit.

The options are as follows:

auth-type
Before an S/Key entry can be initialised, the user must authenticate themselves to the system. This option allows the authentication type to be specified, such as “passwd” or “skey”.
Disables access to the S/Key database. Only the superuser may use the -D option.
Enables access to the S/Key database. Only the superuser may use the -E option.
| |
Selects the hash algorithm: MD5, RMD-160 (160-bit Ripe Message Digest), or SHA1 (NIST Secure Hash Algorithm Revision 1).
count
Start the skey sequence at count (default is 100).
Removes the user's S/Key entry.
Secure mode. The user is expected to have already used a secure machine to generate the first one-time password. Without the -s option the system will assume you are directly connected over secure communications and prompt you for your secret passphrase. The -s option also allows one to set the seed and count for complete control of the parameters.

When the -s option is specified, skeyinit will try to authenticate the user via S/Key, instead of the default listed in /etc/login.conf. If a user has no entry in the S/Key database, an alternate authentication type must be specified via the -a option (see above). Entering a password or passphrase in plain text defeats the purpose of using “secure” mode.

You can use skeyinit -s in combination with the skey command to set the seed and count if you do not like the defaults. To do this run skeyinit -s in one window and put in your count and seed, then run skey(1) in another window to generate the correct 6 English words for that count and seed. You can then "cut-and-paste" or type the words into the skeyinit window.

Displays one-time passwords in hexadecimal instead of ASCII.
user
The username to be changed/added. By default the current user is operated on.

/etc/login.conf
file containing authentication types
/etc/skey
directory containing user entries for S/Key

$ skeyinit
Password: <enter your regular password here>
[Updating user with md5]
Old seed: [md5] host12377
Enter new secret passphrase: <type a new passphrase here>
Again secret passphrase: <again>
ID user skey is otp-md5 100 host12378
Next login password: CITE BREW IDLE CAIN ROD DOME
$ otp-md5 -n 3 100 host12378
Enter secret passphrase: <type your passphrase here>
98: WERE TUG EDDY GEAR GILL TEE
99: NEAR HA TILT FIN LONG SNOW
100: CITE BREW IDLE CAIN ROD DOME

The one-time password for the next login will have sequence number 99.

skey disabled
/etc/skey does not exist or is not accessible by the user. The superuser may enable skeyinit via the -E flag.

skey(1), skeyaudit(1), skeyinfo(1), skey(5), skeyprune(8)

Phil Karn
Neil M. Haller
John S. Walden
Scott Chasin
Todd Miller

March 31, 2022 OpenBSD-current