MirBSD manpage: skeyinit(1)

SKEYINIT(1)                  BSD Reference Manual                  SKEYINIT(1)


     skeyinit - change password or add user to S/Key authentication system


     skeyinit [-CDErsx] [-a auth-type] [-n count] [-md4 | -md5 | -rmd160 |
              -sha1] [user]


     skeyinit initializes the system so you can use S/Key one-time passwords
     to log in. The program will ask you to enter a secret passphrase which is
     used by skey(1) to generate one-time passwords; enter a phrase of several
     words in response. After the S/Key database has been updated you can log
     in using either your regular password or using S/Key one-time passwords.

     skeyinit requires you to type a secret passphrase, so it should be used
     only on a secure terminal. For example, on the console of a workstation
     or over an encrypted network session. If you are using skeyinit while
     logged in over an untrusted network, follow the instructions given below
     with the -s option.

     Before initializing an S/Key entry, the user must authenticate using ei-
     ther a standard password or an S/Key challenge. To use a one-time pass-
     word for initial authentication, the "-a skey" option can be used. The
     user will then be presented with the standard S/Key challenge and allowed
     to proceed if it is correct.

     skeyinit prints a sequence number and a one-time password. This password
     can't be used to log in; one-time passwords should be generated using
     skey(1) first. The one-time password printed by skeyinit can be used to
     verify if the right passphrase has been given to skey(1). The one-time
     password with the corresponding sequence number printed by skey(1) should
     match the one printed by skeyinit.

     The options are as follows:

     -a auth-type
             Specify an authentication type such as "krb5", "passwd", or

     -C      Converts from the old-style /etc/skeykeys database to a new-style
             database where user records are stored in the /etc/skey directo-
             ry. If an entry already exists in the new-style database it will
             not be overwritten.

     -D      Disables access to the S/Key database. Only the superuser may use
             the -D option.

     -E      Enables access to the S/Key database. Only the superuser may use
             the -E option.

     -md4 | -md5 | -rmd160 | -sha1
             Selects the hash algorithm: MD4, MD5, RMD-160 (160-bit Ripe Mes-
             sage Digest), or SHA1 (NIST Secure Hash Algorithm Revision 1).

     -n count
             Start the skey sequence at count (default is 100).

     -r      Removes the user's S/Key entry.

     -s      Set secure mode where the user is expected to have used a secure
             machine to generate the first one-time password. Without the -s
             option the system will assume you are directly connected over
             secure communications and prompt you for your secret passphrase.
             The -s option also allows one to set the seed and count for com-
             plete control of the parameters. You can use skeyinit -s in com-
             bination with the skey command to set the seed and count if you
             do not like the defaults. To do this run skeyinit in one window
             and put in your count and seed, then run skey in another window
             to generate the correct 6 English words for that count and seed.
             You can then "cut-and-paste" or type the words into the skeyinit
             window. When the -s option is specified, skeyinit will try to au-
             thenticate the user via S/Key, instead of the default listed in
             /etc/login.conf. If a user has no entry in the S/Key database, an
             alternate authentication type must be specified via the -a op-
             tion. Please note that entering a password or passphrase in plain
             text defeats the purpose of using "secure" mode.

     -x      Displays one-time passwords in hexadecimal instead of ASCII.

     user    The username to be changed/added. By default the current user is
             operated on.


     /etc/login.conf  file containing authentication types
     /etc/skey        directory containing user entries for S/Key


     $ skeyinit
     Reminder - Only use this method if you are directly connected
                or have an encrypted channel.  If you are using telnet,
                hit return now and use skeyinit -s.
     Password: <enter your regular password here>
     [Updating user with md5]
     Old seed: [md5] host12377
     Enter new secret passphrase: <type a new passphrase here>
     Again secret passphrase: <again>
     ID user skey is otp-md5 100 host12378
     Next login password: CITE BREW IDLE CAIN ROD DOME
     $ otp-md5 -n 3 100 host12378
     Reminder - Do not use this program while logged in via telnet.
     Enter secret passphrase: <type your passphrase here>

     The one-time password for the next login will have sequence number 99.


     skey disabled  /etc/skey does not exist or is not accessible by the user.
                    The superuser may enable skeyinit via the -E flag.


     skey(1), skeyaudit(1), skeyinfo(1), skey(5), skeyprune(8)


     Phil Karn, Neil M. Haller, John S. Walden, Scott Chasin, Todd Miller

MirBSD #10-current            February 24, 1998                              1

Generated on 2022-12-24 01:00:14 by $MirOS: src/scripts/roff2htm,v 1.113 2022/12/21 23:14:31 tg Exp $ — This product includes material provided by mirabilos.

These manual pages and other documentation are copyrighted by their respective writers; their sources are available at the project’s CVSweb, AnonCVS and other mirrors. The rest is Copyright © 2002–2022 MirBSD.

This manual page’s HTML representation is supposed to be valid XHTML/1.1; if not, please send a bug report — diffs preferred.

Kontakt / Impressum & Datenschutzerklärung