1.\" $OpenBSD: skeyinit.1,v 1.35 2011/04/23 10:14:59 sobrado Exp $ 2.\" $NetBSD: skeyinit.1,v 1.4 1995/07/07 22:24:09 jtc Exp $ 3.\" @(#)skeyinit.1 1.1 10/28/93 4.\" 5.Dd $Mdocdate: April 23 2011 $ 6.Dt SKEYINIT 1 7.Os 8.Sh NAME 9.Nm skeyinit 10.Nd change password or add user to S/Key authentication system 11.Sh SYNOPSIS 12.Nm skeyinit 13.Bk -words 14.Op Fl CDErsx 15.Op Fl a Ar auth-type 16.Op Fl n Ar count 17.Op Fl md4 | md5 | rmd160 | sha1 18.Op Ar user 19.Ek 20.Sh DESCRIPTION 21.Nm 22initializes the system so you can use S/Key one-time passwords to log in. 23The program will ask you to enter a secret passphrase which is used by 24.Xr skey 1 25to generate one-time passwords: 26enter a phrase of several words in response. 27After the S/Key database 28has been updated you can log in using either your regular password 29or using S/Key one-time passwords. 30.Pp 31.Nm 32requires you to type a secret passphrase, so it should be used 33only on a secure terminal. 34For example, on the console of a 35workstation or over an encrypted network session. 36If you are using 37.Nm 38while logged in over an untrusted network, follow the instructions 39given below with the 40.Fl s 41option. 42.Pp 43Before initializing an S/Key entry, the user must authenticate 44using either a standard password or an S/Key challenge. 45To use a one-time password for initial authentication, 46.Ic skeyinit -a skey 47can be used. 48The user will then be presented with the standard 49S/Key challenge and allowed to proceed if it is correct. 50.Pp 51.Nm 52prints a sequence number and a one-time password. 53This password can't be used to log in; one-time passwords should be 54generated using 55.Xr skey 1 56first. 57The one-time password printed by 58.Nm 59can be used to verify if the right passphrase has been given to 60.Xr skey 1 . 61The one-time password with the corresponding sequence number printed by 62.Xr skey 1 63should match the one printed by 64.Nm . 
65.Pp 66The options are as follows: 67.Bl -tag -width Ds 68.It Fl a Ar auth-type 69Before an S/Key entry can be initialised, 70the user must authenticate themselves to the system. 71This option allows the authentication type to be specified, such as 72.Dq krb5 , 73.Dq passwd , 74or 75.Dq skey . 76.It Fl C 77Converts from the old-style 78.Pa /etc/skeykeys 79database to a new-style database where user records are stored in the 80.Pa /etc/skey 81directory. 82If an entry already exists in the new-style database it will not 83be overwritten. 84.It Fl D 85Disables access to the S/Key database. 86Only the superuser may use the 87.Fl D 88option. 89.It Fl E 90Enables access to the S/Key database. 91Only the superuser may use the 92.Fl E 93option. 94.It Fl md4 | md5 | rmd160 | sha1 95Selects the hash algorithm: 96MD4, MD5, RMD-160 (160-bit Ripe Message Digest), 97or SHA1 (NIST Secure Hash Algorithm Revision 1). 98.It Fl n Ar count 99Start the 100.Nm skey 101sequence at 102.Ar count 103(default is 100). 104.It Fl r 105Removes the user's S/Key entry. 106.It Fl s 107Secure mode. 108The user is expected to have already used a secure 109machine to generate the first one-time password. 110Without the 111.Fl s 112option the system will assume you are directly connected over secure 113communications and prompt you for your secret passphrase. 114The 115.Fl s 116option also allows one to set the seed and count for complete 117control of the parameters. 118.Pp 119When the 120.Fl s 121option is specified, 122.Nm 123will try to authenticate the user via S/Key, instead of the default listed in 124.Pa /etc/login.conf . 125If a user has no entry in the S/Key database, an alternate authentication 126type must be specified via the 127.Fl a 128option 129(see above). 130Please note that entering a password or passphrase in plain text 131defeats the purpose of using 132.Dq secure 133mode. 
134.Pp 135You can use 136.Ic skeyinit -s 137in combination with the 138.Nm skey 139command to set the seed and count if you do not like the defaults. 140To do this run 141.Ic skeyinit -s 142in one window and put in your count and seed, then run 143.Xr skey 1 144in another window to generate the correct 6 English words for that 145count and seed. 146You can then "cut-and-paste" or type the words into the 147.Nm 148window. 149.It Fl x 150Displays one-time passwords in hexadecimal instead of ASCII. 151.It Ar user 152The username to be changed/added. 153By default the current user is operated on. 154.El 155.Sh FILES 156.Bl -tag -width /etc/login.conf -compact 157.It Pa /etc/login.conf 158file containing authentication types 159.It Pa /etc/skey 160directory containing user entries for S/Key 161.El 162.Sh EXAMPLES 163.Bd -literal 164$ skeyinit 165Reminder - Only use this method if you are directly connected 166 or have an encrypted channel. If you are using telnet, 167 hit return now and use skeyinit -s. 168Password: \*(Ltenter your regular password here\*(Gt 169[Updating user with md5] 170Old seed: [md5] host12377 171Enter new secret passphrase: \*(Lttype a new passphrase here\*(Gt 172Again secret passphrase: \*(Ltagain\*(Gt 173ID user skey is otp-md5 100 host12378 174Next login password: CITE BREW IDLE CAIN ROD DOME 175$ otp-md5 -n 3 100 host12378 176Reminder - Do not use this program while logged in via telnet. 177Enter secret passphrase: \*(Lttype your passphrase here\*(Gt 17898: WERE TUG EDDY GEAR GILL TEE 17999: NEAR HA TILT FIN LONG SNOW 180100: CITE BREW IDLE CAIN ROD DOME 181.Ed 182.Pp 183The one-time password for the next login will have sequence number 99. 184.Sh ERRORS 185.Bl -tag -compact -width "skey disabled" 186.It "skey disabled" 187.Pa /etc/skey 188does not exist or is not accessible by the user. 189The superuser may enable 190.Nm 191via the 192.Fl E 193flag. 
194.El 195.Sh SEE ALSO 196.Xr skey 1 , 197.Xr skeyaudit 1 , 198.Xr skeyinfo 1 , 199.Xr skey 5 , 200.Xr skeyprune 8 201.Sh AUTHORS 202Phil Karn, Neil M. Haller, John S. Walden, Scott Chasin, Todd Miller 203
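The following Python program is an added illustration of the session shown in the EXAMPLES section and of the -s procedure (skey in one window, skeyinit -s in the other); it is not OpenBSD's skey code. It implements the MD5 variant of the RFC 2289 one-time password computation that skeyinit and otp-md5 share, prints the same three passwords `otp-md5 -n 3 100 host12378` would in the -x hexadecimal form, and models the server-side record and check that make sequence number 99 the next usable password and refuse a replay of it. The MD4, RIPEMD-160 and SHA1 variants fold their digests differently and are not covered, and the six-word encoding needs the 2048-word RFC 2289 dictionary, so only hexadecimal is shown. The passphrase, the `SkeyEntry` class and its field names are constructed for the example; the RFC 2289 Appendix C test vector (pass phrase "This is a test.", seed "TeSt") confirms the folding and the lowercasing of the seed. Note the security property this relies on: each password is only 64 bits and is derived by repeated hashing, so the server stores password n and verifies password n-1 by hashing it once, and never learns the passphrase.

```python
import hashlib
import hmac


def fold_md5(data: bytes) -> bytes:
    """MD5 `data` and fold the 128-bit digest to 64 bits by XORing its first
    eight bytes with its last eight (RFC 2289, section 6)."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """One-time password number `count` for this passphrase and seed.

    Password 0 is fold(MD5(seed || passphrase)); each later number is one more
    fold of the previous one, so a higher sequence number means MORE hashing and
    the server can check password n-1 by hashing it once and comparing with its
    stored password n.  The seed is case-insensitive and is lowercased before
    hashing; the passphrase is used verbatim.
    """
    if count < 0:
        raise ValueError("sequence number must not be negative")
    key = fold_md5(seed.lower().encode("ascii") + passphrase.encode("ascii"))
    for _ in range(count):
        key = fold_md5(key)
    return key


def to_hex(key: bytes) -> str:
    """The -x display form: 16 hex digits in four groups, e.g. '9E87 6134 D904 99DD'."""
    h = key.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def sequence(passphrase: str, seed: str, count: int, n: int) -> list[tuple[int, bytes]]:
    """What `otp-md5 -n n count seed` prints: the n passwords ending at `count`,
    computed in one pass along the chain instead of restarting for each one."""
    first = count - n + 1
    if n < 1 or first < 0:
        raise ValueError("bad -n value for this sequence number")
    key = fold_md5(seed.lower().encode("ascii") + passphrase.encode("ascii"))
    out = []
    for k in range(count + 1):  # at the top of the loop, key is password k
        if k >= first:
            out.append((k, key))
        key = fold_md5(key)
    return out


class SkeyEntry:
    """Server-side record like the one kept in /etc/skey/<user> (field names are
    this example's own): the sequence number and seed of the last accepted
    password, and that password itself.  The passphrase is never stored or sent."""

    def __init__(self, seed: str, count: int, key: bytes):
        self.seed, self.count, self.key = seed, count, key

    def challenge(self) -> str:
        """The challenge shown at login: the NEXT number to be used is count-1."""
        return f"otp-md5 {self.count - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        """Accept `response` as password count-1 if one fold of it reproduces the
        stored password; on success roll the entry forward so the same response
        is refused if replayed.  Constant-time compare, as for any secret."""
        if self.count < 1 or not hmac.compare_digest(fold_md5(response), self.key):
            return False
        self.key, self.count = response, self.count - 1
        return True


def skeyinit(passphrase: str, seed: str, count: int = 100) -> SkeyEntry:
    """What skeyinit does once it has the passphrase: compute password `count`,
    store it, and print it as the 'Next login password' cross-check line."""
    return SkeyEntry(seed, count, otp_md5(passphrase, seed, count))


if __name__ == "__main__":
    # Constructed values standing in for the man page's example session.
    passphrase, seed = "correct horse battery staple", "host12378"
    entry = skeyinit(passphrase, seed, 100)
    print(f"ID user skey is otp-md5 {entry.count} {entry.seed}")
    print("Next login password:", to_hex(entry.key))
    for k, key in sequence(passphrase, seed, 100, 3):  # otp-md5 -x -n 3 100 host12378
        print(f"{k}: {to_hex(key)}")
    # The cross-check the man page describes: skey's password 100 equals skeyinit's.
    assert sequence(passphrase, seed, 100, 1)[0][1] == entry.key
    print("challenge:", entry.challenge())  # otp-md5 99 host12378
    print("login with 99:", entry.verify(otp_md5(passphrase, seed, 99)))  # True
    print("replay of 99:", entry.verify(otp_md5(passphrase, seed, 99)))  # False
    print("RFC 2289 vector:", to_hex(otp_md5("This is a test.", "TeSt", 0)))
```

Run it with no arguments to see the transcript; the same `otp_md5` call is what the trusted machine computes in the -s procedure, with whatever seed and count you typed into the skeyinit -s window.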