1.\" $OpenBSD: skeyinit.1,v 1.43 2022/03/31 17:27:27 naddy Exp $ 2.\" $NetBSD: skeyinit.1,v 1.4 1995/07/07 22:24:09 jtc Exp $ 3.\" @(#)skeyinit.1 1.1 10/28/93 4.\" 5.Dd $Mdocdate: March 31 2022 $ 6.Dt SKEYINIT 1 7.Os 8.Sh NAME 9.Nm skeyinit 10.Nd change password or add user to S/Key authentication system 11.Sh SYNOPSIS 12.Nm skeyinit 13.Bk -words 14.Op Fl DErsx 15.Op Fl a Ar auth-type 16.Op Fl n Ar count 17.Op Fl md5 | rmd160 | sha1 18.Op Ar user 19.Ek 20.Sh DESCRIPTION 21.Nm 22initializes the system so you can use S/Key one-time passwords to log in. 23The program will ask you to enter a secret passphrase which is used by 24.Xr skey 1 25to generate one-time passwords: 26enter a phrase of several words in response. 27After the S/Key database 28has been updated, you can log in using either your regular password 29or using S/Key one-time passwords. 30.Pp 31.Nm 32requires you to type a secret passphrase, so it should be used 33only on a secure terminal. 34For example, on the console of a 35workstation or over an encrypted network session. 36If you are using 37.Nm 38while logged in over an untrusted network, follow the instructions 39given below with the 40.Fl s 41option. 42.Pp 43Before initializing an S/Key entry, the user must authenticate 44using either a standard password or an S/Key challenge. 45To use a one-time password for initial authentication, 46.Ic skeyinit -a skey 47can be used. 48The user will then be presented with the standard 49S/Key challenge and allowed to proceed if it is correct. 50.Pp 51.Nm 52prints a sequence number and a one-time password. 53This password can't be used to log in; one-time passwords should be 54generated using 55.Xr skey 1 56first. 57The one-time password printed by 58.Nm 59can be used to verify if the right passphrase has been given to 60.Xr skey 1 . 61The one-time password with the corresponding sequence number printed by 62.Xr skey 1 63should match the one printed by 64.Nm . 
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl a Ar auth-type
Before an S/Key entry can be initialised,
the user must authenticate themselves to the system.
This option allows the authentication type to be specified, such as
.Dq passwd
or
.Dq skey .
.It Fl D
Disables access to the S/Key database.
Only the superuser may use the
.Fl D
option.
.It Fl E
Enables access to the S/Key database.
Only the superuser may use the
.Fl E
option.
.It Fl md5 | rmd160 | sha1
Selects the hash algorithm:
MD5, RMD-160 (160-bit Ripe Message Digest),
or SHA1 (NIST Secure Hash Algorithm Revision 1).
.It Fl n Ar count
Start the
.Nm skey
sequence at
.Ar count
(default is 100).
.It Fl r
Removes the user's S/Key entry.
.It Fl s
Secure mode.
The user is expected to have already used a secure
machine to generate the first one-time password.
Without the
.Fl s
option the system will assume you are directly connected over secure
communications and prompt you for your secret passphrase.
The
.Fl s
option also allows one to set the seed and count for complete
control of the parameters.
.Pp
When the
.Fl s
option is specified,
.Nm
will try to authenticate the user via S/Key, instead of the default listed in
.Pa /etc/login.conf .
If a user has no entry in the S/Key database, an alternate authentication
type must be specified via the
.Fl a
option
(see above).
Entering a password or passphrase in plain text
defeats the purpose of using
.Dq secure
mode.
.Pp
You can use
.Ic skeyinit -s
in combination with the
.Nm skey
command to set the seed and count if you do not like the defaults.
To do this run
.Ic skeyinit -s
in one window and put in your count and seed, then run
.Xr skey 1
in another window to generate the correct 6 English words for that
count and seed.
You can then
.Dq cut-and-paste
or type the words into the
.Nm
window.
.It Fl x
Displays one-time passwords in hexadecimal instead of ASCII.
.It Ar user
The username to be changed/added.
By default the current user is operated on.
.El
.Sh FILES
.Bl -tag -width /etc/login.conf -compact
.It Pa /etc/login.conf
file containing authentication types
.It Pa /etc/skey
directory containing user entries for S/Key
.El
.Sh EXAMPLES
.Bd -literal
$ skeyinit
Password: \*(Ltenter your regular password here\*(Gt
[Updating user with md5]
Old seed: [md5] host12377
Enter new secret passphrase: \*(Lttype a new passphrase here\*(Gt
Again secret passphrase: \*(Ltagain\*(Gt
ID user skey is otp-md5 100 host12378
Next login password: CITE BREW IDLE CAIN ROD DOME
$ otp-md5 -n 3 100 host12378
Enter secret passphrase: \*(Lttype your passphrase here\*(Gt
98: WERE TUG EDDY GEAR GILL TEE
99: NEAR HA TILT FIN LONG SNOW
100: CITE BREW IDLE CAIN ROD DOME
.Ed
.Pp
The one-time password for the next login will have sequence number 99.
.Sh DIAGNOSTICS
.Bl -tag -compact -width "skey disabled"
.It "skey disabled"
.Pa /etc/skey
does not exist or is not accessible by the user.
The superuser may enable
.Nm
via the
.Fl E
flag.
.El
.Sh SEE ALSO
.Xr skey 1 ,
.Xr skeyaudit 1 ,
.Xr skeyinfo 1 ,
.Xr skey 5 ,
.Xr skeyprune 8
.Sh AUTHORS
.An Phil Karn
.An Neil M. Haller
.An John S. Walden
.An Scott Chasin
.An Todd Miller
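The DESCRIPTION above says that the password skeyinit prints for sequence number 100 should match what skey(1) prints for 100, and the EXAMPLES session shows the next login using 99. The following Python model, added here as an illustration and not taken from OpenBSD's skey(1)/skeyinit(1) source, shows why: it implements the RFC 2289 MD5 hash chain (seed lowercased and concatenated with the passphrase, then repeated MD5-and-fold steps), generates the hex form of passwords 98..100 as `otp-md5 -n 3 100 host12378` would with the -x flag, and models the login-side check that the page only implies: the /etc/skey entry holds just the seed, the sequence number and the last accepted password, never the passphrase, and a login is accepted when one more chain step turns the submitted password into the stored one. The six-English-word form needs the 2048-word RFC 2289 dictionary and is omitted; the passphrase and login flow are constructed sample values.

```python
"""Worked model of the S/Key (RFC 2289) hash chain behind skeyinit(1) and
skey(1), MD5 variant.  Added example, not OpenBSD's skey source.  Only the
hexadecimal password form (what -x displays) is produced; the six-word
encoding is omitted.  Seed, passphrase and login flow are constructed."""
import hashlib


def fold_md5(data: bytes) -> bytes:
    """One chain step: MD5 the input and fold the 16-byte digest to 8 bytes
    by XORing the two halves (the MD5 folding rule of RFC 2289)."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def initial_key(seed: str, passphrase: str) -> bytes:
    """Initial step: the seed (case-insensitive, hence lowercased) is
    concatenated with the secret passphrase and hashed once (count 0)."""
    return fold_md5((seed.lower() + passphrase).encode())


def otp(seed: str, passphrase: str, count: int) -> bytes:
    """One-time password with sequence number `count`: the initial key pushed
    through the chain `count` times.  Stepping from N to N+1 is one hash;
    stepping back from N+1 to N would require inverting MD5."""
    key = initial_key(seed, passphrase)
    for _ in range(count):
        key = fold_md5(key)
    return key


def otp_hex(seed: str, passphrase: str, count: int) -> str:
    """Hexadecimal display form, as `skeyinit -x` / `otp-md5 -x` print it."""
    return otp(seed, passphrase, count).hex().upper()


def otp_list(seed: str, passphrase: str, last: int, n: int) -> dict:
    """What `otp-md5 -n N last seed` prints: sequence numbers last-N+1 .. last."""
    return {c: otp_hex(seed, passphrase, c) for c in range(last - n + 1, last + 1)}


class SkeyEntry:
    """Server-side state kept per user in /etc/skey: seed, sequence number of
    the last accepted password, and that password.  The passphrase is never
    stored; it exists only on the user's side."""

    def __init__(self, seed: str, count: int, last_otp: bytes):
        self.seed = seed
        self.count = count
        self.last = last_otp

    @classmethod
    def initialise(cls, seed: str, passphrase: str, count: int = 100):
        """What skeyinit does: derive password `count` and store only that."""
        return cls(seed, count, otp(seed, passphrase, count))

    def challenge(self) -> str:
        """The challenge shown at login, e.g. 'otp-md5 99 host12378'."""
        return f"otp-md5 {self.count - 1} {self.seed}"

    def verify(self, candidate: bytes) -> bool:
        """Accept `candidate` as password count-1 iff one more chain step turns
        it into the stored password.  On success the entry advances, so the
        same password cannot be replayed."""
        if self.count <= 0:
            return False                      # chain exhausted; re-run skeyinit
        if fold_md5(candidate) != self.last:
            return False
        self.last = candidate
        self.count -= 1
        return True


def demo() -> list:
    """Replays the EXAMPLES session with constructed values and returns the
    outcome of three login attempts: 99 (ok), 99 again (replay), 98 (ok)."""
    seed, phrase = "host12378", "constructed sample passphrase"
    entry = SkeyEntry.initialise(seed, phrase, 100)      # skeyinit
    user_side = otp_list(seed, phrase, 100, 3)           # otp-md5 -n 3 100 host12378
    if user_side[100] != entry.last.hex().upper():       # skeyinit's printed check value
        raise RuntimeError("passphrase mismatch between skey and skeyinit")
    results = []
    for seq in (99, 99, 98):
        results.append(entry.verify(bytes.fromhex(user_side[seq])))
    return results


if __name__ == "__main__":
    print(demo())
```

Because the entry only ever holds the current chain head, a stolen copy of /etc/skey does not yield the next password, and a password captured on the wire is useless once accepted; this is also why the -s mode can keep the passphrase off an untrusted session entirely.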