xref: /openbsd/usr.sbin/tokeninit/tokeninit.8 (revision d415bd75)
.\" $OpenBSD: tokeninit.8,v 1.14 2022/02/19 10:17:39 jsg Exp $
.\"
.\" Copyright (c) 1995 Migration Associates Corporation. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"	This product includes software developed by Berkeley Software Design,
.\"	Inc.
.\" 4. The name of Berkeley Software Design, Inc.  may not be used to endorse
.\"    or promote products derived from this software without specific prior
.\"    written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"	BSDI $From: tokeninit.8,v 1.3 1997/01/16 03:23:11 bostic Exp $
.\"
.Dd $Mdocdate: February 19 2022 $
.Dt TOKENINIT 8
.Os
.Sh NAME
.Nm activinit ,
.Nm cryptoinit ,
.Nm snkinit
.Nd modify or add user in ActivCard, CRYPTOCard, or SNK-004 authentication system
.Sh SYNOPSIS
.Nm tokeninit
.Op Fl fhsv
.Op Fl m Ar mode
.Ar user ...
.Sh DESCRIPTION
The
.Nm tokeninit
utility may also be invoked by one of the following names:
.Nm activinit ,
.Nm cryptoinit ,
or
.Nm snkinit .
Depending on the name it was invoked as, it
initializes the system information that allows a user to log in with an
ActivCard, CRYPTOCard, or SNK-004 digital encryption token.
The
.Nm tokeninit
utility is intended for use by the system administrator.
.Pp
Token card systems provide strong user authentication by combining
something the user knows (a Personal Identification Number) with a
physical object (the token) which the user must have in their possession
to log in.
The system administrator programs the token with a secret encryption key
which is also stored in the database.
The user programs the token with a PIN.
To discourage exhaustive attempts to guess the PIN,
configuration options permit the token to be programmed
to erase knowledge of the shared secret should the user enter
an excessive number of incorrect PIN entries.
.Pp
The user activates the token by entering their PIN into the token.
After activating the token, the user enters a random number challenge
presented by the host computer into the token.
The challenge is encrypted by the token and a response is displayed.
The user then enters the response at the host computer's prompt,
where it is compared with the anticipated response.
.Pp
Token cards typically support multiple unique encryption keys.
This facility allows a single token to be used for multiple computer
systems, or for multiple user instances on the same system.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl f
Force reinitialization of an existing account.
The current shared secret stored in the database will be replaced with
a new shared secret.
The new shared secret must be entered into the token,
replacing the current one.
.It Fl h
Read the shared secret as a 16 digit hexadecimal integer rather than
a sequence of 8 octets.
This is not supported when invoked as
.Nm snkinit .
.It Fl m Ar mode
Specify the input modes allowed for this user.
Possible modes are decimal (dec), hexadecimal (hex), phonebook (phone),
and reduced-input (rim).
Not all modes are available for all types of cards.
Multiple
.Fl m
options may be specified to enable multiple modes.
By default only the hexadecimal mode is enabled, except for the SNK-004
token, which by default only enables the decimal mode.
If an attempt is made to initialize a card with only reduced-input, the
default mode for the card is silently included.
.It Fl s
By default,
.Nm tokeninit
prompts for a shared secret to enter into the authentication database.
The
.Fl s
option instead generates a 64-bit cryptographically strong key for use in
the token.
This shared secret will be saved in the database for the user ID
specified on the command line.
After entering the shared secret into the token, verify that the
checksum computed by the token matches the one displayed by
.Nm tokeninit .
.It Fl v
Enable verbose mode.
.Nm tokeninit
will emit messages on the status of each user ID processed.
.El
.Sh REDUCED-INPUT MODE
Reduced-input mode allows the token to predict the next challenge,
given the current challenge.
This may be used to eliminate the need to enter the challenge into the
token, or may also be used with a paper list.
Using a program such as
.Xr x99token 1 ,
many challenges could be precomputed and printed.
This list should be kept secret.
This list can then take the place of an actual token until
the system has issued all the challenges printed.
Challenges are predicted by the following algorithm:
.Bd -unfilled -offset indent
* Encrypt the last challenge with the shared secret key

* AND each byte of the response with 0x0f

* Modulo each byte by 10 (0x0a)

* ADD 0x30 (ASCII value of '0') to each byte
.Ed
.Pp
The resulting 8 bytes are all ASCII decimal digits and are the next challenge.
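The host side of the challenge/response login described in the DESCRIPTION
and the four-step challenge prediction listed above, as an added example in
Python that is not part of tokeninit, x99token, or the OpenBSD source.
The page does not name the cipher the cards use, so demo_encrypt is a
stand-in that derives 8 bytes from the 8-octet shared secret with
HMAC-SHA256; it also assumes the token shows its response as 16 hexadecimal
digits, which the page does not state.
Everything else follows the steps printed above.

```python
import hashlib
import hmac
import secrets
import string


def demo_encrypt(secret: bytes, challenge: bytes) -> bytes:
    """Stand-in for the token's encryption of the 8-byte challenge
    (assumption: the real cards' cipher is not named on this page).
    HMAC-SHA256 truncated to 8 bytes keeps the chain deterministic for a
    given shared secret; swap in the card's cipher to match real output."""
    if len(secret) != 8 or len(challenge) != 8:
        raise ValueError("shared secret and challenge are both 8 octets")
    return hmac.new(secret, challenge, hashlib.sha256).digest()[:8]


def next_challenge(encrypted: bytes) -> bytes:
    """Reduced-input step from the manual: AND each byte with 0x0f,
    reduce modulo 10, add 0x30 so every byte is an ASCII decimal digit."""
    if len(encrypted) != 8:
        raise ValueError("expected the 8 encrypted bytes")
    return bytes(((b & 0x0f) % 10) + 0x30 for b in encrypted)


def precompute_challenges(secret: bytes, first: bytes, count: int) -> list:
    """Chain count challenges starting from first, the way a paper list
    would be printed.  Each entry is an 8-digit ASCII byte string."""
    if count < 1:
        raise ValueError("count must be positive")
    chain = [first]
    while len(chain) < count:
        chain.append(next_challenge(demo_encrypt(secret, chain[-1])))
    return chain


def random_challenge() -> bytes:
    """Host side: an 8-digit decimal challenge drawn from the CSPRNG."""
    return "".join(secrets.choice(string.digits) for _ in range(8)).encode()


def expected_response(secret: bytes, challenge: bytes) -> str:
    """Assumed display format: the 8 encrypted bytes as 16 hex digits.
    The page says only that the host compares the typed response with
    the anticipated one, not how the card renders it."""
    return demo_encrypt(secret, challenge).hex()


def verify_response(secret: bytes, challenge: bytes, typed: str) -> bool:
    """Constant-time comparison so a wrong digit does not leak by timing."""
    if not typed.isascii():
        return False
    return hmac.compare_digest(expected_response(secret, challenge),
                               typed.strip().lower())


def digit_bias() -> dict:
    """How often each digit comes out of the reduction step: the 16 nibble
    values 0x0..0xf are folded onto 10 digits, so 0..5 each arise from two
    nibbles and 6..9 from one."""
    counts = {chr(0x30 + d): 0 for d in range(10)}
    for nibble in range(16):
        counts[chr((nibble % 10) + 0x30)] += 1
    return counts


if __name__ == "__main__":
    secret = bytes.fromhex("0123456789abcdef")  # constructed 64-bit secret
    c = random_challenge()
    print("challenge:", c.decode(), "expected:", expected_response(secret, c))
    for n, ch in enumerate(precompute_challenges(secret, b"12345678", 5), 1):
        print(f"{n}: {ch.decode()}")
    print("digit frequencies from the reduction:", digit_bias())
```

digit_bias makes a caveat of the printed algorithm visible: because
(b & 0x0f) % 10 folds sixteen nibble values onto ten digits, a predicted
challenge contains the digits 0 through 5 twice as often as 6 through 9,
so reduced-input challenges are less uniform than the random challenge a
host issues in the normal modes.
This is one more reason the precomputed list must be kept secret, as the
page says.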
.Sh FILES
.Bl -tag -width xetcxcrypto.db -compact
.It Pa /etc/activ.db
database of information for ActivCard system
.It Pa /etc/crypto.db
database of information for CRYPTOCard system
.It Pa /etc/snk.db
database of information for SNK-004 system
.El
.Sh DIAGNOSTICS
Diagnostic messages are logged via
.Xr syslog 3
with the LOG_AUTH facility.
.Sh SEE ALSO
.Xr x99token 1 ,
.Xr syslog 3 ,
.Xr login_token 8 ,
.Xr tokenadm 8
.Sh AUTHORS
.An Jack Flory Aq Mt jpf@mig.com
.Sh BUGS
Not all modes of all cards are supported.
172