skeyinit - change password or add user to S/Key authentication system
skeyinit [-r] [-s] [-x] [-C] [-D] [-E] [-a auth-type] [-n
count] [-md4 |
-md5 | -sha1 | -rmd160] [user]
skeyinit initializes the system so you can use S/Key onetime passwords
to log in. The program will ask you to enter a secret
is used by skey(1) to generate one-time passwords; enter a
phrase of several
words in response. After the S/Key database has been
can log in using either your regular password or using S/Key
skeyinit requires you to type a secret passphrase, so it
should be used
only on a secure terminal. For example, on the console of a
or over an encrypted network session. If you are using
logged in over an untrusted network, follow the instructions
with the -s option.
Before initializing an S/Key entry, the user must authenticate using either
a standard password or an S/Key challenge. To use a
for initial authentication, the ``-a skey'' option can
be used. The
user will then be presented with the standard S/Key challenge and allowed
to proceed if it is correct.
skeyinit prints a sequence number and a one-time password.
can not be used to log in; one-time passwords should be generated using
skey(1) first. The one-time password printed by skeyinit
can be used to
verify if the right passphrase has been given to skey(1).
password with the corresponding sequence number printed by
match the one printed by skeyinit.
The options are as follows:
-C Converts from the old-style /etc/skeykeys database
to a new-style
database where user records are stored in the
If an entry already exists in the new-style
database it will
not be overwritten.
-D Disables access to the S/Key database. Only the superuser may
use the -D option.
-E Enables access to the S/Key database. Only the superuser may use
the -E option.
-r Removes the user's S/Key entry.
-s Set secure mode where the user is expected to have
used a secure
machine to generate the first one-time password.
Without the -s
option the system will assume you are directly connected over secure
communications and prompt you for your secret
The -s option also allows one to set the seed and
count for complete
control of the parameters. You can use
skeyinit -s in combination
with the skey command to set the seed and
count if you
do not like the defaults. To do this run skeyinit
in one window
and put in your count and seed, then run skey in another window
to generate the correct 6 English words for that
count and seed.
You can then "cut-and-paste" or type the words into
window. When the -s option is specified, skeyinit
will try to
authenticate the user via S/Key, instead of the default listed in
/etc/login.conf. If a user has no entry in the
an alternate authentication type must be specified
via the -a option.
Please note that entering a password or
plain text defeats the purpose of using ``secure''
-x Displays one-time password in hexadecimal instead of
Specify an authentication type such as ``krb5'',
Start the skey sequence at count (default is 100).
-md4 Selects MD4 as the hash algorithm.
-md5 Selects MD5 as the hash algorithm.
-sha1 Selects SHA (NIST Secure Hash Algorithm Revision 1)
as the hash
Selects RMD-160 (160 bit Ripe Message Digest) as the
user The username to be changed/added. By default the
current user is
/etc/login.conf file containing authentication types
/etc/skey directory containing user entries for S/Key
Reminder - Only use this method if you are directly connected
or have an encrypted channel. If you are using
hit return now and use skeyinit -s.
Password: <enter your regular password here>
[Updating user with md5]
Old seed: [md5] host12377
Enter new secret passphrase: <type a new passphrase here>
Again secret passphrase: <again>
ID user skey is otp-md5 100 host12378
Next login password: CITE BREW IDLE CAIN ROD DOME
$ otp-md5 -n 3 100 host12378
Reminder - Do not use this program while logged in via telnet.
Enter secret passphrase: <type your passphrase here>
98: WERE TUG EDDY GEAR GILL TEE
99: NEAR HA TILT FIN LONG SNOW
100: CITE BREW IDLE CAIN ROD DOME
The one-time password for the next login will have sequence
skey disabled /etc/skey does not exist or is not accessible
by the user.
The superuser may enable skeyinit via the -E
skey(1), skeyaudit(1), skeyinfo(1), skeyprune(8)
Phil Karn, Neil M. Haller, John S. Walden, Scott Chasin,
OpenBSD 3.6 February 24, 1998
[ Back ]