SKEYINIT(1)

NAME

     skeyinit - change password or add user to S/Key authentication system

SYNOPSIS

     skeyinit [-r] [-s] [-x] [-C] [-D] [-E] [-a auth-type] [-n count]
              [-md4 | -md5 | -sha1 | -rmd160] [user]

DESCRIPTION

     skeyinit initializes the system so you can use S/Key one-time passwords
     to log in.  The program will ask you to enter a secret passphrase which
     is used by skey(1) to generate one-time passwords; enter a phrase of
     several words in response.  After the S/Key database has been updated
     you can log in using either your regular password or using S/Key
     one-time passwords.

     skeyinit requires you to type a secret passphrase, so it should be used
     only on a secure terminal.  For example, on the console of a workstation
     or over an encrypted network session.  If you are using skeyinit while
     logged in over an untrusted network, follow the instructions given below
     with the -s option.

     Before initializing an S/Key entry, the user must authenticate using
     either a standard password or an S/Key challenge.  To use a one-time
     password for initial authentication, the ``-a skey'' option can be used.
     The user will then be presented with the standard S/Key challenge and
     allowed to proceed if it is correct.

     skeyinit prints a sequence number and a one-time password.  This password
     can not be used to log in; one-time passwords should be generated using
     skey(1) first.  The one-time password printed by skeyinit can be used to
     verify if the right passphrase has been given to skey(1).  The one-time
     password with the corresponding sequence number printed by skey(1) should
     match the one printed by skeyinit.

     The options are as follows:

     -C      Converts from the old-style /etc/skeykeys database to a
             new-style database where user records are stored in the
             /etc/skey directory.  If an entry already exists in the
             new-style database it will not be overwritten.

     -D      Disables access to the S/Key database.  Only the superuser may
             use the -D option.

     -E      Enables access to the S/Key database.  Only the superuser may
             use the -E option.

     -r      Removes the user's S/Key entry.

     -s      Set secure mode where the user is expected to have used a secure
             machine to generate the first one-time password.  Without the -s
             option the system will assume you are directly connected over
             secure communications and prompt you for your secret passphrase.
             The -s option also allows one to set the seed and count for
             complete control of the parameters.  You can use skeyinit -s in
             combination with the skey command to set the seed and count if
             you do not like the defaults.  To do this run skeyinit in one
             window and put in your count and seed, then run skey in another
             window to generate the correct 6 English words for that count
             and seed.  You can then "cut-and-paste" or type the words into
             the skeyinit window.  When the -s option is specified, skeyinit
             will try to authenticate the user via S/Key, instead of the
             default listed in /etc/login.conf.  If a user has no entry in
             the S/Key database, an alternate authentication type must be
             specified via the -a option.  Please note that entering a
             password or passphrase in plain text defeats the purpose of
             using ``secure'' mode.

     -x      Displays one-time password in hexadecimal instead of ASCII.

     -a auth-type
             Specify an authentication type such as ``krb5'', ``passwd'' or
             ``skey''.

     -n count
             Start the skey sequence at count (default is 100).

     -md4    Selects MD4 as the hash algorithm.

     -md5    Selects MD5 as the hash algorithm.

     -sha1   Selects SHA (NIST Secure Hash Algorithm Revision 1) as the hash
             algorithm.

     -rmd160
             Selects RMD-160 (160 bit Ripe Message Digest) as the hash
             algorithm.

     user    The username to be changed/added.  By default the current user
             is operated on.

FILES

     /etc/login.conf  file containing authentication types
     /etc/skey        directory containing user entries for S/Key

EXAMPLES

     $ skeyinit
     Reminder - Only use this method if you are directly connected
                or have an encrypted channel.  If you are using telnet,
                hit return now and use skeyinit -s.
     Password: <enter your regular password here>
     [Updating user with md5]
     Old seed: [md5] host12377
     Enter new secret passphrase: <type a new passphrase here>
     Again secret passphrase: <again>
     ID user skey is otp-md5 100 host12378
     Next login password: CITE BREW IDLE CAIN ROD DOME
     $ otp-md5 -n 3 100 host12378
     Reminder - Do not use this program while logged in via telnet.
     Enter secret passphrase: <type your passphrase here>
     98: WERE TUG EDDY GEAR GILL TEE
     99: NEAR HA TILT FIN LONG SNOW
     100: CITE BREW IDLE CAIN ROD DOME

     The one-time password for the next login will have sequence number 99.
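
     Why the sequence number counts down, and why the password printed by
     skeyinit cannot itself be used to log in, shown as an added example
     that is not part of the original manual or of the OpenBSD source.  It
     follows the MD5 one-time password scheme of RFC 2289 with hexadecimal
     output as with -x; the Entry class and the passphrase are constructed
     for illustration and do not reflect the /etc/skey file format.

```python
import hashlib

def fold_md5(data: bytes) -> bytes:
    """MD5 the input, then XOR the two 8-byte halves down to 64 bits."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp(passphrase: str, seed: str, count: int) -> bytes:
    """One-time password number `count`: hash seed+passphrase, then
    re-hash the result `count` more times (RFC 2289, seed lowercased)."""
    value = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(count):
        value = fold_md5(value)
    return value

class Entry:
    """Hypothetical per-user record: seed, current count, last accepted OTP."""
    def __init__(self, seed: str, count: int, last_otp: bytes):
        self.seed, self.count, self.last = seed, count, last_otp

    def challenge(self) -> str:
        # The server asks for the password one step *below* the stored one.
        return f"otp-md5 {self.count - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        # A valid response, hashed once more, reproduces the stored value.
        # The server never needs the passphrase, only the previous OTP.
        if self.count < 1 or fold_md5(response) != self.last:
            return False  # wrong value, replay, or (in this sketch) chain used up
        self.last, self.count = response, self.count - 1
        return True

def demo():
    secret, seed = "constructed sample passphrase", "host12378"
    # State right after skeyinit: password number 100 is stored.
    entry = Entry(seed, 100, otp(secret, seed, 100))
    results = [
        entry.verify(otp(secret, seed, 100)),  # the value skeyinit printed
        entry.verify(otp(secret, seed, 99)),   # first real login
        entry.verify(otp(secret, seed, 99)),   # same password replayed
        entry.verify(otp(secret, seed, 98)),   # next login
    ]
    return results, entry.challenge()

if __name__ == "__main__":
    print(demo())
```

     An eavesdropper who captures password 99 can compute 100 from it but
     not 98, which is why each password is usable once and the count only
     decreases.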

ERRORS

     skey disabled  /etc/skey does not exist or is not accessible by the
                    user.  The superuser may enable skeyinit via the -E
                    flag.

SEE ALSO

     skey(1), skeyaudit(1), skeyinfo(1), skeyprune(8)

AUTHORS

     Phil Karn, Neil M. Haller, John S. Walden, Scott Chasin, Todd Miller

OpenBSD 3.6                     February 24, 1998