Edit

IABSD.fr/src/usr.bin/skeyinit/skeyinit.1

Branch :

  • Show log

    Commit

  • Author : naddy
    Date : 2022-03-31 17:27:13
    Hash : 41ce3b17
    Message : man pages: add missing commas between subordinate and main clauses jmc@ dislikes a comma before "then" in a conditional, so leave those untouched. ok jmc@

  • usr.bin/skeyinit/skeyinit.1
  • .\"	$OpenBSD: skeyinit.1,v 1.43 2022/03/31 17:27:27 naddy Exp $
    .\"	$NetBSD: skeyinit.1,v 1.4 1995/07/07 22:24:09 jtc Exp $
    .\"	@(#)skeyinit.1	1.1 	10/28/93
    .\"
    .Dd $Mdocdate: March 31 2022 $
    .Dt SKEYINIT 1
    .Os
    .Sh NAME
    .Nm skeyinit
    .Nd change password or add user to S/Key authentication system
    .Sh SYNOPSIS
    .Nm skeyinit
    .Bk -words
    .Op Fl DErsx
    .Op Fl a Ar auth-type
    .Op Fl n Ar count
    .Op Fl md5 | rmd160 | sha1
    .Op Ar user
    .Ek
    .Sh DESCRIPTION
    .Nm
    initializes the system so you can use S/Key one-time passwords to log in.
    The program will ask you to enter a secret passphrase which is used by
    .Xr skey 1
    to generate one-time passwords:
    enter a phrase of several words in response.
    After the S/Key database
    has been updated, you can log in using either your regular password
    or using S/Key one-time passwords.
    .Pp
    .Nm
    requires you to type a secret passphrase, so it should be used
    only on a secure terminal.
    For example, on the console of a
    workstation or over an encrypted network session.
    If you are using
    .Nm
    while logged in over an untrusted network, follow the instructions
    given below with the
    .Fl s
    option.
    .Pp
    Before initializing an S/Key entry, the user must authenticate
    using either a standard password or an S/Key challenge.
    To use a one-time password for initial authentication,
    .Ic skeyinit -a skey
    can be used.
    The user will then be presented with the standard
    S/Key challenge and allowed to proceed if it is correct.
    .Pp
    .Nm
    prints a sequence number and a one-time password.
    This password can't be used to log in; one-time passwords should be
    generated using
    .Xr skey 1
    first.
    The one-time password printed by
    .Nm
    can be used to verify if the right passphrase has been given to
    .Xr skey 1 .
    The one-time password with the corresponding sequence number printed by
    .Xr skey 1
    should match the one printed by
    .Nm .
    .Pp
    The options are as follows:
    .Bl -tag -width Ds
    .It Fl a Ar auth-type
    Before an S/Key entry can be initialised,
    the user must authenticate themselves to the system.
    This option allows the authentication type to be specified, such as
    .Dq passwd
    or
    .Dq skey .
    .It Fl D
    Disables access to the S/Key database.
    Only the superuser may use the
    .Fl D
    option.
    .It Fl E
    Enables access to the S/Key database.
    Only the superuser may use the
    .Fl E
    option.
    .It Fl md5 | rmd160 | sha1
    Selects the hash algorithm:
    MD5, RMD-160 (160-bit Ripe Message Digest),
    or SHA1 (NIST Secure Hash Algorithm Revision 1).
    .It Fl n Ar count
    Start the
    .Nm skey
    sequence at
    .Ar count
    (default is 100).
    .It Fl r
    Removes the user's S/Key entry.
    .It Fl s
    Secure mode.
    The user is expected to have already used a secure
    machine to generate the first one-time password.
    Without the
    .Fl s
    option the system will assume you are directly connected over secure
    communications and prompt you for your secret passphrase.
    The
    .Fl s
    option also allows one to set the seed and count for complete
    control of the parameters.
    .Pp
    When the
    .Fl s
    option is specified,
    .Nm
    will try to authenticate the user via S/Key, instead of the default listed in
    .Pa /etc/login.conf .
    If a user has no entry in the S/Key database, an alternate authentication
    type must be specified via the
    .Fl a
    option
    (see above).
    Entering a password or passphrase in plain text
    defeats the purpose of using
    .Dq secure
    mode.
    .Pp
    You can use
    .Ic skeyinit -s
    in combination with the
    .Nm skey
    command to set the seed and count if you do not like the defaults.
    To do this run
    .Ic skeyinit -s
    in one window and put in your count and seed, then run
    .Xr skey 1
    in another window to generate the correct 6 English words for that
    count and seed.
    You can then "cut-and-paste" or type the words into the
    .Nm
    window.
    .It Fl x
    Displays one-time passwords in hexadecimal instead of ASCII.
    .It Ar user
    The username to be changed/added.
    By default the current user is operated on.
    .El
    .Sh FILES
    .Bl -tag -width /etc/login.conf -compact
    .It Pa /etc/login.conf
    file containing authentication types
    .It Pa /etc/skey
    directory containing user entries for S/Key
    .El
    .Sh EXAMPLES
    .Bd -literal
    $ skeyinit
    Password: \*(Ltenter your regular password here\*(Gt
    [Updating user with md5]
    Old seed: [md5] host12377
    Enter new secret passphrase: \*(Lttype a new passphrase here\*(Gt
    Again secret passphrase: \*(Ltagain\*(Gt
    ID user skey is otp-md5 100 host12378
    Next login password: CITE BREW IDLE CAIN ROD DOME
    $ otp-md5 -n 3 100 host12378
    Enter secret passphrase: \*(Lttype your passphrase here\*(Gt
    98: WERE TUG EDDY GEAR GILL TEE
    99: NEAR HA TILT FIN LONG SNOW
    100: CITE BREW IDLE CAIN ROD DOME
    .Ed
    .Pp
    The one-time password for the next login will have sequence number 99.
    .Sh DIAGNOSTICS
    .Bl -tag -compact -width "skey disabled"
    .It "skey disabled"
    .Pa /etc/skey
    does not exist or is not accessible by the user.
    The superuser may enable
    .Nm
    via the
    .Fl E
    flag.
    .El
    .Sh SEE ALSO
    .Xr skey 1 ,
    .Xr skeyaudit 1 ,
    .Xr skeyinfo 1 ,
    .Xr skey 5 ,
    .Xr skeyprune 8
    .Sh AUTHORS
    .An Phil Karn
    .An Neil M. Haller
    .An John S. Walden
    .An Scott Chasin
    .An Todd Miller