.\"	$OpenBSD: skeyinit.1,v 1.32 2005/07/14 19:27:18 jmc Exp $
.\"	$NetBSD: skeyinit.1,v 1.4 1995/07/07 22:24:09 jtc Exp $
.\"	@(#)skeyinit.1	1.1 	10/28/93
.\"
.Dd February 24, 1998
.Dt SKEYINIT 1
.Os
.Sh NAME
.Nm skeyinit
.Nd change password or add user to S/Key authentication system
.Sh SYNOPSIS
.Nm skeyinit
.Bk -words
.Op Fl CDErsx
.Op Fl a Ar auth-type
.Op Fl n Ar count
.Oo
.Fl md4 | md5 | rmd160 | sha1
.Oc
.Op Ar user
.Ek
.Sh DESCRIPTION
.Nm
initializes the system so you can use S/Key one-time passwords to log in.
The program will ask you to enter a secret passphrase which is used by
.Xr skey 1
to generate one-time passwords;
enter a phrase of several words in response.
After the S/Key database
has been updated you can log in using either your regular password
or using S/Key one-time passwords.
.Pp
.Nm
requires you to type a secret passphrase, so it should be used
only on a secure terminal, such as the console of a
workstation or an encrypted network session.
If you are using
.Nm
while logged in over an untrusted network, follow the instructions
given below with the
.Fl s
option.
.Pp
Before initializing an S/Key entry, the user must authenticate
using either a standard password or an S/Key challenge.
To use a one-time password for initial authentication, the
.Dq Fl a Li skey
option can be used.
The user will then be presented with the standard
S/Key challenge and allowed to proceed if it is correct.
.Pp
.Nm
prints a sequence number and a one-time password.
This password can't be used to log in; one-time passwords should be
generated using
.Xr skey 1
first.
The one-time password printed by
.Nm
can be used to verify that the right passphrase has been given to
.Xr skey 1 .
The one-time password with the corresponding sequence number printed by
.Xr skey 1
should match the one printed by
.Nm .
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl a Ar auth-type
Specify an authentication type such as
.Dq krb5 ,
.Dq passwd ,
or
.Dq skey .
.It Fl C
Converts from the old-style
.Pa /etc/skeykeys
database to a new-style database where user records are stored in the
.Pa /etc/skey
directory.
If an entry already exists in the new-style database it will not
be overwritten.
.It Fl D
Disables access to the S/Key database.
Only the superuser may use the
.Fl D
option.
.It Fl E
Enables access to the S/Key database.
Only the superuser may use the
.Fl E
option.
.It Fl md4 | md5 | rmd160 | sha1
Selects the hash algorithm:
MD4, MD5, RMD-160 (160-bit RIPE Message Digest),
or SHA1 (NIST Secure Hash Algorithm Revision 1).
.It Fl n Ar count
Start the
.Nm skey
sequence at
.Ar count
(default is 100).
.It Fl r
Removes the user's S/Key entry.
.It Fl s
Set secure mode where the user is expected to have used a secure
machine to generate the first one-time password.
Without the
.Fl s
option the system will assume you are directly connected over secure
communications and prompt you for your secret passphrase.
The
.Fl s
option also allows one to set the seed and count for complete
control of the parameters.
You can use
.Ic skeyinit -s
in combination with the
.Nm skey
command to set the seed and count if you do not like the defaults.
To do this run
.Nm
in one window and put in your count and seed, then run
.Nm skey
in another window to generate the correct 6 English words for that
count and seed.
You can then
.Dq cut-and-paste
or type the words into the
.Nm
window.
When the
.Fl s
option is specified,
.Nm
will try to authenticate the user via S/Key, instead of the default listed in
.Pa /etc/login.conf .
If a user has no entry in the S/Key database, an alternate authentication
type must be specified via the
.Fl a
option.
Please note that entering a password or passphrase in plain text
defeats the purpose of using
.Dq secure
mode.
.It Fl x
Displays one-time passwords in hexadecimal instead of as six English words.
.It Ar user
The username to be changed/added.
By default the current user is operated on.
.El
.Sh FILES
.Bl -tag -width /etc/login.conf -compact
.It Pa /etc/login.conf
file containing authentication types
.It Pa /etc/skey
directory containing user entries for S/Key
.El
.Sh EXAMPLES
.Bd -literal
$ skeyinit
Reminder - Only use this method if you are directly connected
           or have an encrypted channel.  If you are using telnet,
           hit return now and use skeyinit -s.
Password: \*(Ltenter your regular password here\*(Gt
[Updating user with md5]
Old seed: [md5] host12377
Enter new secret passphrase: \*(Lttype a new passphrase here\*(Gt
Again secret passphrase: \*(Ltagain\*(Gt
ID user skey is otp-md5 100 host12378
Next login password: CITE BREW IDLE CAIN ROD DOME
$ otp-md5 -n 3 100 host12378
Reminder - Do not use this program while logged in via telnet.
Enter secret passphrase: \*(Lttype your passphrase here\*(Gt
98: WERE TUG EDDY GEAR GILL TEE
99: NEAR HA TILT FIN LONG SNOW
100: CITE BREW IDLE CAIN ROD DOME
.Ed
.Pp
The one-time password for the next login will have sequence number 99.
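.Pp
The session above and the two-window
.Fl s
procedure from the DESCRIPTION, as an added example that is not part of this
manual page and not OpenBSD's libskey: a Python model of the otp-md5 computation
(RFC 2289: the lower-cased seed concatenated with the secret passphrase is hashed
and folded to 64 bits, then the one-way step is applied count times) together
with the check the system makes at login.
It shows why the sequence-100 password printed by skeyinit matches the last line
of otp-md5 -n 3 100, why that printed password is itself refused at login and
sequence 99 is needed instead, why an accepted password is not accepted a second
time, and why the cross-check between two windows fails when different
passphrases were typed.
The passphrase is a constructed sample, the seed host12378 is the one from the
example, and the six-word encoding is omitted in favour of the hexadecimal form
that
.Fl x
displays; RFC 2289 Appendix C lists test vectors against which otp_md5 can be
checked.

```python
import hashlib

# Added example (not OpenBSD's libskey): a model of the otp-md5 computation from
# RFC 2289 and of the server-side check it enables.  Six-word output is omitted
# (it needs the 2048-word RFC 2289 dictionary); values are shown in hex, as with -x.


def _fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 64 bits: first half XOR second half."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def _step(key: bytes) -> bytes:
    """One application of the one-way function f: MD5 of the 8-byte key, folded."""
    return _fold(hashlib.md5(key).digest())


def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """The otp-md5 one-time password at sequence number `count`.

    Initial step: the seed (case-folded to lower case) is concatenated with the
    secret passphrase, hashed and folded; f is then applied `count` more times.
    """
    if count < 0:
        raise ValueError("sequence number must be non-negative")
    buf = (seed.lower() + passphrase).encode()
    key = _fold(hashlib.md5(bytes(c & 0x7F for c in buf)).digest())  # keep 7-bit ASCII
    for _ in range(count):
        key = _step(key)
    return key


def otp_hex(key: bytes) -> str:
    """Hexadecimal form of a one-time password (what the -x option displays)."""
    return key.hex().upper()


class SkeyRecord:
    """What the S/Key database keeps for one user: sequence number, seed and the
    one-time password at that sequence number.  The passphrase is never stored."""

    def __init__(self, seq: int, seed: str, key: bytes) -> None:
        self.seq, self.seed, self.key = seq, seed, key


def skeyinit(passphrase: str, seed: str, count: int = 100) -> SkeyRecord:
    """Model of the record skeyinit writes: the OTP at `count` (default 100)."""
    return SkeyRecord(count, seed, otp_md5(passphrase, seed, count))


def skey_login(record: SkeyRecord, presented: bytes) -> bool:
    """Model of the check made at login: the user presents the OTP for seq-1, and
    applying f once to it must reproduce the stored value.  On success the record
    moves down one step, so the same password is never accepted twice."""
    if _step(presented) != record.key:
        return False
    record.seq -= 1
    record.key = presented
    return True


def demo() -> dict:
    """Walk through the manual page's session: skeyinit at 100, then otp-md5 -n 3 100."""
    passphrase = "correct horse battery staple"  # constructed sample passphrase
    seed = "host12378"                            # seed from the manual page example
    rec = skeyinit(passphrase, seed, 100)
    # What "otp-md5 -n 3 100 host12378" would print (in -x form) for 98, 99 and 100.
    window = {n: otp_hex(otp_md5(passphrase, seed, n)) for n in (98, 99, 100)}
    return {
        # Cross-check from DESCRIPTION: sequence 100 from skey matches skeyinit's.
        "seq100_matches": window[100] == otp_hex(rec.key),
        # A different passphrase typed into skey would not match.
        "wrong_passphrase_matches": otp_hex(otp_md5("typo", seed, 100)) == otp_hex(rec.key),
        # The password skeyinit printed (sequence 100) is refused at login ...
        "printed_password_accepted": skey_login(rec, otp_md5(passphrase, seed, 100)),
        # ... the next login needs 99; afterwards 99 is refused and 98 is next.
        "login_99": skey_login(rec, otp_md5(passphrase, seed, 99)),
        "replay_99": skey_login(rec, otp_md5(passphrase, seed, 99)),
        "login_98": skey_login(rec, otp_md5(passphrase, seed, 98)),
        "seq_after": rec.seq,
        "window": window,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The record only ever holds the password for the current sequence number, which
is why the value skeyinit prints is safe to show on the terminal: it is the
stored value, not a password that logs in, and the passphrase from which the
whole chain derives never leaves the machine where skey(1) was run.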
.Sh ERRORS
.Bl -tag -compact -width "skey disabled"
.It "skey disabled"
.Pa /etc/skey
does not exist or is not accessible by the user.
The superuser may enable
.Nm
via the
.Fl E
flag.
.El
.Sh SEE ALSO
.Xr skey 1 ,
.Xr skeyaudit 1 ,
.Xr skeyinfo 1 ,
.Xr skey 5 ,
.Xr skeyprune 8
.Sh AUTHORS
Phil Karn, Neil M. Haller, John S. Walden, Scott Chasin, Todd Miller
199