

SKEYINIT(1)                OpenBSD Reference Manual                SKEYINIT(1)

NAME
     skeyinit - change password or add user to S/Key authentication system

SYNOPSIS
     skeyinit [-CDErsx] [-a auth-type] [-n count] [-md4
              | -md5 | -rmd160 | -sha1] [user]

DESCRIPTION
     skeyinit initializes the system so you can use S/Key one-time passwords
     to log in.  The program will ask you to enter a secret passphrase which
     is used by skey(1) to generate one-time passwords: enter a phrase of
     several words in response.  After the S/Key database has been updated you
     can log in using either your regular password or using S/Key one-time
     passwords.

     skeyinit requires you to type a secret passphrase, so it should be used
     only on a secure terminal, for example on the console of a workstation
     or over an encrypted network session.  If you are using skeyinit while
     logged in over an untrusted network, follow the instructions given below
     with the -s option.

     Before initializing an S/Key entry, the user must authenticate using
     either a standard password or an S/Key challenge.  To use a one-time
     password for initial authentication, skeyinit -a skey can be used.  The
     user will then be presented with the standard S/Key challenge and allowed
     to proceed if it is correct.

     skeyinit prints a sequence number and a one-time password.  This password
     can't be used to log in; one-time passwords should be generated using
     skey(1) first.  The one-time password printed by skeyinit can be used to
     verify if the right passphrase has been given to skey(1).  The one-time
     password with the corresponding sequence number printed by skey(1) should
     match the one printed by skeyinit.

     The options are as follows:

     -a auth-type
             Before an S/Key entry can be initialised, the user must
             authenticate themselves to the system.  This option allows the
             authentication type to be specified, such as ``krb5'',
             ``passwd'', or ``skey''.

     -C      Converts from the old-style /etc/skeykeys database to a new-style
             database where user records are stored in the /etc/skey
             directory.  If an entry already exists in the new-style database
             it will not be overwritten.

     -D      Disables access to the S/Key database.  Only the superuser may
             use the -D option.

     -E      Enables access to the S/Key database.  Only the superuser may use
             the -E option.

     -md4 | -md5 | -rmd160 | -sha1
             Selects the hash algorithm: MD4, MD5, RMD-160 (160-bit Ripe
             Message Digest), or SHA1 (NIST Secure Hash Algorithm Revision 1).

     -n count
             Start the skey sequence at count (default is 100).

     -r      Removes the user's S/Key entry.

     -s      Secure mode.  The user is expected to have already used a secure
             machine to generate the first one-time password.  Without the -s
             option the system will assume you are directly connected over
             secure communications and prompt you for your secret passphrase.
             The -s option also allows one to set the seed and count for
             complete control of the parameters.

             When the -s option is specified, skeyinit will try to
             authenticate the user via S/Key, instead of the default listed in
             /etc/login.conf.  If a user has no entry in the S/Key database,
             an alternate authentication type must be specified via the -a
             option (see above).  Please note that entering a password or
             passphrase in plain text defeats the purpose of using ``secure''
             mode.

             You can use skeyinit -s in combination with the skey command to
             set the seed and count if you do not like the defaults.  To do
             this run skeyinit -s in one window and put in your count and
             seed, then run skey(1) in another window to generate the correct
             6 English words for that count and seed.  You can then "cut-and-
             paste" or type the words into the skeyinit window.

     -x      Displays one-time passwords in hexadecimal instead of ASCII.

     user    The username to be changed/added.  By default the current user is
             operated on.

FILES
     /etc/login.conf  file containing authentication types
     /etc/skey        directory containing user entries for S/Key

EXAMPLES
     $ skeyinit
     Reminder - Only use this method if you are directly connected
                or have an encrypted channel.  If you are using telnet,
                hit return now and use skeyinit -s.
     Password: <enter your regular password here>
     [Updating user with md5]
     Old seed: [md5] host12377
     Enter new secret passphrase: <type a new passphrase here>
     Again secret passphrase: <again>
     ID user skey is otp-md5 100 host12378
     Next login password: CITE BREW IDLE CAIN ROD DOME
     $ otp-md5 -n 3 100 host12378
     Reminder - Do not use this program while logged in via telnet.
     Enter secret passphrase: <type your passphrase here>
     98: WERE TUG EDDY GEAR GILL TEE
     99: NEAR HA TILT FIN LONG SNOW
     100: CITE BREW IDLE CAIN ROD DOME

     The one-time password for the next login will have sequence number 99.
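     As an added illustration (not part of the manual page or the OpenBSD
     sources), the following Python reproduces the otp-md5 computation behind
     the transcript above and the server-side check that makes each password
     single-use.  The passphrase, seed and counts are constructed values, and
     passwords are rendered as hex digits (as with the -x option) rather than
     as the six English words, since that avoids embedding the word list.

```python
import hashlib

def _fold_md5(data: bytes) -> bytes:
    """One S/Key (RFC 2289) step: MD5, then fold 128 bits to 64 by XORing the halves."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp_md5(passphrase: str, seed: str, sequence: int) -> str:
    """One-time password for a sequence number, as 16 hex digits (cf. skey -x).

    The seed is case-insensitive, so it is lowercased before being prepended
    to the passphrase; the result is then hashed 'sequence' more times.
    """
    state = _fold_md5((seed.lower() + passphrase).encode())
    for _ in range(sequence):
        state = _fold_md5(state)
    return state.hex().upper()

def verify_and_advance(stored: str, submitted: str) -> tuple[bool, str]:
    """Server-side check: the stored value is the hash of the OTP expected next.

    Hashing the submitted OTP once must reproduce it; on success the submitted
    OTP becomes the new stored value, so the same OTP can never be replayed.
    The server never holds the passphrase itself.
    """
    if _fold_md5(bytes.fromhex(submitted)).hex().upper() == stored.upper():
        return True, submitted.upper()
    return False, stored

def login_sequence(passphrase: str, seed: str, start: int, attempts: list[int]) -> list[bool]:
    """Simulate skeyinit storing OTP #start, then a series of login attempts."""
    stored = otp_md5(passphrase, seed, start)       # what skeyinit records
    results = []
    for n in attempts:
        ok, stored = verify_and_advance(stored, otp_md5(passphrase, seed, n))
        results.append(ok)
    return results

if __name__ == "__main__":
    # Constructed passphrase; seed and counts mirror the EXAMPLES section.
    for n in (98, 99, 100):
        print(f"{n}: {otp_md5('correct horse battery', 'host12378', n)}")
    # 99 then 98 succeed; replaying 99 afterwards fails, as does jumping to 96
    # (this checker accepts only the immediately preceding sequence number).
    print(login_sequence("correct horse battery", "host12378", 100, [99, 98, 99, 96]))
```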

ERRORS
     skey disabled  /etc/skey does not exist or is not accessible by the user.
                    The superuser may enable skeyinit via the -E flag.

SEE ALSO
     skey(1), skeyaudit(1), skeyinfo(1), skey(5), skeyprune(8)

AUTHORS
     Phil Karn, Neil M. Haller, John S. Walden, Scott Chasin, Todd Miller

OpenBSD 4.9                      May 31, 2007                      OpenBSD 4.9

