man : skeyinit(1)
SKEYINIT(1) OpenBSD Reference Manual SKEYINIT(1)
skeyinit - change password or add user to S/Key authentication system
skeyinit [-CDErsx] [-a auth-type] [-n count] [-md4
| -md5 | -rmd160 | -sha1] [user]
skeyinit initializes the system so you can use S/Key one-time passwords
to log in. The program will ask you to enter a secret passphrase which
is used by skey(1) to generate one-time passwords: enter a phrase of
several words in response. After the S/Key database has been updated you
can log in using either your regular password or using S/Key one-time
skeyinit requires you to type a secret passphrase, so it should be used
only on a secure terminal. For example, on the console of a workstation
or over an encrypted network session. If you are using skeyinit while
logged in over an untrusted network, follow the instructions given below
with the -s option.
Before initializing an S/Key entry, the user must authenticate using
either a standard password or an S/Key challenge. To use a one-time
password for initial authentication, skeyinit -a skey can be used. The
user will then be presented with the standard S/Key challenge and allowed
to proceed if it is correct.
skeyinit prints a sequence number and a one-time password. This password
can't be used to log in; one-time passwords should be generated using
skey(1) first. The one-time password printed by skeyinit can be used to
verify if the right passphrase has been given to skey(1). The one-time
password with the corresponding sequence number printed by skey(1) should
match the one printed by skeyinit.
The options are as follows:
Before an S/Key entry can be initialised, the user must
authenticate themselves to the system. This option allows the
authentication type to be specified, such as ``krb5'',
``passwd'', or ``skey''.
-C Converts from the old-style /etc/skeykeys database to a new-style
database where user records are stored in the /etc/skey
directory. If an entry already exists in the new-style database
it will not be overwritten.
-D Disables access to the S/Key database. Only the superuser may
use the -D option.
-E Enables access to the S/Key database. Only the superuser may use
the -E option.
-md4 | -md5 | -rmd160 | -sha1
Selects the hash algorithm: MD4, MD5, RMD-160 (160-bit Ripe
Message Digest), or SHA1 (NIST Secure Hash Algorithm Revision 1).
Start the skey sequence at count (default is 100).
-r Removes the user's S/Key entry.
-s Secure mode. The user is expected to have already used a secure
machine to generate the first one-time password. Without the -s
option the system will assume you are directly connected over
secure communications and prompt you for your secret passphrase.
The -s option also allows one to set the seed and count for
complete control of the parameters.
When the -s option is specified, skeyinit will try to
authenticate the user via S/Key, instead of the default listed in
/etc/login.conf. If a user has no entry in the S/Key database,
an alternate authentication type must be specified via the -a
option (see above). Please note that entering a password or
passphrase in plain text defeats the purpose of using ``secure''
You can use skeyinit -s in combination with the skey command to
set the seed and count if you do not like the defaults. To do
this run skeyinit -s in one window and put in your count and
seed, then run skey(1) in another window to generate the correct
6 English words for that count and seed. You can then "cut-and-
paste" or type the words into the skeyinit window.
-x Displays one-time passwords in hexadecimal instead of ASCII.
user The username to be changed/added. By default the current user is
/etc/login.conf file containing authentication types
/etc/skey directory containing user entries for S/Key
Reminder - Only use this method if you are directly connected
or have an encrypted channel. If you are using telnet,
hit return now and use skeyinit -s.
Password: <enter your regular password here>
[Updating user with md5]
Old seed: [md5] host12377
Enter new secret passphrase: <type a new passphrase here>
Again secret passphrase: <again>
ID user skey is otp-md5 100 host12378
Next login password: CITE BREW IDLE CAIN ROD DOME
$ otp-md5 -n 3 100 host12378
Reminder - Do not use this program while logged in via telnet.
Enter secret passphrase: <type your passphrase here>
98: WERE TUG EDDY GEAR GILL TEE
99: NEAR HA TILT FIN LONG SNOW
100: CITE BREW IDLE CAIN ROD DOME
The one-time password for the next login will have sequence number 99.
skey disabled /etc/skey does not exist or is not accessible by the user.
The superuser may enable skeyinit via the -E flag.
skey(1), skeyaudit(1), skeyinfo(1), skey(5), skeyprune(8)
Phil Karn, Neil M. Haller, John S. Walden, Scott Chasin, Todd Miller
OpenBSD 4.9 May 31, 2007 OpenBSD 4.9