cryptkey(1) cryptkey(1)
NAME
cryptkey - add, delete, or modify a key in the cr1 key database
SYNOPSIS
cryptkey [-a | -c | -d] [-s scheme] [local_principal] remote_principal
DESCRIPTION
The cryptkey command adds, deletes, or modifies the key shared
by two principals in an authentication exchange. Typically, a
shared key is used in a cr1 exchange [see cr1(1M)]. A shared
key is a bit string, known only to the parties in an exchange,
that is used to authenticate a connection.
Files
/etc/iaf/cr1/keys cr1 key data base
Diagnostics
If the daemon has been installed and is running, cryptkey
determines success or failure from the daemon's response and
reports the result to the user. If the request is processed
successfully, cryptkey exits with a value of 0; otherwise, it
prints an error message and exits with a non-zero value.
USAGE
The cryptkey command is used to enter the shared key and the
identities of the principals (the local and remote hosts or
users) that are required to use the key to complete
authentication. The cryptkey command can be used by both
privileged and non-privileged users. The privileged user is
the owner of the keys file, /etc/iaf/cr1/keys. A
non-privileged user must be the local principal for whom the
key is being added, deleted, or modified, and is asked to
prove knowledge of the existing key before it can be changed
or deleted.
Once the shared key has been entered using the cryptkey
command, it is stored in the keys file by a daemon process.
If a master key exists, the shared keys in the file are
encrypted using that master key. If no master key has been
set, the shared keys in the file are not encrypted, and their
secrecy then depends entirely on the ownership and
permissions of the keys file.
The options to cryptkey have the following meanings:
-a Indicates that an entry for the specified principals
is to be added to the keys file. The user will be
prompted for the new key. To confirm the entry, the
system prompts the user to enter the key a second
time.
-c Indicates that the entry in the keys file for the
specified principals is to be changed. The system
prompts a non-privileged user to enter the old key.
The system then prompts the user for a new key. To
confirm the new key, the system prompts the user to
enter it a second time. A privileged user is not
required to enter the old key.
-d Indicates that the entry for the specified
principals is to be deleted from the keys file. The
system prompts a non-privileged user to enter the
old key. A privileged user is not required to enter
the old key.
-s scheme
Specifies the name of the scheme to be used. The
default for scheme is cr1, which uses DES
encryption and requires that the Encryption
Utilities package be installed. If this package is
not available, ENIGMA encryption can be used by
specifying cr1.enigma as the scheme. ENIGMA-style
encryption is substantially weaker than DES; use
cr1.enigma only where the Encryption Utilities
package genuinely cannot be installed.
local_principal
The name of the local principal sharing the key.
The name has one of the following forms, where
local_user is any logname in /etc/passwd:
[local_user][@local_system]
[local_system!][local_user]
If local_principal is omitted, the principal name of
the effective user is assumed.
remote_principal
The name of the remote principal sharing the key.
The name has one of the following forms, where
remote_user is the logname of a remote user:
[remote_user@]remote_system
remote_system[!remote_user]
If cryptkey is entered without options, the -c option is
assumed and an existing key for the specified principals will
be modified.
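As an added illustration, not part of this manual page or of the cryptkey utility, the following POSIX shell function applies the principal-name grammar above. The function name cr1_principal, its "user=... system=..." output format, and the decision to apply the printable-character check to remote names as well as local ones are assumptions made for this example; cryptkey itself does not print anything of the kind. It splits a name on the first '@' or '!', treats a bare word as a user for a local principal and as a system for a remote one, substitutes the effective user (id -un) for an omitted local user, and rejects a remote name that names no system or a name containing both separators.

```shell
#!/bin/sh
# Added example: normalize a cryptkey principal name into its user and
# system parts. Hypothetical helper, not code from cryptkey or this page.
#
#   cr1_principal local|remote NAME
#
# Prints "user=<u> system=<s>" and returns 0, or prints a diagnostic on
# stderr and returns 1 for a malformed name (2 for an unknown kind).
cr1_principal() {
    kind=$1
    name=$2
    user=''
    system=''

    # cryptkey requires printable characters in a local name; this example
    # (assumption) applies the same check to remote names.
    case $name in
        *[![:print:]]*)
            echo "cr1_principal: non-printable character in '$name'" >&2
            return 1 ;;
    esac

    case $name in
        *@*!*|*!*@*)
            # A name cannot be in both the user@system and system!user forms.
            echo "cr1_principal: both '@' and '!' in '$name'" >&2
            return 1 ;;
        *@*)
            user=${name%%@*}      # text before the first '@'
            system=${name#*@}     # text after it
            ;;
        *!*)
            system=${name%%!*}    # text before the first '!'
            user=${name#*!}       # text after it
            ;;
        *)
            # A bare word is a user for a local principal and a system for
            # a remote one ([local_user] vs. remote_system in the grammar).
            if [ "$kind" = remote ]; then system=$name; else user=$name; fi
            ;;
    esac

    if [ "$kind" = local ]; then
        # An omitted local user means the effective user.
        [ -n "$user" ] || user=$(id -un)
    elif [ "$kind" = remote ]; then
        # A remote principal must name a system; cryptkey never checks
        # that the system exists, so this is the only check there is.
        if [ -z "$system" ]; then
            echo "cr1_principal: remote principal '$name' names no system" >&2
            return 1
        fi
    else
        echo "cr1_principal: kind must be local or remote" >&2
        return 2
    fi

    printf 'user=%s system=%s\n' "$user" "$system"
}

# Example calls (sample names are constructed for this illustration):
cr1_principal local  'alice@host1'
cr1_principal remote 'host2!bob'
```

Because cryptkey performs no validation of remote names and only a printable-character check on local ones, a wrapper of this kind is the place to add any site-specific check (for instance, that remote_system appears in a local list of known peers) before the key is ever entered.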
The system confirms a request to enter a new key by prompting
the user to enter the key a second time. If the second entry
does not match the first, the operation is not executed.
Warnings
For the local_principal, cryptkey does not validate the
existence of system names when they are entered, although it
requires that they be printable characters. When entered by a
privileged user, cryptkey does not validate lognames either.
For the remote_principal, cryptkey does not validate system
names or lognames at any time. A misspelled principal name
therefore produces a keys file entry that no real exchange
will ever match, rather than an error, so check the spelling
of both principal names before entering the key.
REFERENCES
cr1(1M), getkey(3N), keymaster(1M)
Copyright 1994 Novell, Inc.