cryptkey(1bnu)
cryptkey -- add, delete, or modify a key in the cr1 key database
Synopsis
cryptkey [-a | -c | -d] [-s scheme] [local_principal] remote_principal
Description
The cryptkey command adds, deletes, or modifies the key
shared by two principals in an authentication exchange.
Typically, a shared key is used
in a cr1 exchange (see
cr1(1Mbnu)).
A shared key is a bit string, known only to the
parties in an exchange, that is used to authenticate a connection.
Options
The options to cryptkey have the following meanings:
-a
    Indicates that an entry for the specified principals
    is to be added to the keys file.
    The user will be prompted for the new key.
    To confirm the entry, the system prompts the user to
    enter the key a second time.
-c
    Indicates that the entry
    in the keys file for the specified principals
    is to be changed.
    The system prompts a non-privileged user to enter the old key.
    The system then prompts the user for a new key.
    To confirm the new key, the system prompts the user to enter it a second time.
    A privileged user is not required to
    enter the old key.
-d
    Indicates that the entry for the specified principals
    is to be deleted from the keys file.
    The system prompts a non-privileged user to enter the old key.
    A privileged user is not required to
    enter the old key.
-s scheme
    Specifies the name of the scheme to be used.
    The default scheme is cr1, which uses DES encryption, and
    requires that the Encryption Utilities package be installed.
    If this package is not
    available, ENIGMA encryption can be used by specifying
    cr1.enigma as the scheme.
local_principal
    The name of the local principal sharing the key.
    The name has one of the following forms:
        [local_user][@local_system]
        [local_system!][local_user]
    where local_user is any login name in /etc/passwd.
    If local_principal is omitted, the principal name of the
    effective user is assumed.
remote_principal
    The name of the remote principal sharing the key.
    The name has one of the following forms:
        [remote_user@]remote_system
        remote_system[!remote_user]
    where remote_user is the logname of a remote user.
If cryptkey is entered without any options,
the -c option is assumed and
an existing key for the specified principals will be modified.
The system confirms a request to enter a new key by
prompting the user to enter the key a second time.
If the second entry does not match the first, the operation
is not executed.
Files
/etc/iaf/cr1/keys
    cr1 key database
Usage
The cryptkey command is used to enter
the shared key and
the identities of the principals (the local and remote hosts or users)
that are required to use the key to complete authentication.
The cryptkey command can be used by both privileged
and non-privileged users.
The privileged user is the owner of the keys file.
A non-privileged user must be the local principal for whom
the key is being added, deleted, or modified.
Once the shared key has been entered,
it is stored in the keys file by a daemon process.
If a master key exists, the shared keys in the file are encrypted using that
master key.
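The principal-name forms listed under Options and the privilege rules stated in this Usage section are easy to misread, so the following added example (not SCO's code, and not the way cryptkey or keymaster are actually implemented) models just those two things: a parser for the four documented principal forms, and a function that decides, for one constructed invocation, whether the caller is allowed to proceed and whether the old key must be typed. The names parse_principal, plan_request, and the sample logins and hosts are all constructed for this illustration; the keys-file format and the daemon exchange are not on the page and are not modelled.

```python
import string

# Added example, not SCO's code: it models only the principal-name syntax
# and the permission rules the man page states. The real cryptkey talks to
# the keymaster daemon, which is not represented here.

PRINTABLE = set(string.printable) - set(string.whitespace)


def parse_principal(name, local):
    """Split a principal name into (user, system); None marks an absent part.

    Local forms:  [local_user][@local_system]  or  [local_system!][local_user]
    Remote forms: [remote_user@]remote_system   or  remote_system[!remote_user]
    A bare name is a user on the local side but a system on the remote side.
    Only printability is checked, as the Warnings section says: nothing here
    verifies that the system or login name actually exists.
    """
    if not name or any(ch not in PRINTABLE for ch in name):
        raise ValueError(f"principal must be non-empty printable text: {name!r}")
    if "!" in name:
        system, user = name.split("!", 1)
    elif "@" in name:
        user, system = name.split("@", 1)
    elif local:
        user, system = name, ""
    else:
        user, system = "", name
    user, system = user or None, system or None
    if not local and system is None:
        raise ValueError(f"remote principal needs a system name: {name!r}")
    return user, system


def plan_request(op, invoker, keys_owner, remote, local=None,
                 new_key=None, new_key_again=None):
    """Apply the man page's rules to one invocation and describe the outcome.

    op: 'a', 'c' or 'd'; None means no option was given, so -c is assumed.
    invoker: login name of the effective user running cryptkey.
    keys_owner: owner of the keys file, i.e. the privileged user.
    Returns a dict with the parsed principals, whether the old key must be
    typed, and whether the caller is privileged; raises ValueError when the
    request would be refused.
    """
    op = op or "c"                       # no option given: -c is assumed
    if op not in ("a", "c", "d"):
        raise ValueError(f"unknown option -{op}")

    remote_user, remote_system = parse_principal(remote, local=False)
    if local is None:                    # omitted: the effective user's principal
        local_user, local_system = invoker, None
    else:
        local_user, local_system = parse_principal(local, local=True)
        # Assumption: a local form with no user part (e.g. "@host") also
        # stands for the effective user; the page does not spell this out.
        local_user = local_user or invoker

    # The privileged user is the owner of the keys file; anyone else must
    # be the local principal whose entry is being touched.
    privileged = invoker == keys_owner
    if not privileged and local_user != invoker:
        raise ValueError(
            f"{invoker} is not privileged and is not the local principal {local_user}")

    # -c and -d make a non-privileged user prove knowledge of the old key;
    # the privileged user is exempt.
    needs_old_key = op in ("c", "d") and not privileged

    # -a and -c take a new key, which must be entered twice and match,
    # otherwise the operation is not executed.
    if op in ("a", "c"):
        if not new_key or new_key != new_key_again:
            raise ValueError("new key entries do not match; operation not executed")

    return {
        "op": op,
        "local": (local_user, local_system),
        "remote": (remote_user, remote_system),
        "privileged": privileged,
        "needs_old_key": needs_old_key,
    }


if __name__ == "__main__":
    # Constructed sample invocations; logins, hosts and keys are made up.
    print(plan_request("a", "alice", "root", "bob@farhost",
                       new_key="example-key", new_key_again="example-key"))
    print(plan_request("d", "alice", "root", "farhost!bob", local="here!alice"))
    print(plan_request(None, "root", "root", "farhost", local="alice@here",
                       new_key="example-key", new_key_again="example-key"))
```

Running the block prints the decision for a non-privileged add (no old key needed), a non-privileged delete (old key required), and a privileged change with no option given (defaults to -c, no old key required). A ValueError stands in for cryptkey's non-zero exit and error message.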
Diagnostics
If the daemon has been installed and is running,
cryptkey determines success or failure based on
the response of the
daemon and indicates the result to the user.
If the request is processed successfully, cryptkey exits with a value
of 0; otherwise, it prints an error message and
exits with a non-zero value.
Warnings
For local_principal, cryptkey does not
validate the existence of system names
when they are entered, although it requires
that they be printable characters.
When entered by a privileged user, cryptkey does not validate login names.
For remote_principal, cryptkey does not
validate system names or login names at any time.
References
cr1(1Mbnu),
getkey(3N),
keymaster(1Mbnu)
© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 25 April 2004