cryptkey(1bnu)


cryptkey -- add, delete, or modify a key in the cr1 key database

Synopsis

cryptkey [-a | -c | -d] [-s scheme] [local_principal] remote_principal

Description

The cryptkey command adds, deletes, or modifies the key shared by two principals in an authentication exchange. Typically, a shared key is used in a cr1 exchange (see cr1(1Mbnu)). A shared key is a bit string, known only to the parties in an exchange, that is used to authenticate a connection.

Options

The options to cryptkey have the following meanings:

-a
Indicates that an entry for the specified principals is to be added to the keys file. The user will be prompted for the new key. To confirm the entry, the system prompts the user to enter the key a second time.

-c
Indicates that the entry in the keys file for the specified principals is to be changed. The system prompts a non-privileged user to enter the old key. The system then prompts the user for a new key. To confirm the new key, the system prompts the user to enter it a second time. A privileged user is not required to enter the old key.

-d
Indicates that the entry for the specified principals is to be deleted from the keys file. The system prompts a non-privileged user to enter the old key. A privileged user is not required to enter the old key.

-s scheme
Specifies the name of the scheme to be used. The default scheme is cr1, which uses DES encryption and requires that the Encryption Utilities package be installed. If this package is not available, ENIGMA encryption can be used by specifying cr1.enigma as the scheme.

local_principal
The name of the local principal sharing the key. The name has one of the following forms:

where local_user is any login name in /etc/passwd.

If local_principal is omitted, the principal name of the effective user is assumed.


remote_principal
The name of the remote principal sharing the key. The name has one of the following forms:

where remote_user is the logname of a remote user.

If cryptkey is entered without any options, the -c option is assumed and an existing key for the specified principals will be modified.

The system confirms a request to enter a new key by prompting the user to enter the key a second time. If the second entry does not match the first, the operation is not executed.

Files

/etc/iaf/cr1/keys
cr1 key database

Usage

The cryptkey command is used to enter the shared key and the identities of the principals (the local and remote hosts or users) that are required to use the key to complete authentication. The cryptkey command can be used by both privileged and non-privileged users. The privileged user is the owner of the keys file. A non-privileged user must be the local principal for whom the key is being added, deleted, or modified.

Once the shared key has been entered, it is stored in the keys file by a daemon process. If a master key exists, the shared keys in the file are encrypted using that master key.
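The option descriptions above and this Usage section together define who may add, change or delete an entry and what each caller must prove. The following model, an added illustration and not SCO's implementation, encodes those rules so they can be exercised offline: the interactive prompts become function arguments, the daemon and the keys file become a dictionary, and principal names are plain constructed strings (the page does not show the name forms). Two details are assumptions not stated on the page: a non-privileged user's old key must match the stored key, and -a refuses to overwrite an existing entry.

```python
"""Model of the cryptkey access rules described in the man page.

Added example, not SCO's code.  The real cryptkey prompts the user and
hands the request to a daemon that writes /etc/iaf/cr1/keys; here the
prompts are arguments and the database is a dict.
Assumptions (not on the page): a non-privileged user's old key must match
the stored key, and -a will not overwrite an existing entry.
"""

from dataclasses import dataclass, field

KEYS_FILE = "/etc/iaf/cr1/keys"   # cr1 key database path from the man page


@dataclass
class KeyDB:
    owner: str                                  # owner of the keys file = privileged user
    keys: dict = field(default_factory=dict)    # (local, remote) -> shared key


def cryptkey(db, effective_user, remote_principal, local_principal=None,
             op="-c", old_key=None, new_key=None, confirm=None):
    """Apply one cryptkey request and return (exit_status, message).

    op is "-a", "-c" or "-d"; with no option the page says -c is assumed.
    Exit status 0 means the daemon accepted the request, non-zero an error.
    """
    if op is None:
        op = "-c"
    if local_principal is None:                 # default: the effective user
        local_principal = effective_user
    privileged = effective_user == db.owner
    entry = (local_principal, remote_principal)

    # A non-privileged user may only act on keys for which they are the local principal.
    if not privileged and local_principal != effective_user:
        return 1, "cryptkey: %s is not the local principal" % effective_user

    if op in ("-c", "-d"):
        if entry not in db.keys:
            return 1, "cryptkey: no entry for %s/%s" % entry
        # Only a non-privileged user is asked for the old key (assumption: mismatch fails).
        if not privileged and old_key != db.keys[entry]:
            return 1, "cryptkey: old key incorrect"

    if op == "-d":
        del db.keys[entry]
        return 0, "deleted"

    if op == "-a" and entry in db.keys:         # assumption: no silent overwrite
        return 1, "cryptkey: entry already exists"

    # A new key must be entered twice and match, for both -a and -c.
    if new_key is None or new_key != confirm:
        return 1, "cryptkey: keys do not match; not executed"
    db.keys[entry] = new_key
    return 0, "added" if op == "-a" else "changed"


def demo():
    """Walk through three constructed requests; returns (exit statuses, final keys)."""
    db = KeyDB(owner="root", keys={("alice", "bob"): "k1"})   # constructed sample entry
    statuses = [
        # alice changes her own key: must give the old key and confirm the new one
        cryptkey(db, "alice", "bob", op="-c", old_key="k1",
                 new_key="k2", confirm="k2")[0],
        # carol (non-privileged) tries to delete alice's key: refused
        cryptkey(db, "carol", "bob", local_principal="alice",
                 op="-d", old_key="k2")[0],
        # root (owner of the keys file) deletes it without the old key
        cryptkey(db, "root", "bob", local_principal="alice", op="-d")[0],
    ]
    return statuses, db.keys


if __name__ == "__main__":
    print(demo())
```

The model makes the two asymmetries of the page explicit: privilege is defined solely by ownership of the keys file, and the old-key check only exists for non-privileged callers, so the access decision and the key confirmation are independent steps that both have to pass before anything is written.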

Diagnostics

If the daemon has been installed and is running, cryptkey determines success or failure based on the response of the daemon and indicates the result to the user. If the request is processed successfully, cryptkey exits with a value of 0; otherwise, it prints an error message and exits with a non-zero value.

Warnings

For local_principal, cryptkey does not validate the existence of system names when they are entered, although it requires that they be printable characters. When entered by a privileged user, cryptkey does not validate login names.

For remote_principal, cryptkey does not validate system names or login names at any time.

References

cr1(1Mbnu), getkey(3N), keymaster(1Mbnu)
© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 25 April 2004