xref: /illumos-gate/usr/src/man/man1/chkey.1 (revision bbf21555) 
 te
 Copyright (C) 2005, Sun Microsystems, Inc. All Rights Reserved
 Copyright 1989 AT&T
 The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
 You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
 When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
 CHKEY 1 "Feb 25, 2017"
 NAME
chkey - change user's secure RPC key pair

 SYNOPSIS


chkey [-p] [-s nis | files | ldap]
 [-m <mechanism>]




 DESCRIPTION

chkey is used to change a user's secure RPC public key and secret
key pair. chkey prompts for the old secure-rpc password and verifies that
it is correct by decrypting the secret key. If the user has not already used
keylogin(1) to decrypt and store the secret key with keyserv(8),
chkey registers the secret key with the local keyserv(8) daemon.
If the secure-rpc password does not match the login password, chkey
prompts for the login password. chkey uses the login password to encrypt
the user's secret Diffie-Hellman (192 bit) cryptographic key.


chkey ensures that the login password and the secure-rpc password(s) are
kept the same, thus enabling password shadowing. See shadow(5).


The key pair can be stored in the /etc/publickey file (see
publickey(5)) or the NIS publickey map.
If a new secret key is generated, it will be
registered with the local keyserv(8) daemon.


Keys for specific mechanisms can be changed or reencrypted using the -m
option followed by the authentication mechanism name. Multiple -m
options can be used to change one or more keys.


If the source of the publickey is not specified with the -s
option, chkey consults the publickey entry in the name service
switch configuration file. See nsswitch.conf(5). If the publickey
entry specifies one and only one source, then chkey will change the key
in the specified name service. However, if multiple name services are listed,
chkey can not decide which source to update and will display an error
message. The user should specify the source explicitly with the -s
option.


Non root users are not allowed to change their key pair in the files
database.

 OPTIONS

The following options are supported:
-p


Re-encrypt the existing secret key with the user's login password.



-s nis


Update the NIS database.



-s files


Update the files database.



-s ldap


Update the LDAP database.



-m <mechanism>


Changes or re-encrypt the secret key for the specified mechanism.




 FILES
/etc/nsswitch.conf






/etc/publickey







 SEE ALSO

 keylogin (1),  keylogout (1),  nsswitch.conf (5),  publickey (5),  shadow (5),  attributes (7),  keyserv (8),  newkey (8)