This chapter describes the MULTINET DCL commands system managers use to manage the MultiNet Secure/IP user profile database on MultiNet Secure/IP Servers.
Table 2-1 summarizes the MultiNet Secure/IP DCL commands.
Table 2-1 MultiNet Secure/IP DCL Commands

Command                             Description
MULTINET PROFILE /DELETE            Deletes all or a portion of a user profile on the local MultiNet Secure/IP Server.
MULTINET PROFILE /MODIFY            Adds new user profiles or modifies existing user profiles in the local MultiNet Secure/IP user profile database.
MULTINET PROFILE /SHOW              Displays all or a portion of a user profile on the local MultiNet Secure/IP Server.
MULTINET PROFILE /SUMMARY           Returns the number of user profiles in the local MultiNet Secure/IP Server profile database.
MULTINET SKEY                       Calculates an S/KEY response for a particular sequence and seed. This can also be done on any system running Bellcore S/KEY calculator software.
MULTINET TOKEN CRYPTOCARD /CLEAR    Erases the CRYPTOCard key associated with the specified user from the user profile database.
MULTINET TOKEN CRYPTOCARD /LOAD     Generates a series of codes to enter into a CRYPTOCard for the specified user and stores a new key in the user profile database.
MULTINET TOKEN CRYPTOCARD /TEST     Tests the CRYPTOCard programming by generating a random challenge and verifying the response. This sequence mimics what you would see when logging in remotely using the CRYPTOCard authentication method.
MULTINET TOKEN SKEY /CLEAR          Erases the S/KEY sequence for the specified user from the MultiNet user profile database.
MULTINET TOKEN SKEY /INITIALIZE     Initializes a new S/KEY sequence for the specified user and stores the resulting sequence in the user profile database.
MULTINET TOKEN SKEY /SHOW           Displays the next S/KEY sequence for the specified user.
MULTINET TOKEN SKEY /TEST           Tests S/KEY authentication.
MULTINET TOKEN SNK /CLEAR           Erases the SNK key associated with the specified user from the user profile database.
MULTINET TOKEN SNK /LOAD            Generates a random key, displays the programming sequence for the HP Pathways SecureNet (SNK) personal identification token, and stores the new key in the user profile database.
MULTINET TOKEN SNK /TEST            Tests the SNK programming by generating a random challenge and verifying the response. This sequence mimics what you see when logging in remotely using the SNK authentication method.
MULTINET PROFILE /DELETE
Deletes all or a portion of a user profile on the local MultiNet Secure/IP Server.
Note! You cannot configure the local MultiNet Secure/IP Client to use the local server. To determine which MultiNet Secure/IP Server is being used by the local MultiNet Secure/IP Client, use the ACCESS-CONFIG utility or the SHOW LOGICAL MULTINET_ACCESS_SERVER_ADDRESS command.
FORMAT
MULTINET PROFILE /DELETE [=subtype] [username]
PARAMETERS
username
Specifies a user's login name. You may use the wildcard characters asterisk (*) and percent (%). If you omit the login name, the current user's profile data is cleared.
subtype
Specifies the profile subtype to delete from the username profile. The following are valid subtype values:
method: Deletes the profile data related to the user's default authentication method.
cryptocard: Deletes the CRYPTOCard authentication data, if any exists.
snk: Deletes the SNK authentication data, if any exists.
skey: Deletes the S/KEY authentication data, if any exists.
If you omit the subtype, the entire user profile is deleted.
QUALIFIERS
/CONFIRM
Specifies that you want a confirmation prompt before the specified user profile data is deleted.
/LOG
Specifies that a message is displayed after the profile data has been deleted successfully from the user profile database. By default, the deletion message is not displayed.
EXAMPLE
$ MULTINET PROFILE WHORFIN /DELETE=SNK /LOG
%SECUREIP-S-SNKDELETED, SNK key for principal "WHORFIN" deleted
MULTINET PROFILE /MODIFY
Adds new user profiles or modifies existing user profiles in the local MultiNet Secure/IP user profile database.
Note! You cannot configure the local MultiNet Secure/IP Client to use the local server. To determine which MultiNet Secure/IP Server is being used by the local MultiNet Secure/IP Client, use the ACCESS-CONFIG utility or the SHOW LOGICAL MULTINET_ACCESS_SERVER_ADDRESS command.
FORMAT
MULTINET PROFILE /MODIFY=METHOD=method [username]
PARAMETERS
method
Specifies the authentication method used by username. Specify METHOD data to override the system default authentication method. The following are valid method values:
password
snk
skey
cryptocard
securid
Note! To remove METHOD data and return to the system default authentication method for username, use the MULTINET PROFILE /DELETE=METHOD username command.
username
Specifies the user's login name. You may use the wildcard characters asterisk (*) and percent (%). If there is no profile for username in the user profile database, the command prompts you to create a new user profile with the specified subtype.
QUALIFIERS
/CONFIRM
Specifies that you want a confirmation prompt before the specified user profile data is modified.
/LOG
Specifies that a message is displayed after a user profile has been modified successfully in the user profile database. By default, modification messages are not displayed.
EXAMPLE
$ MULTINET PROFILE WHORFIN /MODIFY=METHOD=SNK /LOG
With /LOG, the command reports that the profile for WHORFIN has been modified.
MULTINET PROFILE /SHOW
Displays all or a portion of a user profile on the local MultiNet Secure/IP Server.
Note! You cannot configure the local MultiNet Secure/IP Client to use the local server. To determine which MultiNet Secure/IP Server is being used by the local MultiNet Secure/IP Client, use the ACCESS-CONFIG utility or the SHOW LOGICAL MULTINET_ACCESS_SERVER_ADDRESS command.
FORMAT
MULTINET PROFILE /SHOW [username]
QUALIFIER
/FULL
Displays all profile subtypes associated with the specified user.
EXAMPLE
$ MULTINET PROFILE /SHOW W*
Username Preferred Method
-------- ----------------
walter <default>
whorfin Security Dynamics SecurID
$ MULTINET PROFILE /SHOW /FULL WHORFIN
Username Profile(s)
-------- ----------
whorfin SNK004, Method (Security Dynamics SecurID)
MULTINET PROFILE /SUMMARY
Returns the number of user profiles in the local MultiNet Secure/IP Server profile database.
Note! You cannot configure the local MultiNet Secure/IP Client to use the local server. To determine which MultiNet Secure/IP Server is being used by the local MultiNet Secure/IP Client, use the ACCESS-CONFIG utility or the SHOW LOGICAL MULTINET_ACCESS_SERVER_ADDRESS command.
FORMAT
MULTINET PROFILE /SUMMARY
EXAMPLE
$ MULTINET PROFILE /SUMMARY
%SECUREIP-I-SUMMARY, 28 user profile records found
MULTINET SKEY
Calculates an S/KEY response for a particular sequence and seed. This can also be done on any system running Bellcore S/KEY calculator software. MULTINET SKEY prompts for the S/KEY password unless /PASSWORD is specified. A list of responses written to a file or printed with /COUNT is as sensitive as the passwords themselves; protect or delete SKEY.LIS once the responses have been used.
FORMAT
MULTINET SKEY [sequence] [seed]
PARAMETERS
sequence
Specifies a sequence value from 1 to 99.
seed
Specifies the S/KEY seed value. This value can be up to 18 characters in length.
QUALIFIERS
/COUNT=n
Specifies the number of S/KEY responses to compute. The default is 1.
/DELETE
Specifies that the S/KEY output file is deleted after printing. The default is /NODELETE. Use /DELETE only with /PRINT.
/OUTPUT=file
Specifies the name of a file to which the S/KEY sequence is written. The default output file name is SKEY.LIS. If you omit /OUTPUT, MULTINET SKEY displays the sequence on SYS$OUTPUT.
/PRINT
Specifies that the S/KEY output file is printed. By default, the output file is called SKEY.LIS and is queued to SYS$PRINT. Use /PRINT only with /COUNT.
/QUEUE=queue
Specifies the name of the queue to which the S/KEY output file is queued. By default, the output file is queued to SYS$PRINT. Use /QUEUE only with /PRINT.
The remaining qualifier specifies the name of a DCL symbol in which the computed response is stored.
EXAMPLE
$ MULTINET SKEY 98 BI44244
Password: *****
BANK BORG ACT AMOK GIFT OHIO
The following example prints a list of 10 passwords on SYS$PRINT and deletes the output file after printing:
$ MULTINET SKEY /COUNT=10 98 BI4424 /PRINT /DELETE
Password: *****
MULTINET TOKEN CRYPTOCARD /CLEAR
Erases the CRYPTOCard key associated with the specified user from the user profile database. If a username is not specified, MULTINET TOKEN CRYPTOCARD /CLEAR clears the key for the current user. SECURITY privilege is required to clear another user's key. Non-privileged users can erase their own CRYPTOCard keys by successfully responding to a challenge from MULTINET TOKEN CRYPTOCARD /CLEAR. Once erased, the token must be reprogrammed by the site security administrator.
FORMAT
MULTINET TOKEN CRYPTOCARD /CLEAR [username]
PARAMETER
username
Specifies the login name of a user. If omitted, the current user information is cleared.
QUALIFIER
/LOG
Specifies that a confirmation message is displayed after a key has been successfully erased from the user profile database. /LOG is the default. Specify /NOLOG to cancel the message.
EXAMPLE
$ MULTINET TOKEN CRYPTOCARD /CLEAR
%SECUREIP-S-CRYPTOCARDDELETED, CRYPTOCARD key for principal "holmes" deleted
MULTINET TOKEN CRYPTOCARD /LOAD
Generates a series of codes to enter into a CRYPTOCard for the specified user and stores a new key in the user profile database. If a user name is not specified, a key for the current user is generated. SECURITY privilege is required to generate a key for another user and to load the initial (first) key.
FORMAT
MULTINET TOKEN CRYPTOCARD /LOAD [username]
PARAMETER
username
Specifies the login name of a user. If omitted, the current user information is initialized.
QUALIFIERS
/CHALLENGE={FULL | REDUCED}
Enables or disables the CRYPTOCard's "reduced input" mode. With REDUCED, the CRYPTOCard operates in reduced input mode and predicts the next challenge itself after the user enters the correct PIN. With FULL, the user must key in the challenge manually. The default is REDUCED.
/CONFIRM
Specifies that you are prompted for confirmation before a key is stored in the user profile database. The default is /CONFIRM. If username has already been initialized, a message appears to this effect, /CONFIRM is ignored, and you are prompted if you want to initialize this user. The following example shows this situation:
$ MULTINET TOKEN CRYPTOCARD /LOAD /VERBOSE SYSTEM
%SECUREIP-W-CRYPTOCARDKEYSET, CRYPTOCARD key for principal "system" already exists
Initialize CRYPTOCARD key for principal "system"? [N]: YES
/DISPLAY=list
Determines the format of the prompts generated by the CRYPTOCard. list is a comma-separated list that includes any combination of the keywords shown in Table 2-2.
Table 2-2 CRYPTOCard /DISPLAY Keywords
/KEY=keyword
Lets you enter more than one key in the CRYPTOCard or specify a specific DES key. When you omit the /KEY qualifier, MULTINET TOKEN CRYPTOCARD /LOAD generates a random DES key and stores it in the MultiNet Secure/IP Server user profile database (MULTINET_PROFILE.DATA). Use the /KEY qualifier if the CRYPTOCard will be used with more than one authentication server. keyword is one of those shown in Table 2-3.
Note! MULTINET TOKEN CRYPTOCARD /LOAD only generates the programming instructions and user profile data for the local MultiNet Secure/IP Server; you must obtain other keys from the corresponding authentication servers.
Table 2-3 CRYPTOCard /KEY Keywords
/SPLIT
Splits key loading across two MULTINET TOKEN CRYPTOCARD /LOAD /SPLIT commands so that two individuals can each load one half of the key. You must include all qualifiers (for example /DISPLAY=TELEPHONE) in the first MULTINET TOKEN CRYPTOCARD /LOAD /SPLIT command except for /DISPLAY=USERID, which must be in the second MULTINET TOKEN CRYPTOCARD /LOAD /SPLIT command. You can also specify all qualifiers in both commands; MULTINET TOKEN CRYPTOCARD /LOAD /SPLIT ignores irrelevant qualifiers.
Note! Using MULTINET TOKEN CRYPTOCARD /LOAD /SPLIT only offers a security benefit if two individuals each load only one half of the key. Neither individual should have access to the contents of MULTINET:MULTINET_PROFILE.DATA.
Specifies the language used in all CRYPTOCard displays. lang is one of the following:
ENGLISH_1
ENGLISH_2
FRENCH
GERMAN
ITALIAN
PORTUGUESE
SPANISH
SWEDISH
For descriptions of these languages, refer to your CRYPTOCard documentation. The default is ENGLISH_1.
/LOG
Displays a confirmation message after the key has been stored successfully in the user profile database.
/PIN=list
Specifies the types of protection to program into your CRYPTOCard. list is a comma-separated list that includes any combination of the parameters shown in Table 2-4.
Table 2-4 CRYPTOCard /PIN Parameters
Specifies the number of seconds of inactivity before the CRYPTOCard turns itself off. The default is 30 seconds.
/VERBOSE
Displays extended programming instructions for the CRYPTOCard. By default, MULTINET TOKEN CRYPTOCARD /LOAD displays only minimal programming information. For more information, refer to the CRYPTOCard documentation for setting up additional options.
EXAMPLES
$ MULTINET TOKEN CRYPTOCARD /LOAD /VERBOSE WHORFIN
%SECUREIP-W-KEYEXISTS, CRYPTOCard key for principal "whorfin" already exists
Initialize CRYPTOCard key for principal "whorfin"? [N]: Y
To clear the memory of an existing CRYPTOCard token: ON 225371
The initial "2" keystroke must occur no more than one-half second after the "ON" key. The other keys must also be pressed within two seconds of each other. Alternatively, removing both batteries for a second will clear the memory of an existing token.
To initialize a CRYPTOCard token for principal "whorfin":
Prompt     Enter
------     -----
Locked     ENT
Options?   <prompt will change to "1" on first key press>
1          100 ->
2          234 ->
3          001 ->
4          ENT
Key1?      <prompt will change to "1" on first key press>
1          346 ->
2          315 ->
3          203 ->
4          105 ->
5          046 ->
6          357 ->
7          121 ->
8          054 ->
<blank>    ENT
45DF6308   ENT
You must now choose an initial PIN for the token. This is an initial PIN only: regardless of the PIN change option selected, the user will be required to choose a new PIN the first time they use the token. This PIN must be given to the user along with the token.
Prompt Enter
------ -----
New PIN? <pin> ENT (<pin> = 4-8 digit number)
Verify <pin> ENT (<pin> = 4-8 digit number)
Card OK
%SECUREIP-S-KEYLOADED, CRYPTOCard key for principal "whorfin" initialized
$
Using the information in this example, program the CRYPTOCard as follows:
1 Clear the CRYPTOCard memory by momentarily removing the batteries or entering the "clear" key sequence:
a Turn on the CRYPTOCard and press 2 within half a second.
b Enter 25371.
c Press ENT. If you entered the "clear" key sequence correctly, the CRYPTOCard displays the LOCKED prompt.
2 At the LOCKED prompt, press ENT.
3 At the Options? prompt, enter 100 and press the "right arrow" key. The display changes when you press the first digit. The number on the right side of the display indicates which option you are entering. If you enter a wrong number, press CLR to return to the Options? prompt.
4 At the 2 prompt, enter 234 and press the "right arrow" key.
5 At the 3 prompt, enter 001 and press the "right arrow" key.
6 At the 4 prompt, press ENT. The Key1? prompt appears.
7 At the Key1? prompt, enter 346 and press the "right arrow" key. The display changes when you press the first digit. The number on the right side of the display indicates which key group you are entering. If you enter a wrong number, press CLR to return to the Key1? prompt.
8 At the 2 prompt, enter 315 and press the "right arrow" key.
9 At the 3 prompt, enter 203 and press the "right arrow" key.
10 At the 4 prompt, enter 105 and press the "right arrow" key.
11 At the 5 prompt, enter 046 and press the "right arrow" key.
12 At the 6 prompt, enter 357 and press the "right arrow" key.
13 At the 7 prompt, enter 121 and press the "right arrow" key.
14 At the 8 prompt, enter 054 and press the "right arrow" key. The CRYPTOCard screen goes blank.
15 Press ENT. The CRYPTOCard displays the key checksum, "45DF6308" in this example. Compare it with the checksum printed by the command; if it differs, a key group was mis-entered.
16 Press ENT. The New PIN? prompt appears.
17 Enter your new PIN and press ENT. The Verify prompt appears.
18 Enter your new PIN again and press ENT. If the two entries match, the CRYPTOCard displays "Card OK".
The CRYPTOCard is now programmed. The next time the CRYPTOCard's user enters the new PIN, the CRYPTOCard will force the user to change the PIN.
$ MULTINET TOKEN CRYPTOCARD /LOAD /VERBOSE /SPLIT WHORFIN
%SECUREIP-W-KEYEXISTS, CRYPTOCard key for principal "whorfin" already exists
Initialize CRYPTOCard key for principal "whorfin"? [N]: y
To clear the memory of an existing CRYPTOCard token: ON 225371
The initial "2" keystroke must occur no more than one-half second after the "ON" key. The other keys must also be pressed within two seconds of each other. Alternatively, removing both batteries for a second will clear the memory of an existing token.
To initialize a CRYPTOCard token for principal "whorfin":
Prompt     Enter
------     -----
Locked     ENT
Options?   <prompt will change to "1" on first key press>
1          100 ->
2          234 ->
3          000 ->
4          ENT
Key1?      <prompt will change to "1" on first key press>
1          205 ->
2          357 ->
3          142 ->
4          111 ->
5          155 ->
6          142 ->
7          062 ->
8          073 ->
<blank>    ENT
3A23F664   ENT
Key2?
The first part of split key loading is complete. The token may now be turned off and given to a second site-security administrator, who will complete the initialization process by generating and loading a second key.
Make sure that you press "ENT" after verifying the checksum but before turning off the token. Failure to do so will require that you re-enter the first key the next time you turn on the token. If the first key was entered correctly, the token should be displaying "Key2?".
%SECUREIP-S-KEYLOADED, CRYPTOCard key for principal "whorfin" initialized
-SECUREIP-I-SPLITKEYINP, CRYPTOCard split key initialization in progress
$ MULTINET TOKEN CRYPTOCARD /LOAD /VERBOSE /SPLIT WHORFIN
%SECUREIP-I-SPLITKEYFPD, CRYPTOCard split key initialization for "whorfin"
Initialize CRYPTOCard key for principal "whorfin"? [N]: Y
To complete split key initialization for principal "whorfin":
Prompt     Enter
------     -----
Key2?      <prompt will change to "1" on first key press>
1          070 ->
2          323 ->
3          200 ->
4          111 ->
5          020 ->
6          057 ->
7          205 ->
8          040 ->
<blank>    ENT
5A4C2B27   ENT
69189BE7   ENT
You must now choose an initial PIN for the token. This is an initial PIN only: regardless of the PIN change option selected, the user will be required to choose a new PIN the first time they use the token. This PIN must be given to the user along with the token.
Prompt Enter
------ -----
New PIN? <pin> ENT (<pin> = 4-8 digit number)
Verify <pin> ENT (<pin> = 4-8 digit number)
Card OK
%SECUREIP-S-KEYLOADED, CRYPTOCard key for principal "whorfin" initialized
$
Using the information generated by the commands in this example, program the CRYPTOCard as follows:
1 Clear the CRYPTOCard's memory and enter the Options and Key1 information from the first command (see Example 1). When you press ENT after the checksum prompt, the Key2? prompt appears.
2 Enter the Key2 information from the second MULTINET TOKEN CRYPTOCARD /LOAD /SPLIT command into the CRYPTOCard, verify the two checksums it displays against the command output, then choose the initial PIN as in Example 1.
MULTINET TOKEN CRYPTOCARD /TEST
Tests the CRYPTOCard programming by generating a random challenge and verifying the response. This sequence mimics what you would see when logging in remotely using the CRYPTOCard authentication method.
FORMAT
MULTINET TOKEN CRYPTOCARD /TEST [username]
PARAMETER
username
Specifies a user's login name. If you omit the user name, the current user's information is tested.
EXAMPLE
$ MULTINET TOKEN CRYPTOCARD /TEST
CRYPTOCard authentication for principal "holmes"
Challenge: 645-3152
Response: 6D665D62
Authentication successful
To test a CRYPTOCard token, enter your PIN into the keypad and press ENT. When the Challenge prompt appears, enter the displayed number into the keypad and press ENT. Enter the generated number at the Response prompt. The response is not case-sensitive; you can enter hexadecimal letters in uppercase or lowercase interchangeably.
MULTINET TOKEN SKEY /CLEAR
Erases the S/KEY sequence for the specified user from the MultiNet user profile database. By default, MULTINET TOKEN SKEY /CLEAR erases the current user's S/KEY sequence. SECURITY privilege is required to erase another user's S/KEY sequence.
FORMAT
MULTINET TOKEN SKEY /CLEAR [username]
PARAMETER
username
Specifies the login name of a user. If you omit this parameter, the current user's S/KEY sequence is cleared.
QUALIFIER
/LOG
Displays a confirmation message after the S/KEY sequence has been erased successfully from the user profile database. The default is /LOG. Use /NOLOG to cancel this message.
EXAMPLE
$ MULTINET TOKEN SKEY /CLEAR
%SECUREIP-S-DELETED, S/KEY for principal "holmes" deleted
MULTINET TOKEN SKEY /INITIALIZE
Initializes a new S/KEY sequence for the specified user and stores the resulting sequence in the user profile database. By default, MULTINET TOKEN SKEY /INITIALIZE initializes a sequence for the current user. It prompts for the S/KEY password, the secret that the user later enters into an S/KEY calculator such as MULTINET SKEY to compute responses; this is not the VMS login password, and only the resulting sequence, not the password, is stored in the profile database. If the username is not in the SYSUAF, the administrator is prompted to confirm.
If the user who enters this command does not have SECURITY privilege, the user is prompted for a VMS password, then for the password that is required when using MULTINET TOKEN SKEY commands.
Note! Do not initialize your S/KEY sequence over an insecure channel such as the Internet. S/KEY does not require the associated S/KEY password to be divulged to a host (server) system, except for initialization purposes. Do not enter your S/KEY password on any system that you are not logged into directly, that is, over a hard-wired terminal or a local workstation window. In general, you should only enter your S/KEY password into a portable computing device (Macintosh or PC) running an S/KEY client.
See /NOPASSWORD for a mechanism that you may use to initialize an S/KEY sequence over an insecure link.
FORMAT
MULTINET TOKEN SKEY /INITIALIZE [username]
PARAMETER
username
Specifies the login name of a user. If you omit this parameter, S/KEY is initialized for the current user.
QUALIFIERS
/LOG
Displays a confirmation message after the S/KEY sequence has been stored successfully in the user profile database. This qualifier is enabled by default. Use /NOLOG to disable this function.
/PASSWORD (default)
/NOPASSWORD
With /PASSWORD, MULTINET TOKEN SKEY /INITIALIZE prompts for the S/KEY password and computes the new sequence on the server. With /NOPASSWORD, it instead issues an S/KEY challenge for the current sequence and stores the response you give as the new S/KEY sequence. Generate this response on your S/KEY client using a new password. This lets you reset your S/KEY sequence over an insecure channel without typing your password on the server, as is normally required. The server cannot tell whether the password was new: if you answer with the old password, responses already used from the previous sequence become valid again, so always use a fresh password here.
/SEED=seed
Specifies the S/KEY seed associated with the new S/KEY sequence. By default, MULTINET TOKEN SKEY /INITIALIZE generates a new host-specific seed every time. An S/KEY seed is a string of 1 to 18 characters. Use the /SEED qualifier if you need to create an S/KEY sequence that exactly matches another system using the S/KEY authentication algorithm. In general, you should let the system generate a random seed for you.
Specifies the length of the new S/KEY sequence. By default, MULTINET TOKEN SKEY /INITIALIZE generates a sequence that is good for 98 logins.
Displays the resulting S/KEY sequence for the specified user in a format similar to the skey.init utility under UNIX.
EXAMPLES
In this example, user "brown" has no privileges and is prompted first for his VMS password. The "New Password:" prompt requests a password that is only used with other MULTINET TOKEN SKEY commands. The password has no effect when logging in. After using this command, use the MULTINET TOKEN SKEY command to list the passwords needed to log into a system.
$ MULTINET TOKEN SKEY /INITIALIZE
%SECUREIP-E-SKEYNOTFOU, S/KEY not found for principal "brown"
Enter VMS Password: *****
%SECUREIP-I-SKEYINIT, S/KEY initialization for principal "brown"
New Password: *****
Verification: *****
%SECUREIP-S-INITIALIZED, S/KEY for principal "brown" initialized;
current challenge is "99 go34263"
$
$ MULTINET TOKEN SKEY /INITIALIZE SYSTEM
S/KEY initialization for principal "system"
New Password: *****
Verification: *****
S/KEY for principal "system" initialized; current challenge is "99 bi37243"
The following example demonstrates how to create a new S/KEY sequence when you are not logged into the MultiNet Secure/IP Server over a physically secure connection.
$ MULTINET TOKEN SKEY/INIT/NOPASSWORD
%SECUREIP-I-SKEYINIT, S/KEY initialization for principal "whorfin"
Challenge: s/key 99 bi301206
Response: ?
Enter results of s/key 99 bi301206 using a new password
Challenge: s/key 99 bi301206
Response: MEW GARY ERIC LESK HART FOO
%SECUREIP-S-INITIALIZED, S/KEY for principal "whorfin" initialized; current challenge is "99 bi301206"
The following example demonstrates what happens if a user does not exist in the SYSUAF.
$ MULTINET TOKEN SKEY /INITIALIZE MAYA
Principal "maya" does not exist in local system authorization file
(SYSUAF.DAT)
Initialize S/KEY for principal "maya"? [N]: Y
S/KEY initialization for principal "maya"
New Password: *****
Verification: *****
S/KEY for principal "maya" initialized; current challenge is "99 ee42420"
MULTINET TOKEN SKEY /SHOW
Displays the next S/KEY sequence for the specified user. By default, MULTINET TOKEN SKEY /SHOW displays the current user's S/KEY sequence. You must have SECURITY privilege to display another user's S/KEY sequence.
FORMAT
MULTINET TOKEN SKEY /SHOW [username]
PARAMETER
username
Specifies the login name of a user. If you omit the user name, the seed and sequence values for the current user are displayed.
EXAMPLE
$ MULTINET TOKEN SKEY /SHOW
%SECUREIP-I-SKEYNEXT, current S/KEY challenge for principal "holmes" is "99 go48244"
MULTINET TOKEN SKEY /TEST
Tests S/KEY authentication. By default, MULTINET TOKEN SKEY /TEST tests the current user's S/KEY sequence. You must have SECURITY privilege to test another user's S/KEY sequence.
FORMAT
MULTINET TOKEN SKEY /TEST [username]
PARAMETER
username
Specifies a user's login name. If you omit the user name, the current user's information is tested.
EXAMPLE
In this example, Alison tests her passwords by first using MULTINET SKEY to list three responses from the current sequence. She then uses MULTINET TOKEN SKEY /TEST to check that the response for sequence 98 is accepted.
$ MULTINET SKEY 99 go34263 /COUNT=3
Password: *****
97: FIVE FLUB DOVE MIRE ROSS HOE
98: TROT EASY ROME WING MOB RASH
99: CUR LIFE HIKE PET SEC BIRD
$ MULTINET TOKEN SKEY /TEST
S/KEY authentication for principal "alison"
Challenge: s/key 98 go34263
Response: TROT EASY ROME WING MOB RASH
Authentication successful
MULTINET TOKEN SNK /CLEAR
Erases the SNK key associated with the specified user from the user profile database. If you do not specify a user name, MULTINET TOKEN SNK /CLEAR clears the key for the current user. You must have SECURITY privilege to clear another user's key. Users without privileges can erase their own SNK keys by successfully responding to a challenge from MULTINET TOKEN SNK /CLEAR. Once erased, the token must be reprogrammed by the site security administrator.
FORMAT
MULTINET TOKEN SNK /CLEAR [username]
PARAMETER
username
Specifies the login name of a user. If you omit the user name, the current user information is cleared.
QUALIFIER
/LOG
Specifies that a confirmation message is displayed after a key has been erased successfully from the user profile database. /LOG is the default. Specify /NOLOG to cancel the message.
EXAMPLE
$ MULTINET TOKEN SNK /CLEAR
%SECUREIP-S-KEYDELETED, SNK key for principal "holmes" deleted
MULTINET TOKEN SNK /LOAD
Generates a random key, displays the programming sequence for the HP Pathways SecureNet (SNK) personal identification token, and stores the new key in the user profile database. If you do not specify a user name, a key for the current user is generated. You must have SECURITY privilege to generate a key for another user or to load the initial (first) key.
FORMAT
MULTINET TOKEN SNK /LOAD [username]
PARAMETER
username
Specifies the login name of a user. If you omit the user name, the current user information is initialized.
QUALIFIERS
/CONFIRM
Specifies that you are prompted for confirmation before a key is stored in the user profile database. /CONFIRM is the default. If username has already been initialized, a message appears to this effect, /CONFIRM is ignored, and you are prompted if you want to initialize this user. The following example shows this situation.
$ MULTINET TOKEN SNK /LOAD /VERBOSE SYSTEM
%SECUREIP-W-SNKKEYSET, SNK key for principal "system" already exists
Initialize SNK key for principal "system"? [N]: YES
/KEY=des_key_list
Lets you program tokens with specific DES keys. des_key_list is a comma-separated list of eight numbers representing the DES key to be stored in the associated user record in the MultiNet Secure/IP Server user profile database (MULTINET_PROFILE.DATA). By default, MULTINET TOKEN SNK /LOAD generates a new random DES key.
Note! The first key must be the MultiNet Secure/IP key.
/LOG
Displays a confirmation message after the key has been stored successfully in the user profile database.
/MODE=({DECIMAL | HEXADECIMAL}[,ERASE | NOERASE])
Specifies the mode of operation for the SNK personal identification token. The SNK can be set to respond in either decimal or hexadecimal notation. Because the characters for "b" and "6" look similar on the display, DECIMAL mode is preferred for readability. However, DECIMAL mode is slightly less secure: the token maps each of the 16 possible hexadecimal values (0 to F) onto the 10 decimal digits, so a decimal response has fewer possible values than a hexadecimal response of the same length.
The SNK can also be set to erase its memory after five incorrect PINs are entered. When NOERASE is specified, the SNK generates an invalid response when an incorrect PIN is used, but does not clear its memory. By default, MULTINET TOKEN SNK /LOAD sets the operating mode to (HEXADECIMAL,NOERASE).
/VERBOSE
Displays extended programming instructions for the HP Pathways SecureNet Key (SNK) personal identification token. By default, MULTINET TOKEN SNK /LOAD displays only minimal programming information.
EXAMPLES
$ MULTINET TOKEN SNK /LOAD /VERBOSE SYSTEM
%SECUREIP-W-SNKKEYSET, SNK key for principal "system" already exists
Initialize SNK key for principal "system"? [N]: YES
To clear the memory of an existing SNK key:
ON 3 ENT 00000000 ENT ON 3 ENT 00000000 ENT
To initialize the SNK key for principal "system":
Prompt     Enter
------     -----
E0         1 ENT
1          147
2          325
3          037
4          076
5          247
6          040
7          013
8          112
           ENT
C A6dE33   ENT
If "system" is present, they may choose their PIN now:
Prompt     Enter
------     -----
E2         <pin> ENT (<pin> = 4-16 digit Personal Identification Number)
E3         <pin> ENT (<pin> = 4-16 digit Personal Identification Number)
EP
Using the information in this example, initialize a PIN by following these steps:
1 Clear memory with the ON 3 ENT . . . key sequence shown at the top of the example. As you move through this sequence, the token displays information such as EP, Ed, and a response value. This information is displayed as memory is being cleared and can be ignored. Complete this sequence and press ENT.
2 E0 appears. Enter 1 and press ENT. The token displays E1.
3 Enter the values listed in the "Enter" column. As you enter each three-number set, the reference number listed in the "Prompt" column indicates which set of numbers was entered. After you have entered all the values, press ENT.
4 Ensure that the displayed Checksum value is correct. If the number is incorrect, press ON. The token prompts again for E0; return to Step 2.
5 Press ENT at the end of the New Key values. The token displays E2.
6 Enter the new PIN and press ENT. The token displays E3.
7 Enter the new PIN again and press ENT. The token displays EP.
Once you start a token initialization procedure, it cannot be stopped. If you make a mistake while entering New Key values, press ON to return to E0 (Step 2). If you make a mistake when entering a PIN at the E2 or E3 prompts, press ON to re-enter the value.
$ MULTINET TOKEN SNK /LOAD /CONFIRM SYSTEM
Initialize SNK key for principal "system"? [N]: YES
Clear: ON 3 ENT 00000000 ENT ON 3 ENT 00000000 ENT
Mode: 1
Key: 031 177 236 147 160 061 166 007
Checksum: dEC9E1
%SECUREIP-S-SNKLOADED, SNK key for principal "system" initialized
Note! You can give the token to the user when you reach the E2 prompt, but the user is then responsible for entering a PIN.
MULTINET TOKEN SNK /TEST
Tests the SNK programming by generating a random challenge and verifying the response. This sequence mimics what you see when logging in remotely using the SNK authentication method.
FORMAT
MULTINET TOKEN SNK /TEST [username]
PARAMETER
username
Specifies a user's login name. If you omit the user name, the current user's information is tested.
EXAMPLE
$ MULTINET TOKEN SNK /TEST
SNK authentication for principal "holmes"
Challenge: 645-3152
Response: 6D665D62
Authentication successful
To test an SNK token, enter your PIN into the keypad and press ENT. When the Challenge prompt appears, enter the displayed number into the keypad and press ENT. Enter the generated number at the Response prompt. The response is not case-sensitive; you can enter hexadecimal letters in uppercase or lowercase interchangeably.
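How the /LOAD and /TEST commands for the CRYPTOCard and SNK tokens fit together, as an added Go example; it is not code from this manual or from MultiNet, and it is not the CRYPTOCard or SecureNet algorithm. What it takes from this chapter: keys are displayed as eight three-digit octal groups, and every key group shown here has odd bit parity, as DES key bytes do (for instance 346 315 203 105 046 357 121 054 and 147 325 037 076 247 040 013 112); the server keeps the DES key in the user profile, issues a random decimal challenge, and accepts the hex response in either case. The block generates a parity-correct key in that display format, re-parses and parity-checks a transcribed key so that a mistyped digit is caught before a token is programmed, and runs a DES challenge/response with a constant-time comparison on the server side. How the real tokens map the decimal challenge into a DES block and which ciphertext bits they display is not documented here, so the encoding used (ASCII digits of the challenge zero-padded to one block, first four ciphertext bytes as the response) is this example's assumption.

```go
package main

import (
	"crypto/des"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strconv"
	"strings"
)

func oddParity(b byte) bool { return bits.OnesCount8(b)%2 == 1 }

// ParseOctalKey turns the eight three-digit groups /LOAD prints into an 8-byte DES key.
// Each group is an octal byte and DES key bytes have odd parity, so a mistyped digit is
// usually caught here instead of after the token has been programmed.
func ParseOctalKey(groups string) ([]byte, error) {
	fields := strings.Fields(groups)
	if len(fields) != 8 {
		return nil, fmt.Errorf("expected 8 key groups, got %d", len(fields))
	}
	key := make([]byte, 8)
	for i, f := range fields {
		v, err := strconv.ParseUint(f, 8, 8)
		if err != nil {
			return nil, fmt.Errorf("group %d %q is not an octal byte", i+1, f)
		}
		if !oddParity(byte(v)) {
			return nil, fmt.Errorf("group %d %q has even parity: check the transcription", i+1, f)
		}
		key[i] = byte(v)
	}
	return key, nil
}

// FormatOctalKey renders a key the way /LOAD displays it for keypad entry.
func FormatOctalKey(key []byte) string {
	parts := make([]string, len(key))
	for i, b := range key {
		parts[i] = fmt.Sprintf("%03o", b)
	}
	return strings.Join(parts, " ")
}

// GenerateKey draws 8 random bytes and forces odd parity on each (the parity fix-up is
// this example's choice; the manual only says /LOAD generates a random DES key).
func GenerateKey() ([]byte, error) {
	key := make([]byte, 8)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	for i, b := range key {
		if !oddParity(b) {
			key[i] = b ^ 0x01
		}
	}
	return key, nil
}

// Response models the token: the challenge digits (hyphen removed) fill one DES block,
// the block is encrypted under the key, and the first four ciphertext bytes are shown
// as eight hex digits. This block layout is the example's assumption, not the vendors'.
func Response(key []byte, challenge string) (string, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return "", err
	}
	digits := strings.ReplaceAll(challenge, "-", "")
	if len(digits) == 0 || len(digits) > 8 || strings.Trim(digits, "0123456789") != "" {
		return "", fmt.Errorf("challenge %q must be 1 to 8 decimal digits", challenge)
	}
	var in, out [8]byte
	copy(in[:], digits)
	block.Encrypt(out[:], in[:])
	return strings.ToUpper(hex.EncodeToString(out[:4])), nil
}

// Verify is the server side of /TEST and of a remote login: recompute from the stored
// key and compare case-insensitively in constant time.
func Verify(key []byte, challenge, response string) bool {
	want, err := Response(key, challenge)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(want), []byte(strings.ToUpper(response))) == 1
}

func main() {
	key, _ := ParseOctalKey("346 315 203 105 046 357 121 054") // Key1 groups from the /LOAD example
	resp, _ := Response(key, "645-3152")                         // challenge from the /TEST example
	fmt.Println("Response:", resp, "verified:", Verify(key, "645-3152", strings.ToLower(resp)))
	_, err := ParseOctalKey("346 315 203 105 046 357 121 055") // last digit mistyped
	fmt.Println("transcription check:", err)
}
```

The parity check is the practical part: the checksum the token displays only tells the operator that something went wrong after all eight groups have been keyed in, whereas an even-parity group in a transcribed key can be rejected before anyone touches the token. Whether the real CRYPTOCard and SNK firmware enforce parity is not stated in the manual, so treat the check as a transcription aid rather than a property of the tokens.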