chkey(1)                         User Commands                        chkey(1)

NAME
     chkey - change user's secure RPC key pair

SYNOPSIS
     chkey [-p] [-s nisplus | nis | files | ldap]
           [-m <mechanism>]

DESCRIPTION
     chkey is used to change a user's secure RPC public key and secret key
     pair. chkey prompts for the old secure-rpc password and verifies that
     it is correct by decrypting the secret key. If the user has not already
     used keylogin(1) to decrypt and store the secret key with keyserv(1M),
     chkey registers the secret key with the local keyserv(1M) daemon. If
     the secure-rpc password does not match the login password, chkey
     prompts for the login password. chkey uses the login password to
     encrypt the user's secret Diffie-Hellman (192-bit) cryptographic key.
     chkey can also encrypt other Diffie-Hellman keys for authentication
     mechanisms configured using nisauthconf(1M).

     chkey ensures that the login password and the secure-rpc password(s)
     are kept the same, thus enabling password shadowing. See shadow(4).

     The key pair can be stored in the /etc/publickey file (see
     publickey(4)), the NIS publickey map, or the NIS+ cred.org_dir table.
     If a new secret key is generated, it will be registered with the local
     keyserv(1M) daemon. However, only NIS+ can store Diffie-Hellman keys
     other than 192 bits.

     Keys for specific mechanisms can be changed or re-encrypted using the
     -m option followed by the authentication mechanism name. Multiple -m
     options can be used to change one or more keys. However, only
     mechanisms configured using nisauthconf(1M) can be changed with chkey.

     If the source of the publickey is not specified with the -s option,
     chkey consults the publickey entry in the name service switch
     configuration file. See nsswitch.conf(4). If the publickey entry
     specifies one and only one source, then chkey will change the key in
     the specified name service. However, if multiple name services are
     listed, chkey cannot decide which source to update and will display an
     error message. The user should specify the source explicitly with the
     -s option.
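
The source-selection rule above can be checked before a key change, so it is known in advance which name service chkey would update. The script below is an added example, not part of the original man page; the function names publickey_sources and chkey_source are hypothetical, the sample input is constructed, and it assumes the `[STATUS=action]` criteria syntax of nsswitch.conf(4).

```shell
#!/bin/sh
# Added example, not part of the chkey man page.

# publickey_sources FILE: print each source named on the first "publickey:"
# line of an nsswitch.conf-style file. Comments and [STATUS=action]
# criteria are dropped so that only source names remain.
publickey_sources() {
    sed -e 's/#.*//' -e 's/\[[^]]*\]/ /g' \
        -e 's/^[[:space:]]*publickey:/publickey: /' "$1" |
    awk '$1 == "publickey:" { for (i = 2; i <= NF; i++) print $i; exit }'
}

# chkey_source FILE: print the value to pass to "chkey -s".
# Returns 1 if there is no publickey entry, 2 if several sources are listed
# (the case in which chkey itself reports an error), 3 if the single source
# is not one that -s accepts.
chkey_source() {
    conf=$1
    set -- $(publickey_sources "$conf")
    case $# in
        0) echo "$conf: no publickey entry" >&2; return 1 ;;
        1) ;;
        *) echo "$conf: multiple publickey sources ($*); use -s" >&2; return 2 ;;
    esac
    case $1 in
        nisplus|nis|files|ldap) echo "$1" ;;
        *) echo "$conf: source '$1' is not valid for -s" >&2; return 3 ;;
    esac
}

# Constructed sample input (not taken from a real host).
sample=$(mktemp)
printf '%s\n' 'passwd:    files ldap' \
              'publickey: nis [NOTFOUND=return] files   # two sources' > "$sample"
chkey_source "$sample" || echo "exit status $?: pass -s to chkey explicitly"
rm -f "$sample"
```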

     Non-root users are not allowed to change their key pair in the files
     database.

OPTIONS
     The following options are supported:

     -p                Re-encrypt the existing secret key with the user's
                       login password.

     -s nisplus        Update the NIS+ database.

     -s nis            Update the NIS database.

     -s files          Update the files database.

     -s ldap           Update the LDAP database.

     -m <mechanism>    Change or re-encrypt the secret key for the
                       specified mechanism.

FILES
     /etc/nsswitch.conf

     /etc/publickey

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     ┌─────────────────────────────┬─────────────────────────────┐
     │ ATTRIBUTE TYPE              │ ATTRIBUTE VALUE             │
     ├─────────────────────────────┼─────────────────────────────┤
     │ Availability                │ SUNWcsu                     │
     └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
     keylogin(1), keylogout(1), keyserv(1M), newkey(1M), nisaddcred(1M),
     nisauthconf(1M), nsswitch.conf(4), publickey(4), shadow(4),
     attributes(5)

NOTES
     NIS+ might not be supported in future releases of the Solaris operating
     system. Tools to aid the migration from NIS+ to LDAP are available in
     the current Solaris release. For more information, visit
     http://www.sun.com/directory/nisplus/transition.html.

SunOS 5.11                        29 Nov 2005                         chkey(1)