'\" te
.\" Copyright (C) 2005, Sun Microsystems, Inc. All Rights Reserved
.\" Copyright 1989 AT&T
.TH chkey 1 "10 Dec 2009" "SunOS 5.11" "User Commands"
.SH NAME
chkey \- change user's secure RPC key pair
.SH SYNOPSIS
.LP
.nf
\fBchkey\fR [\fB-p\fR] [\fB-s\fR nis | files | ldap] 
     [\fB-m\fR \fI<mechanism>\fR]
.fi

.SH DESCRIPTION
.sp
.LP
\fBchkey\fR is used to change a user's secure \fBRPC\fR public key and secret key pair. \fBchkey\fR prompts for the old secure-rpc password and verifies that it is correct by decrypting the secret key. If the user has not already used \fBkeylogin\fR(1) to decrypt and store the secret key with \fBkeyserv\fR(1M), \fBchkey\fR registers the secret key with the local \fBkeyserv\fR(1M) daemon. If the secure-rpc password does not match the login password, \fBchkey\fR prompts for the login password. \fBchkey\fR uses the login password to encrypt the user's secret Diffie-Hellman (192 bit) cryptographic key. \fBchkey\fR can also encrypt other Diffie-Hellman keys for authentication mechanisms configured.
.sp
.LP
\fBchkey\fR ensures that the login password and the secure-rpc  password(s) are kept the same, thus enabling password shadowing. See \fBshadow\fR(4).
.sp
.LP
The key pair can be stored in the  \fB/etc/publickey\fR file (see \fBpublickey\fR(4)) or the \fBNIS\fR \fBpublickey\fR map. If a new secret key is generated, it will be registered with the local \fBkeyserv\fR(1M) daemon.
.sp
.LP
Keys for specific mechanisms can be changed or re-encrypted using the \fB-m\fR option followed by the authentication mechanism name. Multiple  \fB-m\fR options can be used to change one or more keys.
.sp
.LP
If the source of the  \fBpublickey\fR is not specified with the \fB-s\fR option,  \fBchkey\fR consults the  \fBpublickey\fR entry in the name service switch configuration file.  See \fBnsswitch.conf\fR(4). If the  \fBpublickey\fR entry specifies one and only one source, then \fBchkey\fR will change the key in the specified name service. However, if multiple name services are listed, \fBchkey\fR can not decide which source to update and will display an error message. The user should specify the source explicitly with the \fB-s\fR option.
.sp
.LP
Non root users are not allowed to change their key pair in the \fBfiles\fR database.
.SH OPTIONS
.sp
.LP
The following options are supported:
.sp
.ne 2
.mk
.na
\fB\fB-p\fR\fR
.ad
.RS 18n
.rt  
Re-encrypt the existing secret key with the user's login password.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-s\fR \fBnis\fR\fR
.ad
.RS 18n
.rt  
Update the \fBNIS\fR database.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-s\fR \fBfiles\fR\fR
.ad
.RS 18n
.rt  
Update the  \fBfiles\fR database.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-s\fR \fBldap\fR\fR
.ad
.RS 18n
.rt  
Update the  LDAP database.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-m\fR\fI <mechanism>\fR\fR
.ad
.RS 18n
.rt  
Changes or re-encrypt the secret key for the specified mechanism.
.RE

.SH FILES
.sp
.ne 2
.mk
.na
\fB\fB/etc/nsswitch.conf\fR\fR
.ad
.RS 22n
.rt  

.RE

.sp
.ne 2
.mk
.na
\fB\fB/etc/publickey\fR\fR
.ad
.RS 22n
.rt  

.RE

.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
tab() box;
cw(2.75i) |cw(2.75i) 
lw(2.75i) |lw(2.75i) 
.
ATTRIBUTE TYPEATTRIBUTE VALUE
_
Availabilitysystem/core-os
.TE

.SH SEE ALSO
.sp
.LP
\fBkeylogin\fR(1), \fBkeylogout\fR(1), \fBkeyserv\fR(1M), \fBnewkey\fR(1M), \fBnsswitch.conf\fR(4), \fBpublickey\fR(4), \fBshadow\fR(4), \fBattributes\fR(5)