The chkey command changes a user's secure RPC public key and secret key pair. chkey prompts for the old secure-rpc password and verifies that it is correct by decrypting the secret key. If the user has not already used keylogin to decrypt and store the secret key with keyserv, chkey registers the secret key with the local keyserv daemon. If the secure-rpc password does not match the login password, chkey prompts for the login password. chkey then uses the login password to encrypt the user's secret Diffie-Hellman (192-bit) cryptographic key. chkey can also encrypt other Diffie-Hellman keys for authentication mechanisms configured using nisauthconf.
chkey ensures that the login password and the secure-rpc password (or passwords) are kept the same, thus enabling password shadowing.
The key pair can be stored in the /etc/publickey file, the NIS publickey map, or the NIS+ cred.org_dir table. If a new secret key is generated, it will be registered with the local keyserv daemon. However, only NIS+ can store Diffie-Hellman keys other than 192-bits.
Keys for specific mechanisms can be changed or reencrypted using the -m option followed by the authentication mechanism name. Multiple -m options can be used to change one or more keys. However, only mechanisms configured using nisauthconf can be changed with chkey.
If the source of the publickey is not specified with the -s option, chkey consults the publickey entry in the name service switch configuration file (nsswitch.conf). If the publickey entry specifies one and only one source, then chkey will change the key in the specified name service. However, if multiple name services are listed, chkey cannot decide which source to update and displays an error message. The user should specify the source explicitly with the -s option.
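The source-selection rule above, as an added shell example that is not part of the chkey man page or the chkey implementation: it reads a constructed nsswitch.conf body, extracts the publickey entry, and either returns the single source or fails the way chkey does when the entry is ambiguous (the function name and sample entries are assumptions).

```shell
#!/bin/sh
# Constructed nsswitch.conf contents for the example (not from a real system).
NSSWITCH_SINGLE='passwd: files nis
publickey: nisplus
hosts: files dns'
NSSWITCH_MULTI='passwd: files nis
publickey: nis files   # two sources: chkey must be told which with -s
hosts: files dns'

# publickey_source: print the one source chkey would update, or report why it
# cannot decide. Arg 1 is the nsswitch.conf text. Exit status: 0 when exactly
# one source is listed, 1 when the entry is ambiguous, 2 when it is missing.
publickey_source() {
    entry=$(printf '%s\n' "$1" | sed -n 's/^publickey:[[:space:]]*//p' | head -n 1)
    if [ -z "$entry" ]; then
        echo "chkey: no publickey entry in nsswitch.conf" >&2
        return 2
    fi
    # Drop trailing comments and status/action brackets such as [NOTFOUND=return],
    # which are not sources; the remaining words are the candidate sources.
    sources=$(printf '%s\n' "$entry" | sed 's/#.*//; s/\[[^]]*\]//g')
    set -- $sources
    if [ "$#" -eq 1 ]; then
        echo "$1"
        return 0
    fi
    echo "chkey: publickey entry lists $# sources; specify one with -s" >&2
    return 1
}
```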
Non-root users are not allowed to change their key pair in the files database.