1) Added s/key support .

2  Added optional excessive login logging.
3) Added login acces control on a per host/tty base.
4) See skey(1) for skey descriptions and src/usr.bin/login/README
  for the logging and access control features.

-Guido

11 files changed, 696 insertions, 0 deletions

diff --git a/usr.bin/key/Makefile b/usr.bin/key/Makefile
new file mode 100644
index 0000000..b8553ab
--- /dev/null
+++ b/usr.bin/key/Makefile
@@ -0,0 +1,21 @@
+
+#	@(#)Makefile	5.6 (Berkeley) 3/5/91
+#
+
+PROG=	key
+MAN1=   key.1 skey.1
+CFLAGS+=-I${.CURDIR}/../../lib
+
+
+DPADD=	/usr/bin/libskey.a
+LDADD=	-lskey
+
+.if exists(/usr/lib/libcrypt.a)
+DPADD+= ${LIBCRYPT}
+LDADD+= -lcrypt
+.endif
+
+SRCS=	skey.c
+
+.include <bsd.prog.mk>
+
diff --git a/usr.bin/key/README.WZV b/usr.bin/key/README.WZV
new file mode 100644
index 0000000..a13f3b5
--- /dev/null
+++ b/usr.bin/key/README.WZV
@@ -0,0 +1,100 @@
+One of the nice things of S/Key is that it still leaves you the option
+to use regular UNIX passwords. In fact, the presence of S/Key support
+is completely invisible for a user until she has set up a password with
+the keyinit command. You can permit regular UNIX passwords for local
+logins, while at the same time insisting on S/Key passwords for logins
+from outside.
+
+ORIGIN
+
+These files are modified versions of the s/key files found on
+thumper.bellcore.com at 21 oct 1993. They have been fixed to
+run on top of SunOS 4.1.3 and Solaris 2.3.
+
+Installation is described at the end of this file.
+
+USAGE
+
+Use the keyinit command to set up a new series of s/key passwords.
+
+    wzv_6% keyinit
+    Updating wietse:
+    Old key: wz173500
+    Reminder - Only use this method if you are direct connected.
+    If you are using telnet or dial-in exit with no password and use keyinit -s.
+    Enter secret password: 
+    Again secret password: 
+
+    ID wietse s/key is 99 wz173501
+    BLAH BLA BLAH BLAH BLAH BLA
+
+Be sure to make your secret password sufficiently long. Try using a
+full sentence instead of just one single word.
+
+You will have to do a "keyinit" on every system that you want to login
+on using one-time passwords.
+
+Whenever you log into an s/key protected system you will see
+something like:
+
+    login: wietse
+    s/key 98 wz173501
+    Password:
+
+In this case you can either enter your regular UNIX password or
+your one-time s/key password. For example, I open a local window 
+to compute the password:
+
+    local% key 98 wz173501
+    Reminder - Do not use key while logged in via telnet or rlogin.
+    Enter secret password: 
+    BLAH BLA BLAH BLAH BLAH BLA
+
+The "BLAH BLA BLAH BLAH BLAH BLA" is the one-time s/key password.
+
+If you have to type the one-time password in by hand, it is convenient
+to have echo turned on so that you can correct typing errors. Just type
+a newline at the "Password:" prompt:
+
+    login: wietse
+    s/key 98 wz173501
+    Password: (turning echo on)
+    Password:BLAH BLA BLAH BLAH BLAH BLA
+
+The 98 in the challenge will be 97 the next time, and so on. You'll get
+a warning when you are about to run out of s/key passwords, so that you
+will have to run the keyinit command again.
+
+Sometimes it is more practical to carry a piece of paper with a small
+series of one-time passwords. You can generate the list with:
+
+    % key -n 10 98 wz173501
+    98: BLAH BLA BLAH BLAH BLAH BLA
+    97: ... 
+    96: ...
+
+Be careful when printing material like this!
+
+INSTALLATION
+
+To install, do: make sunos4 (or whatever), then: make install.  
+
+The UNIX password is always permitted with non-network logins.  By
+default, UNIX passwords are always permitted (the Bellcore code by
+default disallows UNIX passwords but I think that is too painful).  In
+order to permit UNIX passwords only with logins from specific networks,
+create a file /etc/skey.access. For example,
+
+    # First word says if UNIX passwords are to be permitted or denied.
+    # remainder of the rule is a networknumber and mask. A rule matches a
+    # host if any of its addresses satisfies:
+    # 
+    #	network = (address & mask)
+    # 
+    #what	network		mask
+    permit	131.155.210.0	255.255.255.0
+    deny	0.0.0.0		0.0.0.0
+
+This particular example will permit UNIX passwords with logins from any
+host on network 131.155.210, but will insist on one-time passwords in
+all other cases.
diff --git a/usr.bin/key/key.1 b/usr.bin/key/key.1
new file mode 100644
index 0000000..d9da463
--- /dev/null
+++ b/usr.bin/key/key.1
@@ -0,0 +1,49 @@
+.ll 6i
+.pl 10.5i
+.\"	@(#)key.1	1.0 (Bellcore) 12/2/91
+.\"
+.lt 6.0i
+.TH KEY 1 "2 December 1991"
+.AT 3
+.SH NAME
+key \-  Stand\-alone program for computing responses to S/Key challenges.
+.SH SYNOPSIS
+.B key [\-n <count>] <Sequence> <key> 
+.SH DESCRIPTION
+.I key
+Takes the optional count  of the number of one time access 
+passwords to print
+along with a (maximum) sequence number and key as command line args, 
+it prompts for the user's secret password, and produces both word 
+and hex format responses.
+.SH EXAMPLE
+.sh
+  Usage example:
+.sp 0
+ 	>key \-n 5 99 th91334
+.sp 0
+ 	Enter password: <your secret password is entered here>
+.sp 0
+ 	OMEN US HORN OMIT BACK AHOY
+.sp 0
+	.... 4 more passwords.
+.sp 0
+ 	>
+.LP
+.SH OPTIONS
+.LP
+.B \-n <count>
+the number of one time access passwords to print.
+The default is one.
+.SH DIAGNOSTICS
+.SH BUGS
+.LP
+.SH SEE ALSO
+.BR skey(1),
+.BR keyinit(1),
+.BR keysu(1),
+.BR keyinfo(1)
+.SH AUTHOR
+Command by Phil Karn, Neil M. Haller, John S. Walden
+.SH CONTACT
+staff@thumper.bellcore.com
diff --git a/usr.bin/key/skey.1 b/usr.bin/key/skey.1
new file mode 100644
index 0000000..0a8b1b6
--- /dev/null
+++ b/usr.bin/key/skey.1
@@ -0,0 +1,59 @@
+.ll 6i
+.pl 10.5i
+.\"	@(#)skey.1	1.1 	10/28/93
+.\"
+.lt 6.0i
+.TH KEY 1 "28 October 1993"
+.AT 3
+.SH NAME
+S/key \-  A proceedure to use one time passwords for accessing computer systems.
+.SH DESCRIPTION
+.I S/key
+is a proceedure for using one time password to authenticate access to
+compter systems. It uses 64 bits of information transformed by the
+MD4 algorithm. The user supplies the 64 bits in the form of 6 English
+words that are generated by a secure computer.
+Example use of the S/key program 
+.I key
+.sp
+  Usage example:
+.sp 0
+ 	>key  99 th91334
+.sp 0
+ 	Enter password: <your secret password is intered here>
+.sp 0
+ 	OMEN US HORN OMIT BACK AHOY
+.sp 0
+ 	>
+.sp
+The programs that are part of the S/Key system are keyinit, key, and
+keyinfo. Keyinit is used to get your ID set up, key is
+used to get the one time password each time,
+keyinfo is used to extract information from the S/Key database.
+.sp
+When you run "keyinit" you inform the system of your
+secret password.  Running "key" then generates the
+one-time passwords, and also requires your secret
+password.  If however, you misspell your password
+while running "key", you will get a list of passwords
+that will not work, and no indication about the problem.
+.sp
+Password sequence numbers count backward from 99.  If you
+don't know this, the syntax for "key" will be confusing.
+.sp
+You can enter the passwords using small letters, even
+though the "key" program gives them in caps.
+.sp
+Macintosh and a general purpose PC use
+are available. 
+.sp
+Under FreeBSD, you can control, with /etc/skey.access, from which
+hosts and/or networks the use of S/Key passwords is obligated. 
+.LP
+.SH SEE ALSO
+.BR keyinit(1),
+.BR key(1),
+.BR keyinfo(1)
+.BR skey.access(5)
+.SH AUTHOR
+Phil Karn, Neil M. Haller, John S. Walden, Scott Chasin
diff --git a/usr.bin/key/skey.c b/usr.bin/key/skey.c
new file mode 100644
index 0000000..e025312
--- /dev/null
+++ b/usr.bin/key/skey.c
@@ -0,0 +1,128 @@
+/* Stand-alone program for computing responses to S/Key challenges.
+ * Takes the iteration count and seed as command line args, prompts
+ * for the user's key, and produces both word and hex format responses.
+ *
+ * Usage example:
+ *	>skey 88 ka9q2
+ *	Enter password:
+ *	OMEN US HORN OMIT BACK AHOY
+ *	C848 666B 6435 0A93
+ *	>
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef	__MSDOS__
+#include <dos.h>
+#else	/* Assume BSD unix */
+#include <fcntl.h>
+#endif
+#include "libskey/md4.h"
+#include "libskey/skey.h"
+
+char *readpass();
+void usage();
+int getopt();
+extern int optind;
+extern char *optarg;
+
+int
+main(argc,argv)
+int argc;
+char *argv[];
+{
+	int n,cnt,i;
+	char passwd[256],passwd2[256];
+	char key[8];
+	char *seed;
+	char buf[33];
+	char *slash;
+
+	cnt = 1;
+	while((i = getopt(argc,argv,"n:")) != EOF){
+		switch(i){
+		case 'n':
+			cnt = atoi(optarg);
+			break;
+		}
+	}
+	/* could be in the form <number>/<seed> */
+	if(argc <= optind + 1){
+		/*look for / in it */
+		if(argc <= optind){
+			usage(argv[0]);
+			return 1;
+		}
+
+		slash = strchr(argv[optind], '/');
+		if(slash == NULL){
+			usage(argv[0]);
+			return 1;
+		}
+		*slash++ = '\0';
+		seed = slash;
+
+		if((n = atoi(argv[optind])) < 0){
+			fprintf(stderr,"%s not positive\n",argv[optind]);
+			usage(argv[0]);
+			return 1;
+		}
+	}
+	else {
+
+		if((n = atoi(argv[optind])) < 0){
+			fprintf(stderr,"%s not positive\n",argv[optind]);
+			usage(argv[0]);
+			return 1;
+		}
+		seed = argv[++optind];
+	}
+	fprintf(stderr,"Reminder - Do not use this program while logged in via telnet or rlogin.\n");
+
+	/* Get user's secret password */
+	for(;;){
+		fprintf(stderr,"Enter secret password: ");
+		readpass(passwd,sizeof(passwd));
+		break;
+	/************
+		fprintf(stderr,"Again secret password: ");
+		readpass(passwd2,sizeof(passwd));
+		if(strcmp(passwd,passwd2) == 0) break;
+		fprintf(stderr, "Sorry no match\n");
+        **************/
+	
+	}
+
+	/* Crunch seed and password into starting key */
+	if(keycrunch(key,seed,passwd) != 0){
+		fprintf(stderr,"%s: key crunch failed\n",argv[0]);
+		return 1;
+	}
+	if(cnt == 1){
+		while(n-- != 0)
+			f(key);
+		printf("%s\n",btoe(buf,key));
+#ifdef	HEXIN
+		printf("%s\n",put8(buf,key));
+#endif
+	} else {
+		for(i=0;i<=n-cnt;i++)
+			f(key);
+		for(;i<=n;i++){
+#ifdef	HEXIN
+			printf("%d: %-29s  %s\n",i,btoe(buf,key),put8(buf,key));
+#else
+			printf("%d: %-29s\n",i,btoe(buf,key));
+#endif
+			f(key);		
+		}
+	}
+	return 0;
+}
+void
+usage(s)
+char *s;
+{
+	fprintf(stderr,"Usage: %s [-n count] <sequence #>[/] <key> \n",s);
+}
+
diff --git a/usr.bin/keyinfo/Makefile b/usr.bin/keyinfo/Makefile
new file mode 100644
index 0000000..41baee6
--- /dev/null
+++ b/usr.bin/keyinfo/Makefile
@@ -0,0 +1,9 @@
+#	@(#)Makefile	5.5 (Berkeley) 7/1/90
+
+MAN1=	keyinfo.1
+
+beforeinstall:
+	install -c -o ${BINOWN} -g ${BINGRP} -m ${BINMODE} \
+	    ${.CURDIR}/keyinfo.sh ${DESTDIR}${BINDIR}/keyinfo
+
+.include <bsd.prog.mk>
diff --git a/usr.bin/keyinfo/keyinfo.1 b/usr.bin/keyinfo/keyinfo.1
new file mode 100644
index 0000000..b12aa96
--- /dev/null
+++ b/usr.bin/keyinfo/keyinfo.1
@@ -0,0 +1,40 @@
+.ll 6i
+.pl 10.5i
+.\"	@(#)keyinfo.1	1.1 (Bellcore) 7/20/93
+.\"
+.lt 6.0i
+.TH KEYINFO 1 "20 July 1993"
+.AT 3
+.SH NAME
+keyinfo \-  display current S/Key sequence number and seed
+.SH SYNOPSIS
+.B keyinfo [username]
+.SH DESCRIPTION
+.I keyinfo
+takes an optional user name and displays the user\'s current sequence
+number and seed found in the S/Key database /etc/skeykeys.
+.sp 1
+The command can be useful when generating a list of passwords for use
+on a field trip, by combining with the command
+.I key
+in the form:
+.sp
+    >key \-n  <number of passwords to print> `keyinfo`|lpr
+.SH EXAMPLE
+.sh
+Usage example:
+.sp 0
+    >keyinfo
+.sp 0
+    0098 ws91340
+.LP
+.SH ARGUMENTS
+.TP
+.B username
+The S/key user to display the information for.  The default is 
+to display S/Key information on the user who invokes the command.
+.SH SEE ALSO
+.BR keyinit(1),
+.BR key(1)
+.SH AUTHOR
+Command by Phil Karn, Neil M. Haller, John S. Walden
diff --git a/usr.bin/keyinfo/keyinfo.sh b/usr.bin/keyinfo/keyinfo.sh
new file mode 100644
index 0000000..5879442
--- /dev/null
+++ b/usr.bin/keyinfo/keyinfo.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+# search /etc/skeykeys for the skey string for this user OR user specified
+# in 1st parameter
+
+PATH=/bin:/usr/bin
+
+test -f /etc/skeykeys && {
+	WHO=${1-`id | sed 's/^[^(]*(\([^)]*\).*/\1/'`}
+	awk '/^'${WHO}'[ 	]/ { print $2-1, $3 }' /etc/skeykeys
+}
diff --git a/usr.bin/keyinit/Makefile b/usr.bin/keyinit/Makefile
new file mode 100644
index 0000000..4c44d30
--- /dev/null
+++ b/usr.bin/keyinit/Makefile
@@ -0,0 +1,21 @@
+
+#	@(#)Makefile	5.6 (Berkeley) 3/5/91
+#
+
+PROG=	keyinit
+MAN1=   keyinit.1
+CFLAGS+=-I${.CURDIR}/../../lib
+DPADD=	/usr/bin/libskey.a
+LDADD=	-lskey
+
+.if exists(/usr/lib/libcrypt.a)
+DPADD+= ${LIBCRYPT}
+LDADD+= -lcrypt
+.endif
+
+SRCS=	skeyinit.c
+
+BINOWN=	root
+BINMODE=4555
+
+.include <bsd.prog.mk>
diff --git a/usr.bin/keyinit/keyinit.1 b/usr.bin/keyinit/keyinit.1
new file mode 100644
index 0000000..2fe2d03
--- /dev/null
+++ b/usr.bin/keyinit/keyinit.1
@@ -0,0 +1,64 @@
+.ll 6i
+.pl 10.5i
+.\"	@(#)keyinit.1	1.0 (Bellcore) 7/20/93
+.\"
+.lt 6.0i
+.TH KEYINIT 1 "20 July 1993"
+.AT 3
+.SH NAME
+keyinit \-  Change password or add user to S/Key authentication system.
+.SH SYNOPSIS
+.B keyinit [\-s]   [<user ID >] 
+.SH DESCRIPTION
+.I keyinit
+initializes the system so you can use S/Key one-time passwords to
+login.  The program will ask you to enter a secret pass phrase; enter a
+phrase of several words in response. After the S/Key database has been
+updated you can login using either your regular UNIX password or using
+S/Key one-time passwords. 
+.PP
+When logging in from another machine you can avoid typing a real
+password over the network, by typing your S/Key pass phrase to the
+\fIkey\fR command on the local machine:  the program will respond with
+the one-time password that you should use to log into the remote
+machine.  This is most conveniently done with cut-and-paste operations
+using a mouse.  Alternatively, you can pre-compute one-time passwords
+using the \fIkey\fR command and carry them with you on a piece of paper.
+.PP
+\fIkeyinit\fR requires you to type your secret password, so it should
+be used only on a secure terminal. For example, on the console of a
+workstation. If you are using \fIkeyinit\fR while logged in over an
+untrusted network, follow the instructions given below with the \-s
+option.
+.SH OPTIONS
+.IP \-s
+Set secure mode where the user is expected to have used a secure
+machine to generate the first one time password.  Without the \-s the
+system will assume you are direct connected over secure communications
+and prompt you for your secret password.
+The \-s option also allows one to set the seed and count for complete
+control of the parameters.  You can use keyinit -s in compination with
+the 
+.I key
+command to set the seed and count if you do not like the defaults.
+To do this run keyinit in one window and put in your count and seed
+then run key in another window to generate the correct 6 english words
+for that count and seed. You can then
+"cut" and "paste" them or copy them into the keyinit window.
+.sp
+.LP
+.B <user ID>
+the ID for the user to be changed/added
+.SH DIAGNOSTICS
+.SH FILES
+.TP
+/etc/skeykeys data base of information for S/Key system.
+.SH BUGS
+.LP
+.SH SEE ALSO
+.BR skey(1),
+.BR key(1),
+.BR keysu(1),
+.BR keyinfo(1)
+.SH AUTHOR
+Command by Phil Karn, Neil M. Haller, John S. Walden
diff --git a/usr.bin/keyinit/skeyinit.c b/usr.bin/keyinit/skeyinit.c
new file mode 100644
index 0000000..d13bd6b
--- /dev/null
+++ b/usr.bin/keyinit/skeyinit.c
@@ -0,0 +1,195 @@
+/*   change password or add user to S/KEY authentication system.
+ *   S/KEY is a tradmark of Bellcore  */
+
+#include <stdio.h>
+#include <string.h>
+#include <pwd.h>
+#include "libskey/skey.h"
+#include <stdio.h>
+#include <time.h>
+
+extern int optind;
+extern char *optarg;
+
+char * readpass();
+
+int skeylookup __ARGS((struct skey *mp,char *name));
+
+#define NAMELEN 2
+int
+main(argc,argv)
+int argc;
+char *argv[];
+{
+	struct skey skey;
+	int rval,n,nn,i,defaultsetup;
+	char seed[18],tmp[80],key[8];
+	struct passwd *ppuser,*pp;
+	char defaultseed[17], passwd[256],passwd2[256] ;
+
+
+	time_t now;
+	struct tm *tm;
+	char tbuf[27],buf[60];
+	char lastc, me[80];
+	int l;
+
+	time(&now);
+#if 0	/* Choose a more random seed */
+	tm = localtime(&now);
+	strftime(tbuf, sizeof(tbuf), "%M%j", tm);
+#else
+	sprintf(tbuf, "%05ld", (long) (now % 100000));
+#endif
+	gethostname(defaultseed,NAMELEN);
+	strcpy(&defaultseed[NAMELEN],tbuf);
+
+	pp = ppuser = getpwuid(getuid());
+	strcpy(me,pp->pw_name);
+	defaultsetup = 1;
+	if( argc > 1){
+		if(strcmp("-s", argv[1]) == 0)
+			defaultsetup = 0;
+		else
+			pp = getpwnam(argv[1]);
+		if(argc > 2)
+			pp = getpwnam(argv[2]);
+
+	}
+	if(pp == NULL){
+		printf("User unknown\n");
+		return 1;
+	}
+	if(strcmp( pp->pw_name,me) != 0){
+		if(getuid() != 0){
+			/* Only root can change other's passwds */
+			printf("Permission denied.\n");
+			return(1);
+		}
+	}
+
+
+
+	rval = skeylookup(&skey,pp->pw_name);
+	switch(rval){
+	case -1:
+		perror("error in opening database");
+		return 1;
+	case 0:
+		printf("Updating %s:\n",pp->pw_name);
+		printf("Old key: %s\n",skey.seed);
+		/* lets be nice if they have a skey.seed that ends in 0-8 just add one*/
+		l = strlen(skey.seed);
+		if( l > 0){
+			lastc = skey.seed[l-1];
+			if( isdigit(lastc) && lastc != '9' ){
+				strcpy(defaultseed, skey.seed);
+				defaultseed[l-1] = lastc + 1;
+			}
+			if( isdigit(lastc) && lastc == '9' && l < 16){
+				strcpy(defaultseed, skey.seed);
+				defaultseed[l-1] = '0';
+				defaultseed[l] = '0';
+				defaultseed[l+1] = '\0';
+			}
+		}
+		break;
+	case 1:
+		skey.val = 0;	/* XXX */
+		printf("Adding %s:\n",pp->pw_name);
+		break;
+	}
+    n = 99;
+    if( ! defaultsetup){
+	printf("Reminder you need the 6 english words from the skey command.\n");
+	for(i=0;;i++){
+		if(i >= 2) exit(1);
+		printf("Enter sequence count from 1 to 10000: ");
+		fgets(tmp,sizeof(tmp),stdin);
+		n = atoi(tmp);
+		if(n > 0 && n < 10000)
+			break;	/* Valid range */
+		printf("Count must be > 0 and < 10000\n");
+	}
+    }
+    if( !defaultsetup){
+	printf("Enter new key [default %s]: ", defaultseed);
+	fflush(stdout);
+	fgets(seed,sizeof(seed),stdin);
+	rip(seed);
+	if(strlen(seed) > 16){
+		printf("Seed truncated to 16 chars\n");
+		seed[16] = '\0';
+	}
+	if( seed[0] == '\0') strcpy(seed,defaultseed);
+	for(i=0;;i++){
+		if(i >= 2) exit(1);
+		printf("s/key %d %s\ns/key access password: ",n,seed);
+		fgets(tmp,sizeof(tmp),stdin);
+		rip(tmp);
+		backspace(tmp);
+		if(tmp[0] == '?'){
+			printf("Enter 6 English words from secure S/Key calculation.\n");
+			continue;
+		}
+		if(tmp[0] == '\0'){
+			exit(1);
+		}
+		if(etob(key,tmp) == 1 || atob8(key,tmp) == 0)
+			break;	/* Valid format */
+		printf("Invalid format, try again with 6 English words.\n");
+	}
+    } else {
+	/* Get user's secret password */
+	fprintf(stderr,"Reminder - Only use this method if you are directly connected.\n");
+	fprintf(stderr,"If you are using telnet or rlogin exit with no password and use keyinit -s.\n");
+	for(i=0;;i++){
+		if(i >= 2) exit(1);
+		fprintf(stderr,"Enter secret password: ");
+		readpass(passwd,sizeof(passwd));
+		if(passwd[0] == '\0'){
+			exit(1);
+		}
+		fprintf(stderr,"Again secret password: ");
+		readpass(passwd2,sizeof(passwd));
+		if(passwd2[0] == '\0'){
+			exit(1);
+		}
+		if(strlen(passwd) < 4 && strlen(passwd2) < 4) {
+			fprintf(stderr, "Sorry your password must be longer\n\r");
+			exit(1);
+		}
+		if(strcmp(passwd,passwd2) == 0) break;
+		fprintf(stderr, "Sorry no match\n");
+		
+	
+	}
+	strcpy(seed,defaultseed);
+
+	/* Crunch seed and password into starting key */
+	if(keycrunch(key,seed,passwd) != 0){
+		fprintf(stderr,"%s: key crunch failed\n",argv[0]);
+		return 1;
+	}
+	nn = n;
+	while(nn-- != 0)
+		f(key);
+    }
+	time(&now);
+	tm = localtime(&now);
+	strftime(tbuf, sizeof(tbuf), " %b %d,%Y %T", tm);
+        if (skey.val == NULL)
+                  skey.val = (char *) malloc(16+1);
+
+
+	btoa8(skey.val,key);
+	fprintf(skey.keyfile,"%s %04d %-16s %s %-21s\n",pp->pw_name,n,
+		seed,skey.val, tbuf);
+	fclose(skey.keyfile);
+	printf("\nID %s s/key is %d %s\n",pp->pw_name,n,seed);
+	printf("%s\n",btoe(buf,key));
+#ifdef HEXIN
+	printf("%s\n",put8(buf,key));
+#endif
+	return 0;
+}