SunScreen SKIP User's Guide, Release 1.5.1

Options

Note: The -d directory option specifies an alternate directory to store or retrieve localID information. The default directory is /etc/skip/localid. (This option applies to all the subcommands below.)

-a [-T slot type] [-t cert type] [-n nsid] [-Z secretfile] [-c certfile]

The add command is used to add local identities to the trusted Certificate Authority database. All parameters above are required. -T specifies the type of slot. Currently, only soft, for a software slot, is implemented. -t specifies a certificate type. Currently, X.509 and UDH are implemented. -n specifies the namespace in which the certificate's name lives. -Z specifies the file containing the Diffie-Hellman private key. -c specifies the certificate used to establish identity.

When a local ID is added, the certificate is checked for validity. Therefore, the local certificate's CA must have been previously added to the CA database with the skipca command.

If a password has been assigned for encryption of secrets using the skiplocal passwd subcommand, the user will be prompted for that password prior to adding any local IDs.

-R

The rmpasswd subcommand removes the password which is used to encrypt locally stored secrets. The user is prompted for the old password, and if it matches, all secrets are decrypted and stored unencrypted, and the password feature is disabled.

-x [-s slot] [-n nsid]

Creates an "exportable" skiphost command line which could be used to add an access control entry for the local host on a remote system (that is, in the remote /etc/skip/acl.interface file).

By default, -x will choose the first slot in the local identity database. A slot may be specified with the -s option. If the -n option is provided, the first slot with an identity in the given namespace will be used.

An attempt is made to determine the local hostname for inclusion in the generated skiphost command. This hostname may be overridden by setting the SKIPLOCAL_EXPORT_HOST environment variable.

The default arguments provided for skiphost specify DES for key and traffic encryption, and MD5 for authentication. These arguments may be overridden by setting the environment variable SKIPLOCAL_EXPORT_ARGS.

-r [-v] [-s slot-number]

Deletes the local ID in the specified slot number. The control, secret and certificate files are all deleted.

-l [-Vv] [-s slot-number]

The list command lists the local IDs present on the system. By default, slot number, slot type, NSID, MKID (name) and validity periods are printed. The -v option specifies that the local certificate for that slot should be printed as well. -V produces output that is more easily machine parseable.

-k [-m mod_size] [-E exponent_size] [-L lifetime] [-f] [-V] [-M]

Generates a new secret key and a UDH (unsigned) certificate, and adds them as a new slot to the set of local identities. -V produces output that is more easily machine parseable.

The -m option specifies the modulus size in bits. Modulus sizes of 512, 1024, 2048, and 4096 bits are supported in the US domestic release. The highest number of bits allowed by the export control limitations of the software is the default. The -L option specifies the lifetime of the UDH certificate, in days. The default is 5 years. The -f option suppresses the prompt for keyboard input to obtain better random numbers.

The -E option specifies the size of the random exponent to be generated. The default is 256 bits. The -M option simply reports the modulus of the key that would have been generated. (No key is actually generated.)

If a password has been assigned for encryption of secrets using the skiplocal passwd subcommand, the user will be prompted for that password prior to adding any local IDs.

-e [-s slotnumber]

The extract command writes the certificate in the specified slot number to the standard output. If the output is redirected to a file, the file is suitable for the skipdb command.

-i [-qo]

Prior to use, the local ID database must be initialized. The init command creates the database. By default, if the database exists, the init command will not delete any of the local identities present. The user may force reinitialization of the database and destruction of all identities by specifying the -o option. -q tells init to be as quiet as possible about initialization.

-P

Assigns or changes the password which is used to encrypt locally stored secrets. If no password is present, you will be prompted for a new one. If a password already exists, you will be prompted for the old password prior to the new one.

See the man pages for more detail.