Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
SKEY.ACCESS(5)            FreeBSD File Formats Manual           SKEY.ACCESS(5)

NAME
     skey.access -- S/Key password control table

DESCRIPTION
     The S/Key password control table (/etc/skey.access) is used by login-like
     programs to determine when UNIX passwords may be used to access the sys-
     tem.

     +o   When the table does not exist, there are no password restrictions.
         The user may enter the UNIX password or the S/Key one.

     +o   When the table does exist, UNIX passwords are permitted only when
         explicitly specified.

     +o   For the sake of sanity, UNIX passwords are always permitted on the
         systems console.

TABLE FORMAT
     The format of the table is one rule per line.  Rules are matched in
     order.  The search terminates when the first matching rule is found, or
     when the end of the table is reached.

     Rules have the form:

           permit condition condition ...
           deny condition condition ...

     where permit and deny may be followed by zero or more conditions.  Com-
     ments begin with a `#' character, and extend through the end of the line.
     Empty lines or lines with only comments are ignored.

     A rule is matched when all conditions are satisfied.  A rule without con-
     ditions is always satisfied.  For example, the last entry could be a line
     with just the word deny on it.

CONDITIONS
     hostname wzv.win.tue.nl
             True when the login comes from host wzv.win.tue.nl.  See the
             WARNINGS section below.

     internet 131.155.210.0 255.255.255.0
             True when the remote host has an internet address in network
             131.155.210.  The general form of a net/mask rule is:

                   internet net mask

             The expression is true when the host has an internet address for
             which the bitwise and of address and mask equals net.  See the
             WARNINGS section below.

     port ttya
             True when the login terminal is equal to /dev/ttya.  Remember
             that UNIX passwords are always permitted with logins on the sys-
             tem console.

     user uucp
             True when the user attempts to log in as uucp.

     group wheel
             True when the user attempts to log in as a member of the wheel
             group.

COMPATIBILITY
     For the sake of backwards compatibility, the internet keyword may be
     omitted from net/mask patterns.

WARNINGS
     When the S/Key control table (/etc/skey.access) exists, users without
     S/Key passwords will be able to login only where its rules allow the use
     of UNIX passwords.  In particular, this means that an invocation of
     login(1) in a pseudo-tty (e.g. from within xterm(1) or screen(1) will be
     treated as a login that is neither from the console nor from the network,
     mandating the use of an S/Key password.  Such an invocation of login(1)
     will necessarily fail for those users who do not have an S/Key password.

     Several rule types depend on host name or address information obtained
     through the network.  What follows is a list of conceivable attacks to
     force the system to permit UNIX passwords.

   Host address spoofing (source routing)
     An intruder configures a local interface to an address in a trusted net-
     work and connects to the victim using that source address.  Given the
     wrong client address, the victim draws the wrong conclusion from rules
     based on host addresses or from rules based on host names derived from
     addresses.

     Remedies:

     1.   do not permit UNIX passwords with network logins;

     2.   use network software that discards source routing information (e.g.
          a tcp wrapper).

     Almost every network server must look up the client host name using the
     client network address.  The next obvious attack therefore is:

   Host name spoofing (bad PTR record)
     An intruder manipulates the name server system so that the client network
     address resolves to the name of a trusted host.  Given the wrong host
     name, the victim draws the wrong conclusion from rules based on host
     names, or from rules based on addresses derived from host names.

     Remedies:

     1.   do not permit UNIX passwords with network logins;

     2.   use network software that verifies that the hostname resolves to the
          client network address (e.g. a tcp wrapper).

     Some applications, such as the UNIX login(1) program, must look up the
     client network address using the client host name.  In addition to the
     previous two attacks, this opens up yet another possibility:

   Host address spoofing (extra A record)
     An intruder manipulates the name server system so that the client host
     name (also) resolves to a trusted address.

     Remedies:

     1.   do not permit UNIX passwords with network logins;

     2.   the skeyaccess() routines ignore network addresses that appear to
          belong to someone else.

DIAGNOSTICS
     Syntax errors are reported to the syslogd(8).  When an error is found the
     rule is skipped.

FILES
     /etc/skey.access  password control table

SEE ALSO
     login(1), syslogd(8)

AUTHORS
     Wietse Venema, Eindhoven University of Technology, The Netherlands.

FreeBSD 4.10                   January 12, 2001                   FreeBSD 4.10

NAME | DESCRIPTION | TABLE FORMAT | CONDITIONS | COMPATIBILITY | WARNINGS | DIAGNOSTICS | FILES | SEE ALSO | AUTHORS

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=skey.access&sektion=5&manpath=FreeBSD+4.10-RELEASE>

home | help