
FreeBSD Manual Pages

SKEY.ACCESS(5)		    BSD	File Formats Manual		SKEY.ACCESS(5)

NAME
     skey.access -- S/Key password control table

DESCRIPTION
     The S/Key password control table (/etc/skey.access) is used by login-like
     programs to determine when UNIX passwords may be used to access the
     system.

     +o  When the table does not exist, there are no password restrictions:
         the user may enter either the UNIX password or the S/Key one.

     +o  When the table does exist, UNIX passwords are permitted only when a
         rule explicitly allows them; a login that matches no permit rule
         must use S/Key.

     +o  For the sake of sanity, UNIX passwords are always permitted on the
         system console.

TABLE FORMAT
     The format of the table is one rule per line.  Rules are matched in
     order.  The search terminates when the first matching rule is found, or
     when the end of the table is reached; in the latter case the UNIX
     password is not permitted.

     Rules have	the form:

	   permit condition condition ...
	   deny	condition condition ...

     where permit and deny may be followed by zero or more conditions.
     Comments begin with a `#' character, and extend through the end of the
     line.  Empty lines or lines with only comments are ignored.

     A rule is matched when all conditions are satisfied.  A rule without
     conditions is always satisfied.  For example, the last entry could be a
     line with just the word deny on it, which then catches every login not
     matched by an earlier rule.

CONDITIONS
     hostname wzv.win.tue.nl
	     True when the login comes from host wzv.win.tue.nl.  See the
	     WARNINGS section below.

     internet 131.155.210.0 255.255.255.0
	     True when the remote host has an internet address in network
	     131.155.210.  The general form of a net/mask rule is:

		   internet net	mask

	     The expression is true when the host has an internet address for
	     which the bitwise and of address and mask equals net.  See	the
	     WARNINGS section below.

     port ttya
	     True when the login terminal is equal to /dev/ttya.  Remember
	     that UNIX passwords are always permitted with logins on the
	     system console.

     user uucp
	     True when the user	attempts to log	in as uucp.

     group wheel
	     True when the user	attempts to log	in as a	member of the wheel
	     group.

COMPATIBILITY
     For the sake of backwards compatibility, the internet keyword may be
     omitted from net/mask patterns.
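
     The following is an added example, not the libskey skeyaccess() code:
     a small evaluator that parses a table in the format above and applies
     the matching rules of this page (first match wins, a rule without
     conditions always matches, the console always accepts UNIX passwords,
     the internet keyword may be omitted, and a malformed rule is skipped
     as described under DIAGNOSTICS).  The sample table, the Login record,
     and the set of terminal names treated as the console are assumptions
     made for the example.

```python
"""skey.access(5)-style rule evaluation.  Added example, not the system's
skeyaccess() implementation."""
import ipaddress
import logging
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("skey.access")

# Assumption: terminal names that count as the system console.
CONSOLE_PORTS = frozenset({"console", "ttyv0"})

# Constructed sample table, not taken from any real system.
SAMPLE_TABLE = """\
# UNIX passwords from the office networks, and for uucp from its usual host.
permit internet 131.155.210.0 255.255.255.0
permit 131.155.211.0 255.255.255.0        # keyword omitted (COMPATIBILITY)
permit hostname wzv.win.tue.nl user uucp
deny   user root                          # too late for logins matched above
permit port ttya
permit group wheel hostname trusted.example.org
frobnicate user bob                       # unknown action: rule skipped
permit internet 10.0.0.0                  # missing mask: rule skipped
deny                                      # no conditions: always matches
"""


@dataclass
class Login:
    user: str
    port: str                          # terminal name, with or without /dev/
    groups: frozenset = frozenset()
    hostname: Optional[str] = None     # None for console or pseudo-tty logins
    address: Optional[str] = None


def _port(name: str) -> str:
    return name[5:] if name.startswith("/dev/") else name


def _net_mask(net: str, mask: str) -> tuple:
    return ("internet", int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(mask)))


def parse_table(text: str) -> list:
    """Return [(action, [condition, ...]), ...]; bad lines are logged and skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()     # strip comment, then tokenize
        if not words:
            continue
        action, args = words[0], words[1:]
        if action not in ("permit", "deny"):
            log.error("line %d: unknown action %r, rule skipped", lineno, action)
            continue
        conds, i = [], 0
        try:
            while i < len(args):
                kw = args[i]
                if kw == "hostname":
                    conds.append(("hostname", args[i + 1].lower()))
                    i += 2
                elif kw in ("port", "user", "group"):
                    conds.append((kw, args[i + 1]))
                    i += 2
                elif kw == "internet":
                    conds.append(_net_mask(args[i + 1], args[i + 2]))
                    i += 3
                else:                            # bare "net mask" pair
                    conds.append(_net_mask(kw, args[i + 1]))
                    i += 2
        except (IndexError, ValueError) as exc:  # missing or unparsable argument
            log.error("line %d: %s, rule skipped", lineno, exc)
            continue
        rules.append((action, conds))
    return rules


def _holds(cond: tuple, login: Login) -> bool:
    kind = cond[0]
    if kind == "hostname":
        return login.hostname is not None and login.hostname.lower() == cond[1]
    if kind == "internet":                       # (address & mask) == net
        if login.address is None:
            return False
        return (int(ipaddress.IPv4Address(login.address)) & cond[2]) == cond[1]
    if kind == "port":
        return _port(login.port) == cond[1]
    if kind == "user":
        return login.user == cond[1]
    return cond[1] in login.groups               # "group"


def unix_password_permitted(table: Optional[str], login: Login) -> bool:
    """table is the file's text, or None when /etc/skey.access does not exist."""
    if table is None:
        return True                              # no table: no restrictions
    if _port(login.port) in CONSOLE_PORTS:
        return True                              # console always accepts UNIX passwords
    for action, conds in parse_table(table):
        if all(_holds(c, login) for c in conds):
            return action == "permit"            # first matching rule decides
    return False                                 # end of table: S/Key only
```

     Two results of running this against the sample table are worth
     noting.  A login in a pseudo-tty with no network peer (Login("alice",
     "ttyp0")) matches nothing but the final deny, so only S/Key will do,
     as the WARNINGS section describes.  And because matching stops at the
     first hit, root logging in from 131.155.210.5 is permitted a UNIX
     password by the first rule; the deny rule for root has to come before
     the network permits to have any effect.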

WARNINGS
     When the S/Key control table (/etc/skey.access) exists, users without
     S/Key passwords will be able to login only where its rules allow the use
     of UNIX passwords.  In particular, this means that an invocation of
     login(1) in a pseudo-tty (e.g. from within xterm(1) or screen(1)) will be
     treated as a login that is neither from the console nor from the network,
     mandating the use of an S/Key password unless a user, group or port rule
     permits the UNIX password.  Such an invocation of login(1) will
     necessarily fail for those users who do not have an S/Key password.

     Several rule types	depend on host name or address information obtained
     through the network.  What	follows	is a list of conceivable attacks to
     force the system to permit	UNIX passwords.

   Host	address	spoofing (source routing)
     An	intruder configures a local interface to an address in a trusted net-
     work and connects to the victim using that	source address.	 Given the
     wrong client address, the victim draws the	wrong conclusion from rules
     based on host addresses or	from rules based on host names derived from
     addresses.

     Remedies:

     1.	  do not permit	UNIX passwords with network logins;

     2.	  use network software that discards source routing information	(e.g.
	  a tcp	wrapper).

     Almost every network server must look up the client host name using the
     client network address.  The next obvious attack therefore	is:

   Host	name spoofing (bad PTR record)
     An	intruder manipulates the name server system so that the	client network
     address resolves to the name of a trusted host.  Given the	wrong host
     name, the victim draws the	wrong conclusion from rules based on host
     names, or from rules based	on addresses derived from host names.

     Remedies:

     1.	  do not permit	UNIX passwords with network logins;

     2.	  use network software that verifies that the hostname resolves	to the
	  client network address (e.g. a tcp wrapper).

     Some applications,	such as	the UNIX login(1) program, must	look up	the
     client network address using the client host name.	 In addition to	the
     previous two attacks, this	opens up yet another possibility:

   Host	address	spoofing (extra	A record)
     An	intruder manipulates the name server system so that the	client host
     name (also) resolves to a trusted address.

     Remedies:

     1.	  do not permit	UNIX passwords with network logins;

     2.	  the skeyaccess() routines ignore network addresses that appear to
	  belong to someone else, i.e. addresses found by looking up the
	  client host name whose reverse mapping yields a different name.
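
     The two name-service checks recommended above, as an added example
     that is not the skeyaccess() or tcp wrapper code: forward and reverse
     lookups are cross-checked against each other, on constructed lookup
     tables standing in for the resolver, so that a bad PTR record or an
     extra A record under the intruder's control does not satisfy a
     hostname or internet rule.  The zone data, helper names and the
     naive/verified comparison are assumptions made for the example; source
     address spoofing, the first attack listed, is not addressed here since
     no lookup can detect it.

```python
"""Forward/reverse lookup consistency for host-based skey.access rules.
Added example; not code from skeyaccess(), login(1) or the tcp wrapper."""
import ipaddress
import logging

log = logging.getLogger("skey.access")

# Constructed zone data standing in for the resolver (not real DNS answers).
# Entries marked ATTACKER are records an intruder controls.
PTR_RECORDS = {
    "131.155.210.8": "wzv.win.tue.nl",
    "192.0.2.66": "wzv.win.tue.nl",                       # ATTACKER: bad PTR record
    "203.0.113.5": "evil.example",
}
A_RECORDS = {
    "wzv.win.tue.nl": ["131.155.210.8"],
    "evil.example": ["203.0.113.5", "131.155.210.8"],     # ATTACKER: extra A record
}


def addr_to_name(addr):
    """Reverse (PTR) lookup on the constructed data."""
    return PTR_RECORDS.get(addr)


def name_to_addrs(name):
    """Forward (A) lookup on the constructed data."""
    return A_RECORDS.get(name.lower(), [])


def verified_hostname(addr):
    """Client name for a 'hostname' rule, given the client address: the PTR
    answer is trusted only if that name's A records contain addr."""
    name = addr_to_name(addr)
    if name is None:
        return None
    if addr not in name_to_addrs(name):
        log.warning("host name/address mismatch: %s claims to be %s", addr, name)
        return None
    return name


def verified_addresses(name):
    """Client addresses for an 'internet' rule, given only the client host
    name (as login(1) gets it): an A record is kept only if its PTR maps back
    to the same name; addresses that appear to belong to someone else are
    ignored."""
    kept = []
    for addr in name_to_addrs(name):
        owner = addr_to_name(addr)
        if owner is not None and owner.lower() == name.lower():
            kept.append(addr)
        else:
            log.warning("ignoring %s for %s: reverse mapping says %s", addr, name, owner)
    return kept


def in_network(addr, net, mask):
    """The page's net/mask test: (address & mask) == net."""
    return (int(ipaddress.IPv4Address(addr)) & int(ipaddress.IPv4Address(mask))) \
        == int(ipaddress.IPv4Address(net))


def hostname_rule_matches(client_addr, rule_host, verify=True):
    """'hostname rule_host' evaluated from the client address."""
    name = verified_hostname(client_addr) if verify else addr_to_name(client_addr)
    return name is not None and name.lower() == rule_host.lower()


def internet_rule_matches_by_name(client_name, net, mask, verify=True):
    """'internet net mask' evaluated when only the client host name is known."""
    addrs = verified_addresses(client_name) if verify else name_to_addrs(client_name)
    return any(in_network(a, net, mask) for a in addrs)


if __name__ == "__main__":
    # Bad PTR record: a naive lookup lets 192.0.2.66 pass as the trusted host.
    print(hostname_rule_matches("192.0.2.66", "wzv.win.tue.nl", verify=False))  # True
    print(hostname_rule_matches("192.0.2.66", "wzv.win.tue.nl"))                # False
    # Extra A record: a naive lookup places evil.example inside 131.155.210.0/24.
    print(internet_rule_matches_by_name("evil.example", "131.155.210.0",
                                        "255.255.255.0", verify=False))         # True
    print(internet_rule_matches_by_name("evil.example", "131.155.210.0",
                                        "255.255.255.0"))                       # False
```

     Note that the second check is only as good as the reverse zone of the
     address in question: an intruder who controls both the forward and the
     reverse mapping of an address can still make it "belong" to any name,
     which is why remedy 1 (no UNIX passwords for network logins) is listed
     first for every attack.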

DIAGNOSTICS
     Syntax errors are reported via syslogd(8).  When an error is found the
     offending rule is skipped and matching continues with the next rule.

FILES
     /etc/skey.access  password	control	table

SEE ALSO
     login(1), syslogd(8)

AUTHORS
     Wietse Venema, Eindhoven University of Technology,	The Netherlands.

BSD			       January 12, 2001				   BSD

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=skey.access&sektion=5&manpath=FreeBSD+4.8-RELEASE>