[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
nifty control over S/Key usage
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: nifty control over S/Key usage
- From: Matthew Patton <patton_(_at_)_sysnet_(_dot_)_net>
- Date: Thu, 2 Jul 1998 00:47:44 -0400
- Delivery-date: Thu Jul 2 21:43:09 1998
FreeBSD has this nifty file /etc/skey.access which influences login's
behavior. I didn't see it mentioned in the OpenBSD docs. Anyone interested?
The configuration file /etc/skey.access can be used to configure
restrictions on the use of UNIX passwords based
on the host name, user name, terminal port, or IP address of a login
session. The complete format of the file is
documented in the skey.access(5) manual page; there are also some security
cautions there which should be read
before depending on this file for security.
If there is no /etc/skey.access file (which is the default state as FreeBSD
is shipped), then all users will be
allowed to use UNIX passwords. If the file exists, however, then all users
will be required to use S/Key unless
explicitly permitted to do otherwise by configuration statements in the
skey.access file. In all cases, UNIX
passwords are permitted on the console.
Here is a sample configuration file which illustrates the three most common
sorts of configuration statements:
permit internet 126.96.36.199 255.255.0.0
permit user jrl
permit port ttyd0
The first line (`permit internet') allows users whose IP source address
(which is vulnerable to spoofing) matches
the specified value and mask, to use UNIX passwords. This should not be
considered a security mechanism, but
rather, a means to remind authorized users that they are using an insecure
network and need to use S/Key for
The second line (`permit user') allows the specified user to use UNIX
passwords at any time. Generally speaking,
this should only be used for people who are either unable to use the `key'
program, like those with dumb terminals,
or those who are uneducable.
The third line (`permit port') allows all users logging in on the specified
terminal line to use UNIX passwords; this
would be used for dial-ups.
It is by caffeine alone I set my mind in motion, it is by the beans of Java
that thoughts acquire speed, the hands acquire shaking, the shaking becomes
a warning, it is by caffeine alone I set my mind in motion.