225 lines
5.0 KiB
Groff
225 lines
5.0 KiB
Groff
.\" $FreeBSD$
|
|
.\"
|
|
.Dd January 12, 2001
|
|
.Dt SKEY.ACCESS 5
|
|
.Os
|
|
.Sh NAME
|
|
.Nm skey.access
|
|
.Nd "S/Key password control table"
|
|
.Sh DESCRIPTION
|
|
The S/Key password control table
|
|
.Pq Pa /etc/skey.access
|
|
is used by
|
|
.Nm login Ns \-like
|
|
programs to determine when
|
|
.Ux
|
|
passwords may be used
|
|
to access the system.
|
|
.Bl -bullet
|
|
.It
|
|
When the table does not exist, there are no password restrictions.
|
|
The user may enter the
|
|
.Ux
|
|
password or the S/Key one.
|
|
.It
|
|
When the table does exist,
|
|
.Ux
|
|
passwords are permitted only when
|
|
explicitly specified.
|
|
.It
|
|
For the sake of sanity,
|
|
.Ux
|
|
passwords are always permitted on the
|
|
systems console.
|
|
.El
|
|
.Sh TABLE FORMAT
|
|
The format of the table is one rule per line.
|
|
Rules are matched in order.
|
|
The search terminates when the first matching rule is found, or
|
|
when the end of the table is reached.
|
|
.Pp
|
|
Rules have the form:
|
|
.Pp
|
|
.Bl -item -offset indent -compact
|
|
.It
|
|
.Ic permit
|
|
.Ar condition condition ...
|
|
.It
|
|
.Ic deny
|
|
.Ar condition condition ...
|
|
.El
|
|
.Pp
|
|
where
|
|
.Ic permit
|
|
and
|
|
.Ic deny
|
|
may be followed by zero or more
|
|
.Ar conditions .
|
|
Comments begin with a
|
|
.Ql #
|
|
character, and extend through the end of the line.
|
|
Empty lines or
|
|
lines with only comments are ignored.
|
|
.Pp
|
|
A rule is matched when all conditions are satisfied.
|
|
A rule without
|
|
conditions is always satisfied.
|
|
For example, the last entry could
|
|
be a line with just the word
|
|
.Ic deny
|
|
on it.
|
|
.Sh CONDITIONS
|
|
.Bl -tag -width indent
|
|
.It Ic hostname Ar wzv.win.tue.nl
|
|
True when the login comes from host
|
|
.Ar wzv.win.tue.nl .
|
|
See the
|
|
.Sx WARNINGS
|
|
section below.
|
|
.It Ic internet Ar 131.155.210.0 255.255.255.0
|
|
True when the remote host has an internet address in network
|
|
.Ar 131.155.210 .
|
|
The general form of a net/mask rule is:
|
|
.Pp
|
|
.D1 Ic internet Ar net mask
|
|
.Pp
|
|
The expression is true when the host has an internet address for which
|
|
the bitwise and of
|
|
.Ar address
|
|
and
|
|
.Ar mask
|
|
equals
|
|
.Ar net .
|
|
See the
|
|
.Sx WARNINGS
|
|
section below.
|
|
.It Ic port Ar ttya
|
|
True when the login terminal is equal to
|
|
.Pa /dev/ttya .
|
|
Remember that
|
|
.Ux
|
|
passwords are always permitted with logins on the
|
|
system console.
|
|
.It Ic user Ar uucp
|
|
True when the user attempts to log in as
|
|
.Ar uucp .
|
|
.It Ic group Ar wheel
|
|
True when the user attempts to log in as a member of the
|
|
.Ar wheel
|
|
group.
|
|
.El
|
|
.Sh COMPATIBILITY
|
|
For the sake of backwards compatibility, the
|
|
.Ic internet
|
|
keyword may be omitted from net/mask patterns.
|
|
.Sh WARNINGS
|
|
When the S/Key control table
|
|
.Pq Pa /etc/skey.access
|
|
exists, users without S/Key passwords will be able to login only
|
|
where its rules allow the use of
|
|
.Ux
|
|
passwords.
|
|
In particular, this
|
|
means that an invocation of
|
|
.Xr login 1
|
|
in a pseudo-tty (e.g. from
|
|
within
|
|
.Xr xterm 1
|
|
or
|
|
.Xr screen 1
|
|
will be treated as a login
|
|
that is neither from the console nor from the network, mandating the use
|
|
of an S/Key password.
|
|
Such an invocation of
|
|
.Xr login 1
|
|
will necessarily
|
|
fail for those users who do not have an S/Key password.
|
|
.Pp
|
|
Several rule types depend on host name or address information obtained
|
|
through the network.
|
|
What follows is a list of conceivable attacks to force the system to permit
|
|
.Ux
|
|
passwords.
|
|
.Ss "Host address spoofing (source routing)"
|
|
An intruder configures a local interface to an address in a trusted
|
|
network and connects to the victim using that source address.
|
|
Given
|
|
the wrong client address, the victim draws the wrong conclusion from
|
|
rules based on host addresses or from rules based on host names derived
|
|
from addresses.
|
|
.Pp
|
|
Remedies:
|
|
.Bl -enum
|
|
.It
|
|
do not permit
|
|
.Ux
|
|
passwords with network logins;
|
|
.It
|
|
use network software that discards source routing information (e.g.\&
|
|
a tcp wrapper).
|
|
.El
|
|
.Pp
|
|
Almost every network server must look up the client host name using the
|
|
client network address.
|
|
The next obvious attack therefore is:
|
|
.Ss "Host name spoofing (bad PTR record)"
|
|
An intruder manipulates the name server system so that the client
|
|
network address resolves to the name of a trusted host.
|
|
Given the
|
|
wrong host name, the victim draws the wrong conclusion from rules based
|
|
on host names, or from rules based on addresses derived from host
|
|
names.
|
|
.Pp
|
|
Remedies:
|
|
.Bl -enum
|
|
.It
|
|
do not permit
|
|
.Ux
|
|
passwords with network logins;
|
|
.It
|
|
use
|
|
network software that verifies that the hostname resolves to the client
|
|
network address (e.g. a tcp wrapper).
|
|
.El
|
|
.Pp
|
|
Some applications, such as the
|
|
.Ux
|
|
.Xr login 1
|
|
program, must look up the
|
|
client network address using the client host name.
|
|
In addition to the
|
|
previous two attacks, this opens up yet another possibility:
|
|
.Ss "Host address spoofing (extra A record)"
|
|
An intruder manipulates the name server system so that the client host
|
|
name (also) resolves to a trusted address.
|
|
.Pp
|
|
Remedies:
|
|
.Bl -enum
|
|
.It
|
|
do not permit
|
|
.Ux
|
|
passwords with network logins;
|
|
.It
|
|
the
|
|
.Fn skeyaccess
|
|
routines ignore network addresses that appear to
|
|
belong to someone else.
|
|
.El
|
|
.Sh DIAGNOSTICS
|
|
Syntax errors are reported to the
|
|
.Xr syslogd 8 .
|
|
When an error is found
|
|
the rule is skipped.
|
|
.Sh FILES
|
|
.Bl -tag -width /etc/skey.access
|
|
.It Pa /etc/skey.access
|
|
password control table
|
|
.El
|
|
.Sh SEE ALSO
|
|
.Xr login 1 ,
|
|
.Xr syslogd 8
|
|
.Sh AUTHORS
|
|
.An Wietse Venema ,
|
|
Eindhoven University of Technology,
|
|
The Netherlands.
|