man(7) -> mdoc(7).
parent
a05c0d110e
commit
3fb152c523
@ -1,63 +1,91 @@
.ll 6i
.pl 10.5i
.\" @(#)skey.1 1.1 10/28/93
.\" $FreeBSD$
.\"
.lt 6.0i
.TH KEY 1 "28 October 1993"
.AT 3
.SH NAME
S/key \- A procedure to use one time passwords for accessing computer systems.
.SH DESCRIPTION
.I S/key
.Dd October 28, 1993
.Dt KEY 1
.Os
.Sh NAME
.Nm S/key
.Nd "A procedure to use one time passwords for accessing computer systems"
.Sh DESCRIPTION
.Nm
is a procedure for using one time password to authenticate access to
computer systems.
It uses 64 bits of information transformed by the
MD4 algorithm.
The user supplies the 64 bits in the form of 6 English
words that are generated by a secure computer.
Example use of the S/key program
.I key
.sp
Usage example:
.sp 0
>key 99 th91334
.sp 0
Enter password: <your secret password is entered here>
.sp 0
OMEN US HORN OMIT BACK AHOY
.sp 0
>
.sp
The programs that are part of the S/Key system are keyinit, key, and
keyinfo.
Keyinit is used to get your ID set up, key is
Example use of the
.Nm
program
.Nm key :
.Bd -literal -offset indent
>key 99 th91334
Enter password: <your secret password is entered here>
OMEN US HORN OMIT BACK AHOY
>
.Ed
.Pp
The programs that are part of the
.Nm
system are
.Nm keyinit , key ,
and
.Nm keyinfo .
.Nm Keyinit
is used to get your ID set up,
.Nm key
is
used to get the one time password each time,
keyinfo is used to extract information from the S/Key database.
.sp
When you run "keyinit" you inform the system of your
secret password. Running "key" then generates the
.Nm keyinfo
is used to extract information from the
.Nm
database.
.Pp
When you run
.Nm keyinit
you inform the system of your
secret password.
Running
.Nm key
then generates the
one-time passwords, and also requires your secret
password. If however, you misspell your password
while running "key", you will get a list of passwords
password.
If however, you misspell your password
while running
.Nm key ,
you will get a list of passwords
that will not work, and no indication about the problem.
.sp
Password sequence numbers count backward from 99. If you
don't know this, the syntax for "key" will be confusing.
.sp
.Pp
Password sequence numbers count backward from 99.
If you don't know this, the syntax for
.Nm key
will be confusing.
.Pp
You can enter the passwords using small letters, even
though the "key" program gives them in caps.
.sp
Macintosh and a general purpose PC use
are available.
.sp
Under FreeBSD, you can control, with /etc/skey.access, from which
hosts and/or networks the use of S/Key passwords is obligated.
.LP
.SH SEE ALSO
.BR keyinit(1),
.BR key(1),
.BR keyinfo(1)
.BR skey.access(5)
.SH AUTHOR
Phil Karn, Neil M. Haller, John S. Walden, Scott Chasin
though the
.Nm key
program gives them in caps.
.Pp
.Tn Macintosh
and a general purpose
.Tn PC
use are available.
.Pp
Under
.Fx ,
you can control, with
.Pa /etc/skey.access ,
from which hosts and/or networks the use of
.Nm
passwords is obligated.
.Sh SEE ALSO
.Xr key 1 ,
.Xr keyinfo 1 ,
.Xr keyinrio 1 ,
.Xr skey.access 5
.Sh AUTHORS
.An Phil Karn
.An Neil M. Haller
.An John S. Walden
.An Scott Chasin
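Review bot: `.Nm Keyinit` (the line following `.Nm keyinfo .`) capitalizes a program name only because the old man(7) sentence began with it; under `.Nm` the word renders as the command itself, so it should read `.Nm keyinit` with the sentence recast so the name does not open it (for example "The .Nm keyinit program is used to get your ID set up"). The same paragraph packs two names into one macro call, `.Nm keyinit , key ,`; one name per call, `.Nm keyinit ,` then `.Nm key ,`, matches how `.Nm keyinfo .` is already written and keeps the punctuation handling predictable. Also note that the new `.Sh SEE ALSO` opens with `.Xr key 1` on a page whose own title is `.Dt KEY 1`, a self-reference inherited from the old `.BR key(1)` line that can simply be dropped.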
@ -1,142 +1,224 @@
.\" $FreeBSD$
.\"
.TH SKEY.ACCESS 5
.SH NAME
skey.access \- S/Key password control table
.SH DESCRIPTION
The S/Key password control table (\fI/etc/skey.access\fR) is used by
\fIlogin\fR-like programs to determine when UNIX passwords may be used
.Dd January 12, 2001
.Dt SKEY.ACCESS 5
.Os
.Sh NAME
.Nm skey.access
.Nd "S/Key password control table"
.Sh DESCRIPTION
The S/Key password control table
.Pq Pa /etc/skey.access
is used by
.Nm login Ns \-like
programs to determine when
.Ux
passwords may be used
to access the system.
.IP \(bu
When the table does not exist, there are no password restrictions. The
user may enter the UNIX password or the S/Key one.
.IP \(bu
When the table does exist, UNIX passwords are permitted only when
.Bl -bullet
.It
When the table does not exist, there are no password restrictions.
The user may enter the
.Ux
password or the S/Key one.
.It
When the table does exist,
.Ux
passwords are permitted only when
explicitly specified.
.IP \(bu
For the sake of sanity, UNIX passwords are always permitted on the
.It
For the sake of sanity,
.Ux
passwords are always permitted on the
systems console.
.SH "TABLE FORMAT"
The format of the table is one rule per line. Rules are matched in
order. The search terminates when the first matching rule is found, or
.El
.Sh TABLE FORMAT
The format of the table is one rule per line.
Rules are matched in order.
The search terminates when the first matching rule is found, or
when the end of the table is reached.
.PP
.Pp
Rules have the form:
.sp
.in +5
permit condition condition...
.br
deny condition condition...
.in
.PP
.Pp
.Bl -item -offset indent -compact
.It
.Ic permit
.Ar condition condition ...
.It
.Ic deny
.Ar condition condition ...
.El
.Pp
where
.I permit
.Ic permit
and
.I deny
may be followed by zero or more conditions.
Comments begin with a `#\'
character, and extend through the end of the line. Empty lines or
.Ic deny
may be followed by zero or more
.Ar conditions .
Comments begin with a
.Ql #
character, and extend through the end of the line.
Empty lines or
lines with only comments are ignored.
.PP
.Pp
A rule is matched when all conditions are satisfied.
A rule without
conditions is always satisfied.
For example, the last entry could
be a line with just the word
.I deny
.Ic deny
on it.
.SH CONDITIONS
.IP "hostname wzv.win.tue.nl"
True when the login comes from host wzv.win.tue.nl.
See the WARNINGS section below.
.IP "internet 131.155.210.0 255.255.255.0"
.Sh CONDITIONS
.Bl -tag -width indent
.It Ic hostname Ar wzv.win.tue.nl
True when the login comes from host
.Ar wzv.win.tue.nl .
See the
.Sx WARNINGS
section below.
.It Ic internet Ar 131.155.210.0 255.255.255.0
True when the remote host has an internet address in network
131.155.210. The general form of a net/mask rule is:
.sp
.ti +5
internet net mask
.sp
.Ar 131.155.210 .
The general form of a net/mask rule is:
.Pp
.D1 Ic internet Ar net mask
.Pp
The expression is true when the host has an internet address for which
the bitwise and of
.I address
.Ar address
and
.I mask
.Ar mask
equals
.IR net.
See the WARNINGS section below.
.IP "port ttya"
.Ar net .
See the
.Sx WARNINGS
section below.
.It Ic port Ar ttya
True when the login terminal is equal to
.IR /dev/ttya .
Remember that UNIX passwords are always permitted with logins on the
.Pa /dev/ttya .
Remember that
.Ux
passwords are always permitted with logins on the
system console.
.IP "user uucp"
.It Ic user Ar uucp
True when the user attempts to log in as
.IR uucp .
.IP "group wheel"
.Ar uucp .
.It Ic group Ar wheel
True when the user attempts to log in as a member of the
.I wheel
.Ar wheel
group.
.SH COMPATIBILITY
.El
.Sh COMPATIBILITY
For the sake of backwards compatibility, the
.I internet
.Ic internet
keyword may be omitted from net/mask patterns.
.SH WARNINGS
When the S/Key control table (\fI/etc/skey.access\fR)
.Sh WARNINGS
When the S/Key control table
.Pq Pa /etc/skey.access
exists, users without S/Key passwords will be able to login only
where its rules allow the use of UNIX passwords. In particular, this
means that an invocation of \fIlogin(1)\fR in a pseudo-tty (e.g. from
within \fIxterm(1)\fR or \fIscreen(1)\fR) will be treated as a login
where its rules allow the use of
.Ux
passwords.
In particular, this
means that an invocation of
.Xr login 1
in a pseudo-tty (e.g. from
within
.Xr xterm 1
or
.Xr screen 1
will be treated as a login
that is neither from the console nor from the network, mandating the use
of an S/Key password. Such an invocation of \fIlogin(1)\fR will necessarily
of an S/Key password.
Such an invocation of
.Xr login 1
will necessarily
fail for those users who do not have an S/Key password.
.PP
.Pp
Several rule types depend on host name or address information obtained
through the network. What follows is a list of conceivable attacks to
force the system to permit UNIX passwords.
.IP "Host address spoofing (source routing)"
through the network.
What follows is a list of conceivable attacks to force the system to permit
.Ux
passwords.
.Ss "Host address spoofing (source routing)"
An intruder configures a local interface to an address in a trusted
network and connects to the victim using that source address. Given
network and connects to the victim using that source address.
Given
the wrong client address, the victim draws the wrong conclusion from
rules based on host addresses or from rules based on host names derived
from addresses.
.sp
Remedies: (1) do not permit UNIX passwords with network logins; (2)
use network software that discards source routing information (e.g.
.Pp
Remedies:
.Bl -enum
.It
do not permit
.Ux
passwords with network logins;
.It
use network software that discards source routing information (e.g.\&
a tcp wrapper).
.PP
.El
.Pp
Almost every network server must look up the client host name using the
client network address.
The next obvious attack therefore is:
.IP "Host name spoofing (bad PTR record)"
.Ss "Host name spoofing (bad PTR record)"
An intruder manipulates the name server system so that the client
network address resolves to the name of a trusted host. Given the
network address resolves to the name of a trusted host.
Given the
wrong host name, the victim draws the wrong conclusion from rules based
on host names, or from rules based on addresses derived from host
names.
.sp
Remedies: (1) do not permit UNIX passwords with network logins; (2) use
.Pp
Remedies:
.Bl -enum
.It
do not permit
.Ux
passwords with network logins;
.It
use
network software that verifies that the hostname resolves to the client
network address (e.g. a tcp wrapper).
.PP
Some applications, such as the UNIX login program, must look up the
.El
.Pp
Some applications, such as the
.Ux
.Xr login 1
program, must look up the
client network address using the client host name.
In addition to the
previous two attacks, this opens up yet another possibility:
.IP "Host address spoofing (extra A record)"
.Ss "Host address spoofing (extra A record)"
An intruder manipulates the name server system so that the client host
name (also) resolves to a trusted address.
.sp
Remedies: (1) do not permit UNIX passwords with network logins; (2)
the skeyaccess() routines ignore network addresses that appear to
.Pp
Remedies:
.Bl -enum
.It
do not permit
.Ux
passwords with network logins;
.It
the
.Fn skeyaccess
routines ignore network addresses that appear to
belong to someone else.
.SH DIAGNOSTICS
Syntax errors are reported to the syslogd.
.El
.Sh DIAGNOSTICS
Syntax errors are reported to the
.Xr syslogd 8 .
When an error is found
the rule is skipped.
.SH FILES
/etc/skey.access, password control table
.SH AUTHOR
.nf
Wietse Venema
Eindhoven University of Technology
The Netherlands
.Sh FILES
.Bl -tag -width /etc/skey.access
.It Pa /etc/skey.access
password control table
.El
.Sh SEE ALSO
.Xr login 1 ,
.Xr syslogd 8
.Sh AUTHORS
.An Wietse Venema ,
Eindhoven University of Technology,
The Netherlands.
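Review bot: The new `.Sh SEE ALSO` lists only `.Xr login 1` and `.Xr syslogd 8`; the skey.1 page converted in this same commit points at `.Xr skey.access 5`, but nothing here points back at the programs whose passwords the table governs. Add `.Xr key 1` and `.Xr keyinit 1` (sorted by section, then name) so a reader who reaches the table format can find how the S/Key passwords it mandates are set up and generated. Separately, each `.Bl -enum` remedy item is still a sentence fragment ending in `;` (`passwords with network logins;`), carried over from the old inline "(1) ... ; (2) ..." form; as list items they should each be a full sentence ending in a period, and "Remedies:" as a bare line above a list reads better as "Remedies are:" or folded into the first item.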