freebsd-skq/lib/libskey/skey.access.5

.\" $FreeBSD$
.\"
.Dd January 12, 2001
.Dt SKEY.ACCESS 5
.Os
.Sh NAME
.Nm skey.access
.Nd "S/Key password control table"
.Sh DESCRIPTION
The S/Key password control table
.Pq Pa /etc/skey.access
is used by
.Nm login Ns \-like
programs to determine when
.Ux
passwords may be used
to access the system.
.Bl -bullet
.It
When the table does not exist, there are no password restrictions.
The user may enter the
.Ux
password or the S/Key one.
.It
When the table does exist,
.Ux
passwords are permitted only when
explicitly specified.
.It
For the sake of sanity,
.Ux
passwords are always permitted on the
system console.
.El
.Sh TABLE FORMAT
The format of the table is one rule per line.
Rules are matched in order.
The search terminates when the first matching rule is found, or
when the end of the table is reached.
.Pp
Rules have the form:
.Pp
.Bl -item -offset indent -compact
.It
.Ic permit
.Ar condition condition ...
.It
.Ic deny
.Ar condition condition ...
.El
.Pp
where
.Ic permit
and
.Ic deny
may be followed by zero or more
.Ar conditions .
Comments begin with a
.Ql #
character, and extend through the end of the line.
Empty lines or
lines with only comments are ignored.
.Pp
A rule is matched when all conditions are satisfied.
A rule without
conditions is always satisfied.
For example, the last entry could
be a line with just the word
.Ic deny
on it.
.Sh CONDITIONS
.Bl -tag -width indent
.It Ic hostname Ar wzv.win.tue.nl
True when the login comes from host
.Ar wzv.win.tue.nl .
See the
.Sx WARNINGS
section below.
.It Ic internet Ar 131.155.210.0 255.255.255.0
True when the remote host has an internet address in network
.Ar 131.155.210 .
The general form of a net/mask rule is:
.Pp
.D1 Ic internet Ar net mask
.Pp
The expression is true when the host has an internet address for which
the bitwise and of
.Ar address
and
.Ar mask
equals
.Ar net .
See the
.Sx WARNINGS
section below.
.It Ic port Ar ttya
True when the login terminal is equal to
.Pa /dev/ttya .
Remember that
.Ux
passwords are always permitted with logins on the
system console.
.It Ic user Ar uucp
True when the user attempts to log in as
.Ar uucp .
.It Ic group Ar wheel
True when the user attempts to log in as a member of the
.Ar wheel
group.
.El
.Sh COMPATIBILITY
For the sake of backwards compatibility, the
.Ic internet
keyword may be omitted from net/mask patterns.
.Sh WARNINGS
When the S/Key control table
.Pq Pa /etc/skey.access
exists, users without S/Key passwords will be able to log in only
where its rules allow the use of
.Ux
passwords.
In particular, this
means that an invocation of
.Xr login 1
in a pseudo-tty (e.g. from
within
.Xr xterm 1
or
.Xr screen 1 )
will be treated as a login
that is neither from the console nor from the network, mandating the use
of an S/Key password.
Such an invocation of
.Xr login 1
will necessarily
fail for those users who do not have an S/Key password.
.Pp
Several rule types depend on host name or address information obtained
through the network.
What follows is a list of conceivable attacks to force the system to permit
.Ux
passwords.
.Ss "Host address spoofing (source routing)"
An intruder configures a local interface to an address in a trusted
network and connects to the victim using that source address.
Given
the wrong client address, the victim draws the wrong conclusion from
rules based on host addresses or from rules based on host names derived
from addresses.
.Pp
Remedies:
.Bl -enum
.It
do not permit
.Ux
passwords with network logins;
.It
use network software that discards source routing information (e.g.\&
a tcp wrapper).
.El
.Pp
Almost every network server must look up the client host name using the
client network address.
The next obvious attack therefore is:
.Ss "Host name spoofing (bad PTR record)"
An intruder manipulates the name server system so that the client
network address resolves to the name of a trusted host.
Given the
wrong host name, the victim draws the wrong conclusion from rules based
on host names, or from rules based on addresses derived from host
names.
.Pp
Remedies:
.Bl -enum
.It
do not permit
.Ux
passwords with network logins;
.It
use
network software that verifies that the hostname resolves to the client
network address (e.g. a tcp wrapper).
.El
.Pp
Some applications, such as the
.Ux
.Xr login 1
program, must look up the
client network address using the client host name.
In addition to the
previous two attacks, this opens up yet another possibility:
.Ss "Host address spoofing (extra A record)"
An intruder manipulates the name server system so that the client host
name (also) resolves to a trusted address.
.Pp
Remedies:
.Bl -enum
.It
do not permit
.Ux
passwords with network logins;
.It
the
.Fn skeyaccess
routines ignore network addresses that appear to
belong to someone else.
.El
.Sh DIAGNOSTICS
Syntax errors are reported to the
.Xr syslogd 8 .
When an error is found
the rule is skipped.
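.Pp
The following C program is an added example; it is not part of this manual page
or of the libskey sources.
It is a reference evaluator for the table format described above: first match
wins, a rule without conditions always matches, a missing table permits
everything, the console is always permitted, the
.Ic internet
keyword may be omitted, and a rule with a syntax error is skipped.
It also shows why a
.Xr login 1
inside a pseudo-tty (no host, no address) falls through to a trailing
.Ic deny .
The
.Dv CONSOLE
name and the single-group login context are assumptions, and the embedded
table is constructed, not a real site's policy.

```c
/* Added example, not the libskey code: a reference evaluator for the /etc/skey.access
 * format described on this page.  CONSOLE and the one-group context are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <arpa/inet.h>

#define CONSOLE "console"      /* assumption: tty name treated as the system console */

struct login_ctx {
    const char *user, *group;  /* account and one group it belongs to (stand-in for getgrnam()) */
    const char *port;          /* tty name without /dev/, e.g. "ttya" or "ttyp3" */
    const char *host, *addr;   /* client name and IPv4 address; NULL when not a network login */
};

/* "internet net mask": true when (address & mask) == net.  Malformed operands are
 * a syntax error (-1) even when the login carries no address. */
static int match_net(const char *addr, const char *net, const char *mask)
{
    struct in_addr a, n, m;
    if (inet_pton(AF_INET, net, &n) != 1 || inet_pton(AF_INET, mask, &m) != 1)
        return -1;
    if (addr == NULL || inet_pton(AF_INET, addr, &a) != 1)
        return 0;
    return (a.s_addr & m.s_addr) == n.s_addr;
}

/* One rule line: 1 matches, 0 does not, -1 syntax error (rule skipped, see DIAGNOSTICS). */
static int match_rule(char *line, const struct login_ctx *c, int *permit)
{
    char *tok[32], *save = NULL, *p;
    int n = 0, matched = 1, i = 1;
    if ((p = strchr(line, '#')) != NULL)
        *p = '\0';                                    /* comment runs to end of line */
    for (p = strtok_r(line, " \t\r", &save); p && n < 32; p = strtok_r(NULL, " \t\r", &save))
        tok[n++] = p;
    if (n == 0)
        return 0;                                     /* empty or comment-only line */
    if (strcmp(tok[0], "permit") == 0) *permit = 1;
    else if (strcmp(tok[0], "deny") == 0) *permit = 0;
    else return -1;
    while (i < n) {                                   /* every condition must hold */
        struct in_addr probe;
        int r, k = strcmp(tok[i], "internet") == 0 ? 3 : 2;   /* tokens this condition uses */
        if (i + k > n)
            return -1;                                /* condition missing its argument(s) */
        if (k == 3)
            r = match_net(c->addr, tok[i + 1], tok[i + 2]);
        else if (inet_pton(AF_INET, tok[i], &probe) == 1)     /* COMPATIBILITY: bare "net mask" */
            r = match_net(c->addr, tok[i], tok[i + 1]);
        else if (strcmp(tok[i], "hostname") == 0)
            r = c->host != NULL && strcasecmp(c->host, tok[i + 1]) == 0;
        else if (strcmp(tok[i], "port") == 0)
            r = strcmp(c->port, tok[i + 1]) == 0;
        else if (strcmp(tok[i], "user") == 0)
            r = strcmp(c->user, tok[i + 1]) == 0;
        else if (strcmp(tok[i], "group") == 0)
            r = c->group != NULL && strcmp(c->group, tok[i + 1]) == 0;
        else
            return -1;                                /* unknown condition keyword */
        if (r < 0) return -1;
        if (r == 0) matched = 0;                      /* keep scanning: a later syntax error still voids the rule */
        i += k;
    }
    return matched;
}

/* 1 = UNIX password allowed, 0 = S/Key required.  table == NULL models a missing
 * /etc/skey.access; *skipped counts rules dropped for syntax errors (what libskey syslogs). */
int skey_password_allowed(const char *table, const struct login_ctx *c, int *skipped)
{
    char *copy, *save = NULL, *line;
    int verdict = 0;                                  /* table exists: deny unless a rule permits */
    if (skipped) *skipped = 0;
    if (table == NULL) return 1;                      /* no table: no restrictions */
    if (strcmp(c->port, CONSOLE) == 0) return 1;      /* console always permits UNIX passwords */
    copy = strdup(table);
    for (line = strtok_r(copy, "\n", &save); line; line = strtok_r(NULL, "\n", &save)) {
        int permit, r = match_rule(line, c, &permit);
        if (r < 0) { if (skipped) (*skipped)++; continue; }
        if (r == 1) { verdict = permit; break; }      /* first matching rule ends the search */
    }
    free(copy);
    return verdict;
}

const char *EXAMPLE_TABLE =                           /* constructed, not a real site's policy */
    "deny user root                              # root always uses S/Key\n"
    "permit internet 131.155.210.0 255.255.255.0 # trusted LAN\n"
    "permit 10.0.0.0 255.0.0.0 port ttyp0        # COMPATIBILITY form, no 'internet' keyword\n"
    "permit hostname wzv.win.tue.nl group wheel\n"
    "bogus rule, skipped with a diagnostic\n"
    "permit port ttya\n"
    "deny                                        # everything else needs S/Key\n";
```

To evaluate a login, fill a
.Vt struct login_ctx
and call
.Fn skey_password_allowed
with the table text (or NULL for a missing table); against
.Dv EXAMPLE_TABLE ,
a login from 131.155.210.17 on a pseudo-tty is permitted by the trusted-LAN
rule, while a local pseudo-tty login with no host and no address matches
nothing but the final
.Ic deny
and must use S/Key.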
.Sh FILES
.Bl -tag -width /etc/skey.access
.It Pa /etc/skey.access
password control table
.El
.Sh SEE ALSO
.Xr login 1 ,
.Xr syslogd 8
.Sh AUTHORS
.An Wietse Venema ,
Eindhoven University of Technology,
The Netherlands.