path: root/lib/libskey/skey.access.5
author: ru <ru@FreeBSD.org> 2001-01-12 18:01:17 +0000
committer: ru <ru@FreeBSD.org> 2001-01-12 18:01:17 +0000
commit: bc2ba25874677fabcaa2a759d324d6ab479e6192 (patch)
tree: 9b0e8fe353226a94163be01c819590a90f5307c9 /lib/libskey/skey.access.5
parent: a8609c073f9f858a3ce5123dcda90d8ef1fd10f3 (diff)
download: FreeBSD-src-bc2ba25874677fabcaa2a759d324d6ab479e6192.zip
FreeBSD-src-bc2ba25874677fabcaa2a759d324d6ab479e6192.tar.gz
man(7) -> mdoc(7).
Diffstat (limited to 'lib/libskey/skey.access.5')
-rw-r--r-- lib/libskey/skey.access.5 258
1 files changed, 170 insertions, 88 deletions
diff --git a/lib/libskey/skey.access.5 b/lib/libskey/skey.access.5
index 400227e..e9586b5 100644
--- a/lib/libskey/skey.access.5
+++ b/lib/libskey/skey.access.5
@@ -1,142 +1,224 @@
.\" $FreeBSD$
.\"
-.TH SKEY.ACCESS 5
-.SH NAME
-skey.access \- S/Key password control table
-.SH DESCRIPTION
-The S/Key password control table (\fI/etc/skey.access\fR) is used by
-\fIlogin\fR-like programs to determine when UNIX passwords may be used
+.Dd January 12, 2001
+.Dt SKEY.ACCESS 5
+.Os
+.Sh NAME
+.Nm skey.access
+.Nd "S/Key password control table"
+.Sh DESCRIPTION
+The S/Key password control table
+.Pq Pa /etc/skey.access
+is used by
+.Nm login Ns \-like
+programs to determine when
+.Ux
+passwords may be used
to access the system.
-.IP \(bu
-When the table does not exist, there are no password restrictions. The
-user may enter the UNIX password or the S/Key one.
-.IP \(bu
-When the table does exist, UNIX passwords are permitted only when
+.Bl -bullet
+.It
+When the table does not exist, there are no password restrictions.
+The user may enter the
+.Ux
+password or the S/Key one.
+.It
+When the table does exist,
+.Ux
+passwords are permitted only when
explicitly specified.
-.IP \(bu
-For the sake of sanity, UNIX passwords are always permitted on the
+.It
+For the sake of sanity,
+.Ux
+passwords are always permitted on the
systems console.
-.SH "TABLE FORMAT"
-The format of the table is one rule per line. Rules are matched in
-order. The search terminates when the first matching rule is found, or
+.El
+.Sh TABLE FORMAT
+The format of the table is one rule per line.
+Rules are matched in order.
+The search terminates when the first matching rule is found, or
when the end of the table is reached.
-.PP
+.Pp
Rules have the form:
-.sp
-.in +5
-permit condition condition...
-.br
-deny condition condition...
-.in
-.PP
+.Pp
+.Bl -item -offset indent -compact
+.It
+.Ic permit
+.Ar condition condition ...
+.It
+.Ic deny
+.Ar condition condition ...
+.El
+.Pp
where
-.I permit
+.Ic permit
and
-.I deny
-may be followed by zero or more conditions.
-Comments begin with a `#\'
-character, and extend through the end of the line. Empty lines or
+.Ic deny
+may be followed by zero or more
+.Ar conditions .
+Comments begin with a
+.Ql #
+character, and extend through the end of the line.
+Empty lines or
lines with only comments are ignored.
-.PP
+.Pp
A rule is matched when all conditions are satisfied.
A rule without
conditions is always satisfied.
For example, the last entry could
be a line with just the word
-.I deny
+.Ic deny
on it.
-.SH CONDITIONS
-.IP "hostname wzv.win.tue.nl"
-True when the login comes from host wzv.win.tue.nl.
-See the WARNINGS section below.
-.IP "internet 131.155.210.0 255.255.255.0"
+.Sh CONDITIONS
+.Bl -tag -width indent
+.It Ic hostname Ar wzv.win.tue.nl
+True when the login comes from host
+.Ar wzv.win.tue.nl .
+See the
+.Sx WARNINGS
+section below.
+.It Ic internet Ar 131.155.210.0 255.255.255.0
True when the remote host has an internet address in network
-131.155.210. The general form of a net/mask rule is:
-.sp
-.ti +5
-internet net mask
-.sp
+.Ar 131.155.210 .
+The general form of a net/mask rule is:
+.Pp
+.D1 Ic internet Ar net mask
+.Pp
The expression is true when the host has an internet address for which
the bitwise and of
-.I address
+.Ar address
and
-.I mask
+.Ar mask
equals
-.IR net.
-See the WARNINGS section below.
-.IP "port ttya"
+.Ar net .
+See the
+.Sx WARNINGS
+section below.
+.It Ic port Ar ttya
True when the login terminal is equal to
-.IR /dev/ttya .
-Remember that UNIX passwords are always permitted with logins on the
+.Pa /dev/ttya .
+Remember that
+.Ux
+passwords are always permitted with logins on the
system console.
-.IP "user uucp"
+.It Ic user Ar uucp
True when the user attempts to log in as
-.IR uucp .
-.IP "group wheel"
+.Ar uucp .
+.It Ic group Ar wheel
True when the user attempts to log in as a member of the
-.I wheel
+.Ar wheel
group.
-.SH COMPATIBILITY
+.El
+.Sh COMPATIBILITY
For the sake of backwards compatibility, the
-.I internet
+.Ic internet
keyword may be omitted from net/mask patterns.
-.SH WARNINGS
-When the S/Key control table (\fI/etc/skey.access\fR)
+.Sh WARNINGS
+When the S/Key control table
+.Pq Pa /etc/skey.access
exists, users without S/Key passwords will be able to login only
-where its rules allow the use of UNIX passwords. In particular, this
-means that an invocation of \fIlogin(1)\fR in a pseudo-tty (e.g. from
-within \fIxterm(1)\fR or \fIscreen(1)\fR) will be treated as a login
+where its rules allow the use of
+.Ux
+passwords.
+In particular, this
+means that an invocation of
+.Xr login 1
+in a pseudo-tty (e.g. from
+within
+.Xr xterm 1
+or
+.Xr screen 1
+will be treated as a login
that is neither from the console nor from the network, mandating the use
-of an S/Key password. Such an invocation of \fIlogin(1)\fR will necessarily
+of an S/Key password.
+Such an invocation of
+.Xr login 1
+will necessarily
fail for those users who do not have an S/Key password.
-.PP
+.Pp
Several rule types depend on host name or address information obtained
-through the network. What follows is a list of conceivable attacks to
-force the system to permit UNIX passwords.
-.IP "Host address spoofing (source routing)"
+through the network.
+What follows is a list of conceivable attacks to force the system to permit
+.Ux
+passwords.
+.Ss "Host address spoofing (source routing)"
An intruder configures a local interface to an address in a trusted
-network and connects to the victim using that source address. Given
+network and connects to the victim using that source address.
+Given
the wrong client address, the victim draws the wrong conclusion from
rules based on host addresses or from rules based on host names derived
from addresses.
-.sp
-Remedies: (1) do not permit UNIX passwords with network logins; (2)
-use network software that discards source routing information (e.g.
+.Pp
+Remedies:
+.Bl -enum
+.It
+do not permit
+.Ux
+passwords with network logins;
+.It
+use network software that discards source routing information (e.g.\&
a tcp wrapper).
-.PP
+.El
+.Pp
Almost every network server must look up the client host name using the
client network address.
The next obvious attack therefore is:
-.IP "Host name spoofing (bad PTR record)"
+.Ss "Host name spoofing (bad PTR record)"
An intruder manipulates the name server system so that the client
-network address resolves to the name of a trusted host. Given the
+network address resolves to the name of a trusted host.
+Given the
wrong host name, the victim draws the wrong conclusion from rules based
on host names, or from rules based on addresses derived from host
names.
-.sp
-Remedies: (1) do not permit UNIX passwords with network logins; (2) use
+.Pp
+Remedies:
+.Bl -enum
+.It
+do not permit
+.Ux
+passwords with network logins;
+.It
+use
network software that verifies that the hostname resolves to the client
network address (e.g. a tcp wrapper).
-.PP
-Some applications, such as the UNIX login program, must look up the
+.El
+.Pp
+Some applications, such as the
+.Ux
+.Xr login 1
+program, must look up the
client network address using the client host name.
In addition to the
previous two attacks, this opens up yet another possibility:
-.IP "Host address spoofing (extra A record)"
+.Ss "Host address spoofing (extra A record)"
An intruder manipulates the name server system so that the client host
name (also) resolves to a trusted address.
-.sp
-Remedies: (1) do not permit UNIX passwords with network logins; (2)
-the skeyaccess() routines ignore network addresses that appear to
+.Pp
+Remedies:
+.Bl -enum
+.It
+do not permit
+.Ux
+passwords with network logins;
+.It
+the
+.Fn skeyaccess
+routines ignore network addresses that appear to
belong to someone else.
-.SH DIAGNOSTICS
-Syntax errors are reported to the syslogd.
+.El
+.Sh DIAGNOSTICS
+Syntax errors are reported to the
+.Xr syslogd 8 .
When an error is found
the rule is skipped.
-.SH FILES
-/etc/skey.access, password control table
-.SH AUTHOR
-.nf
-Wietse Venema
-Eindhoven University of Technology
-The Netherlands
+.Sh FILES
+.Bl -tag -width /etc/skey.access
+.It Pa /etc/skey.access
+password control table
+.El
+.Sh SEE ALSO
+.Xr login 1 ,
+.Xr syslogd 8
+.Sh AUTHORS
+.An Wietse Venema ,
+Eindhoven University of Technology,
+The Netherlands.
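Review bot: The closing parenthesis of the pseudo-tty example is lost in the WARNINGS paragraph: the removed text read `within \fIxterm(1)\fR or \fIscreen(1)\fR) will be treated`, but the added lines `.Xr screen 1` / `will be treated as a login` leave the `(e.g. from within ...` parenthetical unclosed; `.Xr screen 1 )` restores it. Two smaller nits in the same hunk: `.Nm login Ns \-like` in DESCRIPTION marks login as this page's own name, where `.Xr login 1 Ns -like` is the usual cross-reference form (the WARNINGS section already uses `.Xr login 1`); and the first remedies list writes `e.g.\&` while the second keeps `(e.g. a tcp wrapper)` without the `\&`, so the two lists should use the same spelling.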