| field | value | |
|---|---|---|
| author | ru <ru@FreeBSD.org> | 2001-01-12 18:01:17 +0000 |
| committer | ru <ru@FreeBSD.org> | 2001-01-12 18:01:17 +0000 |
| commit | bc2ba25874677fabcaa2a759d324d6ab479e6192 (patch) | |
| tree | 9b0e8fe353226a94163be01c819590a90f5307c9 /lib/libskey/skey.access.5 | |
| parent | a8609c073f9f858a3ce5123dcda90d8ef1fd10f3 (diff) | |
| download | FreeBSD-src-bc2ba25874677fabcaa2a759d324d6ab479e6192.zip FreeBSD-src-bc2ba25874677fabcaa2a759d324d6ab479e6192.tar.gz | |
man(7) -> mdoc(7).
Diffstat (limited to 'lib/libskey/skey.access.5')
-rw-r--r-- | lib/libskey/skey.access.5 | 258 |
1 files changed, 170 insertions, 88 deletions
diff --git a/lib/libskey/skey.access.5 b/lib/libskey/skey.access.5 index 400227e..e9586b5 100644 --- a/lib/libskey/skey.access.5 +++ b/lib/libskey/skey.access.5 
@@ -1,142 +1,224 @@ .\" $FreeBSD$ .\" -.TH SKEY.ACCESS 5 -.SH NAME -skey.access \- S/Key password control table -.SH DESCRIPTION -The S/Key password control table (\fI/etc/skey.access\fR) is used by -\fIlogin\fR-like programs to determine when UNIX passwords may be used +.Dd January 12, 2001 +.Dt SKEY.ACCESS 5 +.Os +.Sh NAME +.Nm skey.access +.Nd "S/Key password control table" +.Sh DESCRIPTION +The S/Key password control table +.Pq Pa /etc/skey.access +is used by +.Nm login Ns \-like +programs to determine when +.Ux +passwords may be used to access the system. -.IP \(bu -When the table does not exist, there are no password restrictions. The -user may enter the UNIX password or the S/Key one. -.IP \(bu -When the table does exist, UNIX passwords are permitted only when +.Bl -bullet +.It +When the table does not exist, there are no password restrictions. +The user may enter the +.Ux +password or the S/Key one. +.It +When the table does exist, +.Ux +passwords are permitted only when explicitly specified. -.IP \(bu -For the sake of sanity, UNIX passwords are always permitted on the +.It +For the sake of sanity, +.Ux +passwords are always permitted on the systems console. -.SH "TABLE FORMAT" -The format of the table is one rule per line. Rules are matched in -order. The search terminates when the first matching rule is found, or +.El +.Sh TABLE FORMAT +The format of the table is one rule per line. +Rules are matched in order. +The search terminates when the first matching rule is found, or when the end of the table is reached. -.PP +.Pp Rules have the form: -.sp -.in +5 -permit condition condition... -.br -deny condition condition... -.in -.PP +.Pp +.Bl -item -offset indent -compact +.It +.Ic permit +.Ar condition condition ... +.It +.Ic deny +.Ar condition condition ... +.El +.Pp where -.I permit +.Ic permit and -.I deny -may be followed by zero or more conditions. -Comments begin with a `#\' -character, and extend through the end of the line. 
Empty lines or +.Ic deny +may be followed by zero or more +.Ar conditions . +Comments begin with a +.Ql # +character, and extend through the end of the line. +Empty lines or lines with only comments are ignored. -.PP +.Pp A rule is matched when all conditions are satisfied. A rule without conditions is always satisfied. For example, the last entry could be a line with just the word -.I deny +.Ic deny on it. -.SH CONDITIONS -.IP "hostname wzv.win.tue.nl" -True when the login comes from host wzv.win.tue.nl. -See the WARNINGS section below. -.IP "internet 131.155.210.0 255.255.255.0" +.Sh CONDITIONS +.Bl -tag -width indent +.It Ic hostname Ar wzv.win.tue.nl +True when the login comes from host +.Ar wzv.win.tue.nl . +See the +.Sx WARNINGS +section below. +.It Ic internet Ar 131.155.210.0 255.255.255.0 True when the remote host has an internet address in network -131.155.210. The general form of a net/mask rule is: -.sp -.ti +5 -internet net mask -.sp +.Ar 131.155.210 . +The general form of a net/mask rule is: +.Pp +.D1 Ic internet Ar net mask +.Pp The expression is true when the host has an internet address for which the bitwise and of -.I address +.Ar address and -.I mask +.Ar mask equals -.IR net. -See the WARNINGS section below. -.IP "port ttya" +.Ar net . +See the +.Sx WARNINGS +section below. +.It Ic port Ar ttya True when the login terminal is equal to -.IR /dev/ttya . -Remember that UNIX passwords are always permitted with logins on the +.Pa /dev/ttya . +Remember that +.Ux +passwords are always permitted with logins on the system console. -.IP "user uucp" +.It Ic user Ar uucp True when the user attempts to log in as -.IR uucp . -.IP "group wheel" +.Ar uucp . +.It Ic group Ar wheel True when the user attempts to log in as a member of the -.I wheel +.Ar wheel group. -.SH COMPATIBILITY +.El +.Sh COMPATIBILITY For the sake of backwards compatibility, the -.I internet +.Ic internet keyword may be omitted from net/mask patterns. 
-.SH WARNINGS -When the S/Key control table (\fI/etc/skey.access\fR) +.Sh WARNINGS +When the S/Key control table +.Pq Pa /etc/skey.access exists, users without S/Key passwords will be able to login only -where its rules allow the use of UNIX passwords. In particular, this -means that an invocation of \fIlogin(1)\fR in a pseudo-tty (e.g. from -within \fIxterm(1)\fR or \fIscreen(1)\fR) will be treated as a login +where its rules allow the use of +.Ux +passwords. +In particular, this +means that an invocation of +.Xr login 1 +in a pseudo-tty (e.g. from +within +.Xr xterm 1 +or +.Xr screen 1 +will be treated as a login that is neither from the console nor from the network, mandating the use -of an S/Key password. Such an invocation of \fIlogin(1)\fR will necessarily +of an S/Key password. +Such an invocation of +.Xr login 1 +will necessarily fail for those users who do not have an S/Key password. -.PP +.Pp Several rule types depend on host name or address information obtained -through the network. What follows is a list of conceivable attacks to -force the system to permit UNIX passwords. -.IP "Host address spoofing (source routing)" +through the network. +What follows is a list of conceivable attacks to force the system to permit +.Ux +passwords. +.Ss "Host address spoofing (source routing)" An intruder configures a local interface to an address in a trusted -network and connects to the victim using that source address. Given +network and connects to the victim using that source address. +Given the wrong client address, the victim draws the wrong conclusion from rules based on host addresses or from rules based on host names derived from addresses. -.sp -Remedies: (1) do not permit UNIX passwords with network logins; (2) -use network software that discards source routing information (e.g. +.Pp +Remedies: +.Bl -enum +.It +do not permit +.Ux +passwords with network logins; +.It +use network software that discards source routing information (e.g.\& a tcp wrapper). 
-.PP +.El +.Pp Almost every network server must look up the client host name using the client network address. The next obvious attack therefore is: -.IP "Host name spoofing (bad PTR record)" +.Ss "Host name spoofing (bad PTR record)" An intruder manipulates the name server system so that the client -network address resolves to the name of a trusted host. Given the +network address resolves to the name of a trusted host. +Given the wrong host name, the victim draws the wrong conclusion from rules based on host names, or from rules based on addresses derived from host names. -.sp -Remedies: (1) do not permit UNIX passwords with network logins; (2) use +.Pp +Remedies: +.Bl -enum +.It +do not permit +.Ux +passwords with network logins; +.It +use network software that verifies that the hostname resolves to the client network address (e.g. a tcp wrapper). -.PP -Some applications, such as the UNIX login program, must look up the +.El +.Pp +Some applications, such as the +.Ux +.Xr login 1 +program, must look up the client network address using the client host name. In addition to the previous two attacks, this opens up yet another possibility: -.IP "Host address spoofing (extra A record)" +.Ss "Host address spoofing (extra A record)" An intruder manipulates the name server system so that the client host name (also) resolves to a trusted address. -.sp -Remedies: (1) do not permit UNIX passwords with network logins; (2) -the skeyaccess() routines ignore network addresses that appear to +.Pp +Remedies: +.Bl -enum +.It +do not permit +.Ux +passwords with network logins; +.It +the +.Fn skeyaccess +routines ignore network addresses that appear to belong to someone else. -.SH DIAGNOSTICS -Syntax errors are reported to the syslogd. +.El +.Sh DIAGNOSTICS +Syntax errors are reported to the +.Xr syslogd 8 . When an error is found the rule is skipped. 
-.SH FILES -/etc/skey.access, password control table -.SH AUTHOR -.nf -Wietse Venema -Eindhoven University of Technology -The Netherlands +.Sh FILES +.Bl -tag -width /etc/skey.access +.It Pa /etc/skey.access +password control table +.El +.Sh SEE ALSO +.Xr login 1 , +.Xr syslogd 8 +.Sh AUTHORS +.An Wietse Venema , +Eindhoven University of Technology, +The Netherlands. |
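Review bot: the WARNINGS paragraph in this hunk loses the closing parenthesis that the removed text had after `\fIscreen(1)\fR)`: the new lines `.Xr screen 1` followed by `will be treated as a login` leave the "(e.g. from within ..." clause unclosed, so the rendered page reads "in a pseudo-tty (e.g. from within xterm(1) or screen(1) will be treated". Change the macro to `.Xr screen 1 )` so mdoc emits the trailing parenthesis as punctuation. Two smaller style points in the same hunk: the first Remedies list writes `(e.g.\&` while the second list's `(e.g. a tcp wrapper)` and the WARNINGS `(e.g. from` omit the `\&`, so end-of-sentence spacing after "e.g." will differ between them; and `.Nm login Ns \-like` in DESCRIPTION marks `login` as this page's own name, where a cross reference in the form `.Xr login 1 Ns -like` would match the `.Xr login 1` used in the rest of the page.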