author: jkoshy <jkoshy@FreeBSD.org> 1998-05-18 09:36:31 +0000
committer: jkoshy <jkoshy@FreeBSD.org> 1998-05-18 09:36:31 +0000
commit: b4dd89037bb7c6ccd45eb36e21d058671e6454c5
tree: aba4de9973f9eac7692aebac41fdf5658e4ca268 /lib/libskey
parent: d40a1af7e08585baef50c2b39e2084a2895d94f9
Add warning about interaction of S/Key and login(1) for users without S/Key
passwords attempting to invoke login(1) on a pty. PR: 3289
Diffstat (limited to 'lib/libskey')
-rw-r--r-- lib/libskey/skey.access.5 | 9
1 files changed, 9 insertions, 0 deletions
diff --git a/lib/libskey/skey.access.5 b/lib/libskey/skey.access.5
index 2e12ad1..9fff8f9 100644
--- a/lib/libskey/skey.access.5
+++ b/lib/libskey/skey.access.5
@@ -76,6 +76,15 @@ For the sake of backwards compatibility, the
.I internet
keyword may be omitted from net/mask patterns.
.SH WARNINGS
+When the S/Key control table (\fI/etc/skey.access\fR)
+exists, users without S/Key passwords will be able to login only
+where its rules allow the use of UNIX passwords. In particular, this
+means that an invocation of \fIlogin(1)\fR in a pseudo-tty (e.g. from
+within \fIxterm(1)\fR or \fIscreen(1)\fR) will be treated as a login
+that is neither from the console nor from the network, mandating the use
+of an S/Key password. Such an invocation of \fIlogin(1)\fR will necessarily
+fail for those users who do not have an S/Key password.
+.PP
Several rule types depend on host name or address information obtained
through the network. What follows is a list of conceivable attacks to
force the system to permit UNIX passwords.
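Review bot: the last two added sentences state the pty case unconditionally ("mandating the use of an S/Key password", "will necessarily fail"), while the first added sentence makes the outcome depend on where the rules in /etc/skey.access allow UNIX passwords. As written, a reader cannot tell whether the failure is fixed behaviour or a consequence of a table that has no rule covering such logins. Suggest qualifying the claim, for example "unless a rule allows UNIX passwords for such a login", and adding one sentence that tells the administrator what to do for affected users, since the paragraph currently describes the lockout without a remedy. The new paragraph also sits directly above the sentence that introduces "a list of conceivable attacks", so a lockout warning now precedes an attack list with only a .PP between them; a short lead-in or reordering would keep the two topics distinct. Minor style point: the added lines use inline \fI...\fR escapes, including around the section number in login(1), where the surrounding context uses the .I macro form.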