author: ru <ru@FreeBSD.org> 2001-01-12 18:01:17 +0000
committer: ru <ru@FreeBSD.org> 2001-01-12 18:01:17 +0000
commit: bc2ba25874677fabcaa2a759d324d6ab479e6192 (patch)
tree: 9b0e8fe353226a94163be01c819590a90f5307c9 /lib
parent: a8609c073f9f858a3ce5123dcda90d8ef1fd10f3 (diff)
man(7) -> mdoc(7).
Diffstat (limited to 'lib')
-rw-r--r-- lib/libskey/skey.1 128
-rw-r--r-- lib/libskey/skey.access.5 258
2 files changed, 248 insertions, 138 deletions
diff --git a/lib/libskey/skey.1 b/lib/libskey/skey.1
index 8ab4ac7..34cfb21 100644
--- a/lib/libskey/skey.1
+++ b/lib/libskey/skey.1
@@ -1,63 +1,91 @@
-.ll 6i
-.pl 10.5i
.\" @(#)skey.1 1.1 10/28/93
.\" $FreeBSD$
.\"
-.lt 6.0i
-.TH KEY 1 "28 October 1993"
-.AT 3
-.SH NAME
-S/key \- A procedure to use one time passwords for accessing computer systems.
-.SH DESCRIPTION
-.I S/key
+.Dd October 28, 1993
+.Dt KEY 1
+.Os
+.Sh NAME
+.Nm S/key
+.Nd "A procedure to use one time passwords for accessing computer systems"
+.Sh DESCRIPTION
+.Nm
is a procedure for using one time password to authenticate access to
computer systems.
It uses 64 bits of information transformed by the
MD4 algorithm.
The user supplies the 64 bits in the form of 6 English
words that are generated by a secure computer.
-Example use of the S/key program
-.I key
-.sp
- Usage example:
-.sp 0
- >key 99 th91334
-.sp 0
- Enter password: <your secret password is entered here>
-.sp 0
- OMEN US HORN OMIT BACK AHOY
-.sp 0
- >
-.sp
-The programs that are part of the S/Key system are keyinit, key, and
-keyinfo.
-Keyinit is used to get your ID set up, key is
+Example use of the
+.Nm
+program
+.Nm key :
+.Bd -literal -offset indent
+>key 99 th91334
+Enter password: <your secret password is entered here>
+OMEN US HORN OMIT BACK AHOY
+>
+.Ed
+.Pp
+The programs that are part of the
+.Nm
+system are
+.Nm keyinit , key ,
+and
+.Nm keyinfo .
+.Nm Keyinit
+is used to get your ID set up,
+.Nm key
+is
used to get the one time password each time,
-keyinfo is used to extract information from the S/Key database.
-.sp
-When you run "keyinit" you inform the system of your
-secret password. Running "key" then generates the
+.Nm keyinfo
+is used to extract information from the
+.Nm
+database.
+.Pp
+When you run
+.Nm keyinit
+you inform the system of your
+secret password.
+Running
+.Nm key
+then generates the
one-time passwords, and also requires your secret
-password. If however, you misspell your password
-while running "key", you will get a list of passwords
+password.
+If however, you misspell your password
+while running
+.Nm key ,
+you will get a list of passwords
that will not work, and no indication about the problem.
-.sp
-Password sequence numbers count backward from 99. If you
-don't know this, the syntax for "key" will be confusing.
-.sp
+.Pp
+Password sequence numbers count backward from 99.
+If you don't know this, the syntax for
+.Nm key
+will be confusing.
+.Pp
You can enter the passwords using small letters, even
-though the "key" program gives them in caps.
-.sp
-Macintosh and a general purpose PC use
-are available.
-.sp
-Under FreeBSD, you can control, with /etc/skey.access, from which
-hosts and/or networks the use of S/Key passwords is obligated.
-.LP
-.SH SEE ALSO
-.BR keyinit(1),
-.BR key(1),
-.BR keyinfo(1)
-.BR skey.access(5)
-.SH AUTHOR
-Phil Karn, Neil M. Haller, John S. Walden, Scott Chasin
+though the
+.Nm key
+program gives them in caps.
+.Pp
+.Tn Macintosh
+and a general purpose
+.Tn PC
+use are available.
+.Pp
+Under
+.Fx ,
+you can control, with
+.Pa /etc/skey.access ,
+from which hosts and/or networks the use of
+.Nm
+passwords is obligated.
+.Sh SEE ALSO
+.Xr key 1 ,
+.Xr keyinfo 1 ,
+.Xr keyinit 1 ,
+.Xr skey.access 5
+.Sh AUTHORS
+.An Phil Karn
+.An Neil M. Haller
+.An John S. Walden
+.An Scott Chasin
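Review bot: `.Nm Keyinit` in the DESCRIPTION paragraph records a capitalized name that does not match the utility `keyinit` named two lines earlier in `.Nm keyinit , key ,`; with mdoc the sentence is better restructured so the name keeps its real spelling, e.g. `The` / `.Nm keyinit` / `utility is used to get your ID set up,`. Two smaller points in the same hunk: `.Nd "A procedure to use one time passwords for accessing computer systems"` is conventionally a short lowercase phrase without a leading article (`.Nd one-time password authentication`), and `.Dd October 28, 1993` is left at the original date while skey.access.5 in this same commit bumps its `.Dd` to the commit date; the two files should follow one convention.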
diff --git a/lib/libskey/skey.access.5 b/lib/libskey/skey.access.5
index 400227e..e9586b5 100644
--- a/lib/libskey/skey.access.5
+++ b/lib/libskey/skey.access.5
@@ -1,142 +1,224 @@
.\" $FreeBSD$
.\"
-.TH SKEY.ACCESS 5
-.SH NAME
-skey.access \- S/Key password control table
-.SH DESCRIPTION
-The S/Key password control table (\fI/etc/skey.access\fR) is used by
-\fIlogin\fR-like programs to determine when UNIX passwords may be used
+.Dd January 12, 2001
+.Dt SKEY.ACCESS 5
+.Os
+.Sh NAME
+.Nm skey.access
+.Nd "S/Key password control table"
+.Sh DESCRIPTION
+The S/Key password control table
+.Pq Pa /etc/skey.access
+is used by
+.Nm login Ns \-like
+programs to determine when
+.Ux
+passwords may be used
to access the system.
-.IP \(bu
-When the table does not exist, there are no password restrictions. The
-user may enter the UNIX password or the S/Key one.
-.IP \(bu
-When the table does exist, UNIX passwords are permitted only when
+.Bl -bullet
+.It
+When the table does not exist, there are no password restrictions.
+The user may enter the
+.Ux
+password or the S/Key one.
+.It
+When the table does exist,
+.Ux
+passwords are permitted only when
explicitly specified.
-.IP \(bu
-For the sake of sanity, UNIX passwords are always permitted on the
+.It
+For the sake of sanity,
+.Ux
+passwords are always permitted on the
systems console.
-.SH "TABLE FORMAT"
-The format of the table is one rule per line. Rules are matched in
-order. The search terminates when the first matching rule is found, or
+.El
+.Sh TABLE FORMAT
+The format of the table is one rule per line.
+Rules are matched in order.
+The search terminates when the first matching rule is found, or
when the end of the table is reached.
-.PP
+.Pp
Rules have the form:
-.sp
-.in +5
-permit condition condition...
-.br
-deny condition condition...
-.in
-.PP
+.Pp
+.Bl -item -offset indent -compact
+.It
+.Ic permit
+.Ar condition condition ...
+.It
+.Ic deny
+.Ar condition condition ...
+.El
+.Pp
where
-.I permit
+.Ic permit
and
-.I deny
-may be followed by zero or more conditions.
-Comments begin with a `#\'
-character, and extend through the end of the line. Empty lines or
+.Ic deny
+may be followed by zero or more
+.Ar conditions .
+Comments begin with a
+.Ql #
+character, and extend through the end of the line.
+Empty lines or
lines with only comments are ignored.
-.PP
+.Pp
A rule is matched when all conditions are satisfied.
A rule without
conditions is always satisfied.
For example, the last entry could
be a line with just the word
-.I deny
+.Ic deny
on it.
-.SH CONDITIONS
-.IP "hostname wzv.win.tue.nl"
-True when the login comes from host wzv.win.tue.nl.
-See the WARNINGS section below.
-.IP "internet 131.155.210.0 255.255.255.0"
+.Sh CONDITIONS
+.Bl -tag -width indent
+.It Ic hostname Ar wzv.win.tue.nl
+True when the login comes from host
+.Ar wzv.win.tue.nl .
+See the
+.Sx WARNINGS
+section below.
+.It Ic internet Ar 131.155.210.0 255.255.255.0
True when the remote host has an internet address in network
-131.155.210. The general form of a net/mask rule is:
-.sp
-.ti +5
-internet net mask
-.sp
+.Ar 131.155.210 .
+The general form of a net/mask rule is:
+.Pp
+.D1 Ic internet Ar net mask
+.Pp
The expression is true when the host has an internet address for which
the bitwise and of
-.I address
+.Ar address
and
-.I mask
+.Ar mask
equals
-.IR net.
-See the WARNINGS section below.
-.IP "port ttya"
+.Ar net .
+See the
+.Sx WARNINGS
+section below.
+.It Ic port Ar ttya
True when the login terminal is equal to
-.IR /dev/ttya .
-Remember that UNIX passwords are always permitted with logins on the
+.Pa /dev/ttya .
+Remember that
+.Ux
+passwords are always permitted with logins on the
system console.
-.IP "user uucp"
+.It Ic user Ar uucp
True when the user attempts to log in as
-.IR uucp .
-.IP "group wheel"
+.Ar uucp .
+.It Ic group Ar wheel
True when the user attempts to log in as a member of the
-.I wheel
+.Ar wheel
group.
-.SH COMPATIBILITY
+.El
+.Sh COMPATIBILITY
For the sake of backwards compatibility, the
-.I internet
+.Ic internet
keyword may be omitted from net/mask patterns.
-.SH WARNINGS
-When the S/Key control table (\fI/etc/skey.access\fR)
+.Sh WARNINGS
+When the S/Key control table
+.Pq Pa /etc/skey.access
exists, users without S/Key passwords will be able to login only
-where its rules allow the use of UNIX passwords. In particular, this
-means that an invocation of \fIlogin(1)\fR in a pseudo-tty (e.g. from
-within \fIxterm(1)\fR or \fIscreen(1)\fR) will be treated as a login
+where its rules allow the use of
+.Ux
+passwords.
+In particular, this
+means that an invocation of
+.Xr login 1
+in a pseudo-tty (e.g. from
+within
+.Xr xterm 1
+or
+.Xr screen 1
+will be treated as a login
that is neither from the console nor from the network, mandating the use
-of an S/Key password. Such an invocation of \fIlogin(1)\fR will necessarily
+of an S/Key password.
+Such an invocation of
+.Xr login 1
+will necessarily
fail for those users who do not have an S/Key password.
-.PP
+.Pp
Several rule types depend on host name or address information obtained
-through the network. What follows is a list of conceivable attacks to
-force the system to permit UNIX passwords.
-.IP "Host address spoofing (source routing)"
+through the network.
+What follows is a list of conceivable attacks to force the system to permit
+.Ux
+passwords.
+.Ss "Host address spoofing (source routing)"
An intruder configures a local interface to an address in a trusted
-network and connects to the victim using that source address. Given
+network and connects to the victim using that source address.
+Given
the wrong client address, the victim draws the wrong conclusion from
rules based on host addresses or from rules based on host names derived
from addresses.
-.sp
-Remedies: (1) do not permit UNIX passwords with network logins; (2)
-use network software that discards source routing information (e.g.
+.Pp
+Remedies:
+.Bl -enum
+.It
+do not permit
+.Ux
+passwords with network logins;
+.It
+use network software that discards source routing information (e.g.\&
a tcp wrapper).
-.PP
+.El
+.Pp
Almost every network server must look up the client host name using the
client network address.
The next obvious attack therefore is:
-.IP "Host name spoofing (bad PTR record)"
+.Ss "Host name spoofing (bad PTR record)"
An intruder manipulates the name server system so that the client
-network address resolves to the name of a trusted host. Given the
+network address resolves to the name of a trusted host.
+Given the
wrong host name, the victim draws the wrong conclusion from rules based
on host names, or from rules based on addresses derived from host
names.
-.sp
-Remedies: (1) do not permit UNIX passwords with network logins; (2) use
+.Pp
+Remedies:
+.Bl -enum
+.It
+do not permit
+.Ux
+passwords with network logins;
+.It
+use
network software that verifies that the hostname resolves to the client
network address (e.g. a tcp wrapper).
-.PP
-Some applications, such as the UNIX login program, must look up the
+.El
+.Pp
+Some applications, such as the
+.Ux
+.Xr login 1
+program, must look up the
client network address using the client host name.
In addition to the
previous two attacks, this opens up yet another possibility:
-.IP "Host address spoofing (extra A record)"
+.Ss "Host address spoofing (extra A record)"
An intruder manipulates the name server system so that the client host
name (also) resolves to a trusted address.
-.sp
-Remedies: (1) do not permit UNIX passwords with network logins; (2)
-the skeyaccess() routines ignore network addresses that appear to
+.Pp
+Remedies:
+.Bl -enum
+.It
+do not permit
+.Ux
+passwords with network logins;
+.It
+the
+.Fn skeyaccess
+routines ignore network addresses that appear to
belong to someone else.
-.SH DIAGNOSTICS
-Syntax errors are reported to the syslogd.
+.El
+.Sh DIAGNOSTICS
+Syntax errors are reported to the
+.Xr syslogd 8 .
When an error is found
the rule is skipped.
-.SH FILES
-/etc/skey.access, password control table
-.SH AUTHOR
-.nf
-Wietse Venema
-Eindhoven University of Technology
-The Netherlands
+.Sh FILES
+.Bl -tag -width /etc/skey.access
+.It Pa /etc/skey.access
+password control table
+.El
+.Sh SEE ALSO
+.Xr login 1 ,
+.Xr syslogd 8
+.Sh AUTHORS
+.An Wietse Venema ,
+Eindhoven University of Technology,
+The Netherlands.
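Review bot: the WARNINGS paragraph loses the closing parenthesis of the "(e.g. from within xterm(1) or screen(1))" aside: the removed line read `within \fIxterm(1)\fR or \fIscreen(1)\fR) will be treated`, but the replacement `.Xr screen 1` carries no trailing `)`, so the rendered text reads "(e.g. from within xterm(1) or screen(1) will be treated". Change it to `.Xr screen 1 )` so mdoc emits the delimiter. This is the one paragraph that explains why users without an S/Key password get locked out of pseudo-tty logins once the table exists, so it is worth rendering correctly. The rest of the conversion (bullet and enum lists, `.Pq Pa /etc/skey.access`, `.D1 Ic internet Ar net mask`, `e.g.\&` before the line break) looks right.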