path: root/lib/libskey/skey.access.5
Diffstat (limited to 'lib/libskey/skey.access.5')
-rw-r--r--  lib/libskey/skey.access.5  47
1 files changed, 43 insertions, 4 deletions
diff --git a/lib/libskey/skey.access.5 b/lib/libskey/skey.access.5
index e92b4a6..2e12ad1 100644
--- a/lib/libskey/skey.access.5
+++ b/lib/libskey/skey.access.5
@@ -2,10 +2,9 @@
.SH NAME
skey.access \- S/Key password control table
.SH DESCRIPTION
-The S/Key password control table (default
-.IR /etc/skey.access )
-is used by \fIlogin\fR-like programs to determine when UNIX passwords
-may be used to access the system.
+The S/Key password control table (\fI/etc/skey.access\fR) is used by
+\fIlogin\fR-like programs to determine when UNIX passwords may be used
+to access the system.
.IP \(bu
When the table does not exist, there are no password restrictions. The
user may enter the UNIX password or the S/Key one.
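Review bot: the rewrite of the opening sentence drops the word "default" before the path, so the page now states that the table is always /etc/skey.access; if the location is still configurable at build time (the old text "(default /etc/skey.access)" implied it was), that information is lost and the parenthetical should stay as "(default \fI/etc/skey.access\fR)". A smaller style point: the new lines switch from the `.IR` macro to inline `\fI...\fR` escapes, while the rest of the page (for example `.IR /dev/ttya .` and `.I mask` further down) keeps using the request-line macros; pick one convention for the file.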
@@ -44,6 +43,7 @@ on it.
.SH CONDITIONS
.IP "hostname wzv.win.tue.nl"
True when the login comes from host wzv.win.tue.nl.
+See the WARNINGS section below.
.IP "internet 131.155.210.0 255.255.255.0"
True when the remote host has an internet address in network
131.155.210. The general form of a net/mask rule is:
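Review bot: the added "See the WARNINGS section below." after the hostname rule is a bare pointer; since a hostname rule is exactly what the "Host name spoofing (bad PTR record)" and "Host address spoofing (extra A record)" entries describe, say which warning applies, e.g. "Host names are obtained through the network and can be spoofed; see the WARNINGS section below." so a reader of the rule knows why the pointer is there.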
@@ -58,6 +58,7 @@ and
.I mask
equals
.IR net.
+See the WARNINGS section below.
.IP "port ttya"
True when the login terminal is equal to
.IR /dev/ttya .
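Review bot: this is the second copy of the same sentence "See the WARNINGS section below." within CONDITIONS, and the port and group rules that follow do not need it; consider one sentence at the top of CONDITIONS (or at the top of WARNINGS) stating that the hostname and internet keywords depend on network-supplied data, so each rule entry stays terse. While here, the unchanged context line `.IR net.` italicizes the trailing period as well; it should be `.IR net .` so the period is set in roman, matching `.IR /dev/ttya .` below.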
@@ -74,6 +75,44 @@ group.
For the sake of backwards compatibility, the
.I internet
keyword may be omitted from net/mask patterns.
+.SH WARNINGS
+Several rule types depend on host name or address information obtained
+through the network. What follows is a list of conceivable attacks to
+force the system to permit UNIX passwords.
+.IP "Host address spoofing (source routing)"
+An intruder configures a local interface to an address in a trusted
+network and connects to the victim using that source address. Given
+the wrong client address, the victim draws the wrong conclusion from
+rules based on host addresses or from rules based on host names derived
+from addresses.
+.sp
+Remedies: (1) do not permit UNIX passwords with network logins; (2)
+use network software that discards source routing information (e.g.
+a tcp wrapper).
+.PP
+Almost every network server must look up the client host name using the
+client network address. The next obvious attack therefore is:
+.IP "Host name spoofing (bad PTR record)"
+An intruder manipulates the name server system so that the client
+network address resolves to the name of a trusted host. Given the
+wrong host name, the victim draws the wrong conclusion from rules based
+on host names, or from rules based on addresses derived from host
+names.
+.sp
+Remedies: (1) do not permit UNIX passwords with network logins; (2) use
+network software that verifies that the hostname resolves to the client
+network address (e.g. a tcp wrapper).
+.PP
+Some applications, such as the UNIX login program, must look up the
+client network address using the client host name. In addition to the
+previous two attacks, this opens up yet another possibility:
+.IP "Host address spoofing (extra A record)"
+An intruder manipulates the name server system so that the client host
+name (also) resolves to a trusted address.
+.sp
+Remedies: (1) do not permit UNIX passwords with network logins; (2)
+the skeyaccess() routines ignore network addresses that appear to
+belong to someone else.
.SH DIAGNOSTICS
Syntax errors are reported to the syslogd. When an error is found
the rule is skipped.
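Review bot: the "Host address spoofing (source routing)" entry names source routing in its heading but the body never explains its role; as written ("configures a local interface to an address in a trusted network and connects to the victim using that source address") the attack would not work on its own, because replies would go to the real owner of the address. Add the missing step, i.e. that the intruder uses IP source-routing options so the victim's replies are routed back to the intruder's host, which is also what makes remedy (2) "discards source routing information" effective. Second, remedy (2) of the "extra A record" entry, "the skeyaccess() routines ignore network addresses that appear to belong to someone else", is too vague for a man page: state the criterion the code applies (presumably that an address returned for the client name is ignored unless it resolves back to that name), otherwise an administrator cannot tell what is actually checked.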