summaryrefslogtreecommitdiffstats
path: root/lib/libskey/skey.access.5
diff options
context:
space:
mode:
Diffstat (limited to 'lib/libskey/skey.access.5')
-rw-r--r--lib/libskey/skey.access.5224
1 files changed, 0 insertions, 224 deletions
diff --git a/lib/libskey/skey.access.5 b/lib/libskey/skey.access.5
deleted file mode 100644
index e9586b5..0000000
--- a/lib/libskey/skey.access.5
+++ /dev/null
@@ -1,224 +0,0 @@
-.\" $FreeBSD$
-.\"
-.Dd January 12, 2001
-.Dt SKEY.ACCESS 5
-.Os
-.Sh NAME
-.Nm skey.access
-.Nd "S/Key password control table"
-.Sh DESCRIPTION
-The S/Key password control table
-.Pq Pa /etc/skey.access
-is used by
-.Nm login Ns \-like
-programs to determine when
-.Ux
-passwords may be used
-to access the system.
-.Bl -bullet
-.It
-When the table does not exist, there are no password restrictions.
-The user may enter the
-.Ux
-password or the S/Key one.
-.It
-When the table does exist,
-.Ux
-passwords are permitted only when
-explicitly specified.
-.It
-For the sake of sanity,
-.Ux
-passwords are always permitted on the
-systems console.
-.El
-.Sh TABLE FORMAT
-The format of the table is one rule per line.
-Rules are matched in order.
-The search terminates when the first matching rule is found, or
-when the end of the table is reached.
-.Pp
-Rules have the form:
-.Pp
-.Bl -item -offset indent -compact
-.It
-.Ic permit
-.Ar condition condition ...
-.It
-.Ic deny
-.Ar condition condition ...
-.El
-.Pp
-where
-.Ic permit
-and
-.Ic deny
-may be followed by zero or more
-.Ar conditions .
-Comments begin with a
-.Ql #
-character, and extend through the end of the line.
-Empty lines or
-lines with only comments are ignored.
-.Pp
-A rule is matched when all conditions are satisfied.
-A rule without
-conditions is always satisfied.
-For example, the last entry could
-be a line with just the word
-.Ic deny
-on it.
-.Sh CONDITIONS
-.Bl -tag -width indent
-.It Ic hostname Ar wzv.win.tue.nl
-True when the login comes from host
-.Ar wzv.win.tue.nl .
-See the
-.Sx WARNINGS
-section below.
-.It Ic internet Ar 131.155.210.0 255.255.255.0
-True when the remote host has an internet address in network
-.Ar 131.155.210 .
-The general form of a net/mask rule is:
-.Pp
-.D1 Ic internet Ar net mask
-.Pp
-The expression is true when the host has an internet address for which
-the bitwise and of
-.Ar address
-and
-.Ar mask
-equals
-.Ar net .
-See the
-.Sx WARNINGS
-section below.
-.It Ic port Ar ttya
-True when the login terminal is equal to
-.Pa /dev/ttya .
-Remember that
-.Ux
-passwords are always permitted with logins on the
-system console.
-.It Ic user Ar uucp
-True when the user attempts to log in as
-.Ar uucp .
-.It Ic group Ar wheel
-True when the user attempts to log in as a member of the
-.Ar wheel
-group.
-.El
-.Sh COMPATIBILITY
-For the sake of backwards compatibility, the
-.Ic internet
-keyword may be omitted from net/mask patterns.
-.Sh WARNINGS
-When the S/Key control table
-.Pq Pa /etc/skey.access
-exists, users without S/Key passwords will be able to login only
-where its rules allow the use of
-.Ux
-passwords.
-In particular, this
-means that an invocation of
-.Xr login 1
-in a pseudo-tty (e.g. from
-within
-.Xr xterm 1
-or
-.Xr screen 1
-will be treated as a login
-that is neither from the console nor from the network, mandating the use
-of an S/Key password.
-Such an invocation of
-.Xr login 1
-will necessarily
-fail for those users who do not have an S/Key password.
-.Pp
-Several rule types depend on host name or address information obtained
-through the network.
-What follows is a list of conceivable attacks to force the system to permit
-.Ux
-passwords.
-.Ss "Host address spoofing (source routing)"
-An intruder configures a local interface to an address in a trusted
-network and connects to the victim using that source address.
-Given
-the wrong client address, the victim draws the wrong conclusion from
-rules based on host addresses or from rules based on host names derived
-from addresses.
-.Pp
-Remedies:
-.Bl -enum
-.It
-do not permit
-.Ux
-passwords with network logins;
-.It
-use network software that discards source routing information (e.g.\&
-a tcp wrapper).
-.El
-.Pp
-Almost every network server must look up the client host name using the
-client network address.
-The next obvious attack therefore is:
-.Ss "Host name spoofing (bad PTR record)"
-An intruder manipulates the name server system so that the client
-network address resolves to the name of a trusted host.
-Given the
-wrong host name, the victim draws the wrong conclusion from rules based
-on host names, or from rules based on addresses derived from host
-names.
-.Pp
-Remedies:
-.Bl -enum
-.It
-do not permit
-.Ux
-passwords with network logins;
-.It
-use
-network software that verifies that the hostname resolves to the client
-network address (e.g. a tcp wrapper).
-.El
-.Pp
-Some applications, such as the
-.Ux
-.Xr login 1
-program, must look up the
-client network address using the client host name.
-In addition to the
-previous two attacks, this opens up yet another possibility:
-.Ss "Host address spoofing (extra A record)"
-An intruder manipulates the name server system so that the client host
-name (also) resolves to a trusted address.
-.Pp
-Remedies:
-.Bl -enum
-.It
-do not permit
-.Ux
-passwords with network logins;
-.It
-the
-.Fn skeyaccess
-routines ignore network addresses that appear to
-belong to someone else.
-.El
-.Sh DIAGNOSTICS
-Syntax errors are reported to the
-.Xr syslogd 8 .
-When an error is found
-the rule is skipped.
-.Sh FILES
-.Bl -tag -width /etc/skey.access
-.It Pa /etc/skey.access
-password control table
-.El
-.Sh SEE ALSO
-.Xr login 1 ,
-.Xr syslogd 8
-.Sh AUTHORS
-.An Wietse Venema ,
-Eindhoven University of Technology,
-The Netherlands.
OpenPOWER on IntegriCloud