path: root/lib/libskey/skey.access.5
blob: e92b4a66c3b661ddc8801e479e23dd98b55e924c (plain)
.TH SKEY.ACCESS 5
.SH NAME
skey.access \- S/Key password control table
.SH DESCRIPTION
The S/Key password control table (default
.IR /etc/skey.access )
is used by \fIlogin\fR-like programs to determine when UNIX passwords
may be used to access the system.
.IP \(bu
When the table does not exist, there are no password restrictions.  The
user may enter the UNIX password or the S/Key one.
.IP \(bu
When the table does exist, UNIX passwords are permitted only when
explicitly specified.
.IP \(bu
For the sake of sanity, UNIX passwords are always permitted on the
system console.
.SH "TABLE FORMAT"
The format of the table is one rule per line.  Rules are matched in
order.  The search terminates when the first matching rule is found, or
when the end of the table is reached.
.PP
Rules have the form:
.sp
.in +5
permit condition condition...
.br
deny condition condition...
.in
.PP
where
.I permit
and
.I deny
may be followed by zero or more conditions. Comments begin with a `#\'
character, and extend through the end of the line.  Empty lines or
lines with only comments are ignored.
.PP
A rule is matched when all conditions are satisfied. A rule without
conditions is always satisfied. For example, the last entry could
be a line with just the word
.I deny
on it.
.SH CONDITIONS
.IP "hostname wzv.win.tue.nl"
True when the login comes from host wzv.win.tue.nl.
.IP "internet 131.155.210.0 255.255.255.0"
True when the remote host has an internet address in network
131.155.210.  The general form of a net/mask rule is:
.sp
.ti +5
internet net mask
.sp
The expression is true when the host has an internet address for which
the bitwise AND of
.I address
and
.I mask
equals
.IR net .
.IP "port ttya"
True when the login terminal is equal to
.IR /dev/ttya .
Remember that UNIX passwords are always permitted with logins on the
system console.
.IP "user uucp"
True when the user attempts to log in as
.IR uucp .
.IP "group wheel"
True when the user attempts to log in as a member of the
.I wheel
group.
.SH COMPATIBILITY
For the sake of backwards compatibility, the
.I internet
keyword may be omitted from net/mask patterns.
.SH DIAGNOSTICS
Syntax errors are reported to syslogd. When an error is found,
the rule is skipped.
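.PP
The matching behaviour described in TABLE FORMAT, CONDITIONS, COMPATIBILITY and DIAGNOSTICS, as an added Python example that is not part of libskey. The console port name, the layout of the login dictionary and the sample table are assumptions constructed for illustration.

```python
import ipaddress

CONSOLE = "console"   # assumption: port name of the system console
SAMPLE_TABLE = """\
# constructed sample table
deny usr root                                # typo: syntax error, rule skipped
permit internet 131.155.210.0 255.255.255.0
permit 10.1.2.0 255.255.255.0 group wheel    # keyword omitted (COMPATIBILITY)
deny
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))   # ValueError on a bad address

def rule_matches(conds, login):
    """True when every condition holds; ValueError/IndexError = syntax error."""
    conds = list(conds)
    while conds:
        key = conds.pop(0)
        if key[0].isdigit():                  # bare "net mask" pattern
            conds.insert(0, key)
            key = "internet"
        if key == "internet":
            net, mask = _ip(conds.pop(0)), _ip(conds.pop(0))
            ok = (_ip(login["addr"]) & mask) == net
        elif key in ("hostname", "port", "user"):
            ok = login[key] == conds.pop(0)
        elif key == "group":
            ok = conds.pop(0) in login["groups"]
        else:
            raise ValueError("unknown condition: " + key)
        if not ok:
            return False
    return True

def unix_password_allowed(table, login):
    """table: text of the control table, or None when the file is absent."""
    if table is None or login["port"] == CONSOLE:
        return True
    for line in table.splitlines():
        words = line.split("#", 1)[0].split()
        if not words:
            continue
        try:
            if words[0] not in ("permit", "deny"):
                raise ValueError("unknown action: " + words[0])
            if rule_matches(words[1:], login):
                return words[0] == "permit"
        except (ValueError, IndexError):
            continue      # DIAGNOSTICS: rule skipped (the real code logs it)
    return False          # table exists and nothing permitted the login
```

With the sample table, the misspelled deny rule is skipped and a root login from 131.155.210.17 is permitted a UNIX password by the next rule, so the syslogd output is worth checking after every edit of the table.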
.SH FILES
/etc/skey.access, password control table
.SH AUTHOR
.nf
Wietse Venema
Eindhoven University of Technology
The Netherlands