.\" $FreeBSD: src/lib/libskey/skey.access.5,v 1.5.2.1 2001/01/12 18:06:50 ru Exp $
.Nd "S/Key password control table"
The S/Key password control table
.Pq Pa /etc/skey.access
programs to determine when
When the table does not exist, there are no password restrictions.
The user may enter the
password or the S/Key one.
When the table does exist,
passwords are permitted only when
For the sake of sanity,
passwords are always permitted on the
The format of the table is one rule per line.
Rules are matched in order.
The search terminates when the first matching rule is found, or
when the end of the table is reached.
.Bl -item -offset indent -compact
.Ar condition condition ...
.Ar condition condition ...
may be followed by zero or more
character, and extend through the end of the line.
lines with only comments are ignored.
A rule is matched when all conditions are satisfied.
conditions is always satisfied.
For example, the last entry could
be a line with just the word
.Bl -tag -width indent
.It Ic hostname Ar wzv.win.tue.nl
True when the login comes from host
.It Ic internet Ar 131.155.210.0 255.255.255.0
True when the remote host has an internet address in network
The general form of a net/mask rule is:
.D1 Ic internet Ar net mask
The expression is true when the host has an internet address for which
True when the login terminal is equal to
passwords are always permitted with logins on the
True when the user attempts to log in as
.It Ic group Ar wheel
True when the user attempts to log in as a member of the
For the sake of backwards compatibility, the
keyword may be omitted from net/mask patterns.
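An added example, not part of this manual page or of the libskey code: a small Python evaluator for a table in this format, applying the rule and condition semantics described above (rules tried in order, first match wins, all conditions of a rule must hold, an empty condition list always holds, net/mask test with the optional keyword). The rule keywords permit and deny, the condition keywords port and user, and the console special case are assumed from the FreeBSD implementation since the page only describes them; the Login record and the sample table are constructed.

```python
import ipaddress
from collections import namedtuple
# Constructed table; permit/deny keywords assumed (not on this page). First hit wins.
SAMPLE_TABLE = """\
deny    group wheel internet 131.155.210.0 255.255.255.0   # wheel must use S/Key
permit  internet 131.155.210.0 255.255.255.0
permit  hostname wzv.win.tue.nl
permit  10.0.0.0 255.0.0.0 user guest   # old-style net/mask, keyword omitted
deny
"""
Login = namedtuple("Login", "host addr port user groups", defaults=("", "", "", "", frozenset()))

def parse_table(text):
    """Return [(action, condition tokens)]; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if tokens:
            rules.append((tokens[0], tokens[1:]))
    return rules

def in_net(addr, net, mask):                      # the 'internet' test: addr & mask == net
    a, n, m = (int(ipaddress.ip_address(x)) for x in (addr, net, mask))
    return a & m == n

def conditions_hold(conds, login):
    """True when every condition holds; a rule with no conditions always matches."""
    i = 0
    while i < len(conds):
        key = conds[i]
        if key == "internet" or key[0].isdigit():   # net/mask, keyword optional
            i += key == "internet"
            net, mask, i = conds[i], conds[i + 1], i + 2
            ok = bool(login.addr) and in_net(login.addr, net, mask)   # no address: no match
        else:                                        # hostname / port / user / group
            arg, i = conds[i + 1], i + 2
            ok = {"hostname": login.host.lower() == arg.lower(), "port": login.port == arg,
                  "user": login.user == arg, "group": arg in login.groups}[key]
        if not ok:
            return False
    return True

def unix_password_permitted(rules, login):
    """First matching rule decides; no match means deny. Assumed: console always permitted."""
    if login.port == "console":
        return True
    for action, conds in rules:
        if conditions_hold(conds, login):
            return action == "permit"
    return False
```

Note that a login on a local pseudo-tty carries no network address, so it matches no net/mask rule and falls through to the final deny, which is the behaviour described for su(1) below.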
When the S/Key control table
.Pq Pa /etc/skey.access
exists, users without S/Key passwords will be able to login only
where its rules allow the use of
means that an invocation of
in a pseudo-tty (e.g. from
will be treated as a login
that is neither from the console nor from the network, mandating the use
of an S/Key password.
Such an invocation of
fail for those users who do not have an S/Key password.
Several rule types depend on host name or address information obtained
What follows is a list of conceivable attacks to force the system to permit
.Ss "Host address spoofing (source routing)"
An intruder configures a local interface to an address in a trusted
network and connects to the victim using that source address.
the wrong client address, the victim draws the wrong conclusion from
rules based on host addresses or from rules based on host names derived
passwords with network logins;
use network software that discards source routing information (e.g.\&
Almost every network server must look up the client host name using the
client network address.
The next obvious attack therefore is:
.Ss "Host name spoofing (bad PTR record)"
An intruder manipulates the name server system so that the client
network address resolves to the name of a trusted host.
wrong host name, the victim draws the wrong conclusion from rules based
on host names, or from rules based on addresses derived from host
passwords with network logins;
network software that verifies that the hostname resolves to the client
network address (e.g. a tcp wrapper).
Some applications, such as the
program, must look up the
client network address using the client host name.
previous two attacks, this opens up yet another possibility:
.Ss "Host address spoofing (extra A record)"
An intruder manipulates the name server system so that the client host
name (also) resolves to a trusted address.
passwords with network logins;
routines ignore network addresses that appear to
belong to someone else.
Syntax errors are reported to the
When an error is found
.Bl -tag -width /etc/skey.access
.It Pa /etc/skey.access
password control table
Eindhoven University of Technology,