1 .\" $FreeBSD: src/lib/libskey/skey.access.5,v 1.5.2.1 2001/01/12 18:06:50 ru Exp $
2 .\" $DragonFly: src/lib/libskey/skey.access.5,v 1.2 2003/06/17 04:26:51 dillon Exp $
9 .Nd "S/Key password control table"
11 The S/Key password control table
12 .Pq Pa /etc/skey.access
15 programs to determine when
21 When the table does not exist, there are no password restrictions.
22 The user may enter the
24 password or the S/Key one.
26 When the table does exist,
28 passwords are permitted only when
31 For the sake of sanity,
33 passwords are always permitted on the
37 The format of the table is one rule per line.
38 Rules are matched in order.
39 The search terminates when the first matching rule is found, or
40 when the end of the table is reached.
44 .Bl -item -offset indent -compact
47 .Ar condition condition ...
50 .Ar condition condition ...
57 may be followed by zero or more
61 character, and extend through the end of the line.
63 lines with only comments are ignored.
65 A rule is matched when all conditions are satisfied.
67 conditions is always satisfied.
68 For example, the last entry could
69 be a line with just the word
73 .Bl -tag -width indent
74 .It Ic hostname Ar wzv.win.tue.nl
75 True when the login comes from host
80 .It Ic internet Ar 131.155.210.0 255.255.255.0
81 True when the remote host has an internet address in network
83 The general form of a net/mask rule is:
85 .D1 Ic internet Ar net mask
87 The expression is true when the host has an internet address for which
98 True when the login terminal is equal to
102 passwords are always permitted with logins on the
105 True when the user attempts to log in as
107 .It Ic group Ar wheel
108 True when the user attempts to log in as a member of the
113 For the sake of backwards compatibility, the
115 keyword may be omitted from net/mask patterns.
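The following is an added example and is not part of this manual page or of the libskey sources: a small Python evaluator for the rule syntax described above, run over a constructed sample table. It assumes exact host name comparison, that a login without a client address never satisfies a net/mask condition, and that a table in which no rule matches denies, since UNIX passwords are permitted only where the table explicitly allows them.

```python
import ipaddress

# Constructed sample table (not a real /etc/skey.access), using the keywords of skey.access(5).
SAMPLE_TABLE = """\
permit port ttyv0
permit internet 131.155.210.0 255.255.255.0
permit 10.0.0.0 255.0.0.0            # old style: the "internet" keyword omitted
deny user root
permit group wheel hostname wzv.win.tue.nl
deny                                 # no conditions: always matches
"""

def parse_rules(text):  # -> [(verb, [condition words]), ...]; '#' comments run to end of line
    lines = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [(words[0], words[1:]) for words in lines if words]

def in_network(addr, net, mask):  # net/mask test from the manual: (address & mask) == net
    a, n, m = (int(ipaddress.IPv4Address(x)) for x in (addr, net, mask))
    return (a & m) == n

def conditions_hold(conds, login):  # every condition must hold; no conditions -> satisfied
    i = 0
    while i < len(conds):
        kw = conds[i]
        if kw == "hostname":
            ok, i = login.get("host") == conds[i + 1], i + 2
        elif kw == "port":
            ok, i = login.get("port") == conds[i + 1], i + 2
        elif kw == "user":
            ok, i = login.get("user") == conds[i + 1], i + 2
        elif kw == "group":
            ok, i = conds[i + 1] in login.get("groups", ()), i + 2
        else:  # "internet net mask", or the bare "net mask" form kept for compatibility
            if kw == "internet":
                i += 1
            addr = login.get("addr")  # a console or pseudo-tty login has no client address
            ok, i = addr is not None and in_network(addr, conds[i], conds[i + 1]), i + 2
        if not ok:
            return False
    return True

def unix_password_allowed(rules, login, console="ttyv0"):
    # Console always passes; otherwise the first matching rule decides, and no match denies.
    if login.get("port") == console:
        return True
    for verb, conds in rules:
        if conditions_hold(conds, login):
            return verb == "permit"
    return False
```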
When the S/Key control table
.Pq Pa /etc/skey.access
exists, users without S/Key passwords will be able to log in only
where its rules allow the use of
means that an invocation of
in a pseudo-tty (e.g.\& from
will be treated as a login
that is neither from the console nor from the network, mandating the use
of an S/Key password.
Such an invocation of
fail for those users who do not have an S/Key password.
Several rule types depend on host name or address information obtained
What follows is a list of conceivable attacks to force the system to permit
.Ss "Host address spoofing (source routing)"
An intruder configures a local interface to an address in a trusted
network and connects to the victim using that source address.
the wrong client address, the victim draws the wrong conclusion from
rules based on host addresses or from rules based on host names derived
passwords with network logins;
use network software that discards source routing information (e.g.\&
Almost every network server must look up the client host name using the
client network address.
The next obvious attack therefore is:
.Ss "Host name spoofing (bad PTR record)"
An intruder manipulates the name server system so that the client
network address resolves to the name of a trusted host.
wrong host name, the victim draws the wrong conclusion from rules based
on host names, or from rules based on addresses derived from host
passwords with network logins;
network software that verifies that the hostname resolves to the client
network address (e.g.\& a tcp wrapper).
Some applications, such as the
program, must look up the
client network address using the client host name.
previous two attacks, this opens up yet another possibility:
.Ss "Host address spoofing (extra A record)"
An intruder manipulates the name server system so that the client host
name (also) resolves to a trusted address.
passwords with network logins;
routines ignore network addresses that appear to
belong to someone else.
Syntax errors are reported to the
When an error is found
.Bl -tag -width /etc/skey.access
.It Pa /etc/skey.access
password control table
Eindhoven University of Technology,