| blob | 7c8c3970101352bceecaf7a67256b5121ec8d7b2 |
1 .\" $FreeBSD: src/lib/libskey/skey.access.5,v 1.5.2.1 2001/01/12 18:06:50 ru Exp $
2 .\" $DragonFly: src/lib/libskey/skey.access.5,v 1.3 2006/02/17 19:35:07 swildner Exp $
3 .\"
4 .Dd January 12, 2001
5 .Dt SKEY.ACCESS 5
6 .Os
7 .Sh NAME
8 .Nm skey.access
9 .Nd "S/Key password control table"
10 .Sh DESCRIPTION
11 The S/Key password control table
12 .Pq Pa /etc/skey.access
13 is used by
14 .Nm login Ns \-like
15 programs to determine when
16 .Ux
17 passwords may be used
18 to access the system.
19 .Bl -bullet
20 .It
21 When the table does not exist, there are no password restrictions.
22 The user may enter the
23 .Ux
24 password or the S/Key one.
25 .It
26 When the table does exist,
27 .Ux
28 passwords are permitted only when
29 explicitly specified.
30 .It
31 For the sake of sanity,
32 .Ux
33 passwords are always permitted on the
34 systems console.
35 .El
36 .Sh TABLE FORMAT
37 The format of the table is one rule per line.
38 Rules are matched in order.
39 The search terminates when the first matching rule is found, or
40 when the end of the table is reached.
41 .Pp
42 Rules have the form:
43 .Pp
44 .Bl -item -offset indent -compact
45 .It
46 .Ic permit
47 .Ar condition condition ...
48 .It
49 .Ic deny
50 .Ar condition condition ...
51 .El
52 .Pp
53 where
54 .Ic permit
55 and
56 .Ic deny
57 may be followed by zero or more
58 .Ar conditions .
59 Comments begin with a
60 .Ql #
61 character, and extend through the end of the line.
62 Empty lines or
63 lines with only comments are ignored.
64 .Pp
65 A rule is matched when all conditions are satisfied.
66 A rule without
67 conditions is always satisfied.
68 For example, the last entry could
69 be a line with just the word
70 .Ic deny
71 on it.
72 .Sh CONDITIONS
73 .Bl -tag -width indent
74 .It Ic hostname Ar wzv.win.tue.nl
75 True when the login comes from host
76 .Ar wzv.win.tue.nl .
77 See the
78 .Sx WARNINGS
79 section below.
80 .It Ic internet Ar 131.155.210.0 255.255.255.0
81 True when the remote host has an internet address in network
82 .Ar 131.155.210 .
83 The general form of a net/mask rule is:
84 .Pp
85 .D1 Ic internet Ar net mask
86 .Pp
87 The expression is true when the host has an internet address for which
88 the bitwise and of
89 .Ar address
90 and
91 .Ar mask
92 equals
93 .Ar net .
94 See the
95 .Sx WARNINGS
96 section below.
97 .It Ic port Ar ttya
98 True when the login terminal is equal to
99 .Pa /dev/ttya .
100 Remember that
101 .Ux
102 passwords are always permitted with logins on the
103 system console.
104 .It Ic user Ar uucp
105 True when the user attempts to log in as
106 .Ar uucp .
107 .It Ic group Ar wheel
108 True when the user attempts to log in as a member of the
109 .Ar wheel
110 group.
111 .El
112 .Sh FILES
113 .Bl -tag -width /etc/skey.access
114 .It Pa /etc/skey.access
115 password control table
116 .El
117 .Sh DIAGNOSTICS
118 Syntax errors are reported to the
119 .Xr syslogd 8 .
120 When an error is found
121 the rule is skipped.
122 .Sh COMPATIBILITY
123 For the sake of backwards compatibility, the
124 .Ic internet
125 keyword may be omitted from net/mask patterns.
126 .Sh WARNINGS
127 When the S/Key control table
128 .Pq Pa /etc/skey.access
129 exists, users without S/Key passwords will be able to login only
130 where its rules allow the use of
131 .Ux
132 passwords.
133 In particular, this
134 means that an invocation of
135 .Xr login 1
136 in a pseudo-tty (e.g. from
137 within
138 .Xr xterm 1
139 or
140 .Xr screen 1
141 will be treated as a login
142 that is neither from the console nor from the network, mandating the use
143 of an S/Key password.
144 Such an invocation of
145 .Xr login 1
146 will necessarily
147 fail for those users who do not have an S/Key password.
148 .Pp
149 Several rule types depend on host name or address information obtained
150 through the network.
151 What follows is a list of conceivable attacks to force the system to permit
152 .Ux
153 passwords.
154 .Ss "Host address spoofing (source routing)"
155 An intruder configures a local interface to an address in a trusted
156 network and connects to the victim using that source address.
157 Given
158 the wrong client address, the victim draws the wrong conclusion from
159 rules based on host addresses or from rules based on host names derived
160 from addresses.
161 .Pp
162 Remedies:
163 .Bl -enum
164 .It
165 do not permit
166 .Ux
167 passwords with network logins;
168 .It
169 use network software that discards source routing information (e.g.\&
170 a tcp wrapper).
171 .El
172 .Pp
173 Almost every network server must look up the client host name using the
174 client network address.
175 The next obvious attack therefore is:
176 .Ss "Host name spoofing (bad PTR record)"
177 An intruder manipulates the name server system so that the client
178 network address resolves to the name of a trusted host.
179 Given the
180 wrong host name, the victim draws the wrong conclusion from rules based
181 on host names, or from rules based on addresses derived from host
182 names.
183 .Pp
184 Remedies:
185 .Bl -enum
186 .It
187 do not permit
188 .Ux
189 passwords with network logins;
190 .It
191 use
192 network software that verifies that the hostname resolves to the client
193 network address (e.g. a tcp wrapper).
194 .El
195 .Pp
196 Some applications, such as the
197 .Ux
198 .Xr login 1
199 program, must look up the
200 client network address using the client host name.
201 In addition to the
202 previous two attacks, this opens up yet another possibility:
203 .Ss "Host address spoofing (extra A record)"
204 An intruder manipulates the name server system so that the client host
205 name (also) resolves to a trusted address.
206 .Pp
207 Remedies:
208 .Bl -enum
209 .It
210 do not permit
211 .Ux
212 passwords with network logins;
213 .It
214 the
215 .Fn skeyaccess
216 routines ignore network addresses that appear to
217 belong to someone else.
218 .El
219 .Sh SEE ALSO
220 .Xr login 1 ,
221 .Xr syslogd 8
222 .Sh AUTHORS
223 .An Wietse Venema ,
224 Eindhoven University of Technology,
225 The Netherlands.