SKEY.ACCESS(5)                FILE FORMATS                SKEY.ACCESS(5)
NAME
skey.access - S/Key password control table
DESCRIPTION
The S/Key password control table (/etc/skey.access) is used
by login-like programs to determine when UNIX passwords may
be used to access the system.
+ When the table does not exist, there are no password
restrictions. The user may enter the UNIX password or
the S/Key one.
+ When the table does exist, UNIX passwords are permitted
only when explicitly specified.
+ For the sake of sanity, UNIX passwords are always
permitted on the system console.
TABLE FORMAT
The format of the table is one rule per line. Rules are
matched in order. The search terminates when the first
matching rule is found, or when the end of the table is
reached.
Rules have the form:
permit condition condition...
deny condition condition...
where permit and deny may be followed by zero or more
conditions. Comments begin with a `#' character, and extend
through the end of the line. Empty lines or lines with only
comments are ignored.
A rule is matched when all conditions are satisfied. A rule
without conditions is always satisfied. For example, the
last entry could be a line with just the word deny on it.
CONDITIONS
hostname wzv.win.tue.nl
True when the login comes from host wzv.win.tue.nl.
See the WARNINGS section below.
internet 131.155.210.0 255.255.255.0
True when the remote host has an internet address in
network 131.155.210. The general form of a net/mask
rule is:
internet net mask
The expression is true when the host has an internet
address for which the bitwise and of address and mask
equals net. See the WARNINGS section below.
port ttya
True when the login terminal is equal to /dev/ttya.
Remember that UNIX passwords are always permitted with
logins on the system console.
user uucp
True when the user attempts to log in as uucp.
group wheel
True when the user's primary group is wheel, or when
the user is explicitly listed in the group file under
the wheel group.
COMPATIBILITY
For the sake of backwards compatibility, the internet
keyword may be omitted from net/mask patterns.
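The following evaluator is an added example, not code from
logdaemon, that implements the table semantics described in
the TABLE FORMAT, CONDITIONS and COMPATIBILITY sections: one
rule per line, first match wins, a rule without conditions
always matches, end of table means deny, a missing table means
permit, and the console is always permitted. The console device
name (CONSOLE), the keys of the login context dictionary and the
sample table are assumptions made for the demonstration; only the
131.155.210 network and the host name wzv.win.tue.nl are taken
from the examples above.

```python
"""Evaluator for an skey.access table (TABLE FORMAT, CONDITIONS and
COMPATIBILITY above). Added example, not code from logdaemon; the
console device name and the login-context keys are assumptions."""
import ipaddress

CONSOLE = "console"   # assumed name of the system console device


def _tty_name(port):
    """Strip the /dev/ prefix: "/dev/ttya" and "ttya" both name ttya."""
    return None if port is None else port.rsplit("/", 1)[-1]


def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def parse_table(text):
    """Return (rules, errors); a rule is (verb, [(keyword, args), ...]).
    A rule with a syntax error is skipped (DIAGNOSTICS); the skipped lines
    are returned here instead of being sent to syslogd."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # comments run to end of line
        if not line:
            continue                          # empty or comment-only line
        words = line.split()
        verb, rest = words[0], words[1:]
        conds = []
        bad = verb not in ("permit", "deny")
        while rest and not bad:
            key = rest[0]
            if key in ("hostname", "port", "user", "group") and len(rest) >= 2:
                conds.append((key, rest[1:2]))
                rest = rest[2:]
            elif key == "internet" and len(rest) >= 3 and all(map(_is_ipv4, rest[1:3])):
                conds.append(("internet", rest[1:3]))
                rest = rest[3:]
            elif len(rest) >= 2 and all(map(_is_ipv4, rest[:2])):
                conds.append(("internet", rest[:2]))   # keyword omitted (COMPATIBILITY)
                rest = rest[2:]
            else:
                bad = True
        if bad:
            errors.append((lineno, raw.strip()))
        else:
            rules.append((verb, conds))
    return rules, errors


def condition_holds(key, args, ctx):
    """Evaluate one condition against the login context."""
    if key == "hostname":
        return ctx.get("hostname") == args[0]
    if key == "internet":
        if ctx.get("address") is None:
            return False                      # not a network login
        net, mask = (int(ipaddress.IPv4Address(a)) for a in args)
        return int(ipaddress.IPv4Address(ctx["address"])) & mask == net
    if key == "port":
        return _tty_name(ctx.get("port")) == args[0]
    if key == "user":
        return ctx.get("user") == args[0]
    if key == "group":
        return args[0] in ctx.get("groups", ())   # primary group plus /etc/group
    raise ValueError("unknown condition %r" % key)


def unix_password_allowed(table_text, ctx):
    """True when a UNIX password may be used for this login."""
    if table_text is None:                    # no table: no restrictions
        return True
    if _tty_name(ctx.get("port")) == CONSOLE: # console is always permitted
        return True
    rules, _errors = parse_table(table_text)
    for verb, conds in rules:                 # first matching rule decides
        if all(condition_holds(k, a, ctx) for k, a in conds):
            return verb == "permit"
    return False                              # end of table: not explicitly permitted


SAMPLE_TABLE = """\
# constructed sample table; only the 131.155.210 network and the host
# name wzv.win.tue.nl are taken from the man page's examples
permit internet 131.155.210.0 255.255.255.0   # local network
permit hostname wzv.win.tue.nl
permit port ttya user uucp                    # uucp, but only on the dial-in line
deny   user root                              # root uses S/Key from anywhere else
permit group wheel
permit 131.155.211.0 255.255.255.0            # COMPATIBILITY form, keyword omitted
allow  user guest                             # syntax error: logged and skipped
deny                                          # catch-all, always satisfied
"""

if __name__ == "__main__":
    for ctx in ({"user": "root", "address": "131.155.210.17", "port": "ttyp0"},
                {"user": "root", "address": "10.1.2.3", "groups": ["wheel"]}):
        print(ctx, "->", unix_password_allowed(SAMPLE_TABLE, ctx))
```

Note the effect of rule order in the sample table: root logging in
from the 131.155.210 network is permitted by the first rule before
the "deny user root" line is ever consulted, while root in group
wheel from any other address is denied because "deny user root"
precedes "permit group wheel". Put the most specific deny rules
first when that is not what you want.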
WARNINGS
Several rule types depend on host name or address information
obtained through the network. What follows is a list of
conceivable attacks to force the system to permit UNIX
passwords.
Host address spoofing (source routing)
An intruder configures a local interface to an address
in a trusted network and connects to the victim using
that source address. Given the wrong client address,
the victim draws the wrong conclusion from rules based
on host addresses or from rules based on host names
derived from addresses.
Remedies: (1) do not permit UNIX passwords with network
logins; (2) use network software that discards source
routing information (e.g. a tcp wrapper).
Almost every network server must look up the client host
name using the client network address. The next obvious
attack therefore is:
Host name spoofing (bad PTR record)
An intruder manipulates the name server system so that
the client network address resolves to the name of a
trusted host. Given the wrong host name, the victim
draws the wrong conclusion from rules based on host
names, or from rules based on addresses derived from
host names.
Remedies: (1) do not permit UNIX passwords with network
logins; (2) use network software that verifies that the
hostname resolves to the client network address (e.g. a
tcp wrapper).
Some applications, such as the UNIX login program, must look
up the client network address using the client host name. In
addition to the previous two attacks, this opens up yet
another possibility:
Host address spoofing (extra A record)
An intruder manipulates the name server system so that
the client host name (also) resolves to a trusted
address.
Remedies: (1) do not permit UNIX passwords with network
logins; (2) the skeyaccess() routines ignore network
addresses that appear to belong to someone else.
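The two name-service cross-checks that remedy (2) of the bad
PTR record and extra A record attacks call for, as an added
example that is not code from logdaemon or from a tcp wrapper.
Instead of the real resolver it uses a constructed in-memory
zone: the network 131.155.210 and the name wzv.win.tue.nl come
from the examples above, while the address 131.155.210.17, the
name evil.example.org and the 192.0.2.0/24 addresses are
invented for the demonstration. One way to implement "ignore
addresses that appear to belong to someone else" is to keep only
those addresses whose PTR record names the host being checked;
that is the interpretation used here.

```python
"""Client name/address cross-checks against the bad-PTR and extra-A-record
attacks. Added example; the zone data below is constructed, not real."""
import ipaddress

# Constructed records. The attacker controls evil.example.org and the
# reverse zone for 192.0.2.0/24; wzv.win.tue.nl is the trusted host.
A_RECORDS = {
    "wzv.win.tue.nl": ["131.155.210.17"],
    # extra A record attack: the attacker's name also claims a trusted address
    "evil.example.org": ["192.0.2.66", "131.155.210.17"],
}
PTR_RECORDS = {
    "131.155.210.17": "wzv.win.tue.nl",
    "192.0.2.66": "evil.example.org",
    # bad PTR record attack: the attacker's reverse zone names a trusted host
    "192.0.2.99": "wzv.win.tue.nl",
}
TRUSTED_NET = ipaddress.ip_network("131.155.210.0/24")  # the man page's network


def lookup_a(name):
    """Forward lookup (stand-in for gethostbyname)."""
    return A_RECORDS.get(name.lower(), [])


def lookup_ptr(addr):
    """Reverse lookup (stand-in for gethostbyaddr)."""
    return PTR_RECORDS.get(addr)


def verified_hostname(addr, a=lookup_a, ptr=lookup_ptr):
    """Name for a client address, or None. The PTR name is accepted only if
    one of its own A records leads back to addr (bad-PTR remedy)."""
    name = ptr(addr)
    if name is None or addr not in a(name):
        return None
    return name.lower()


def verified_addresses(hostname, a=lookup_a, ptr=lookup_ptr):
    """Addresses for a client host name, minus those whose PTR record names
    a different host, i.e. addresses that appear to belong to someone else
    (extra-A-record remedy)."""
    hostname = hostname.lower()
    return [addr for addr in a(hostname)
            if (ptr(addr) or "").lower() == hostname]


def from_trusted_net(hostname):
    """(naive, verified): would a rule 'internet 131.155.210.0 255.255.255.0'
    match this host with and without the cross-check?"""
    naive = any(ipaddress.ip_address(x) in TRUSTED_NET for x in lookup_a(hostname))
    verified = any(ipaddress.ip_address(x) in TRUSTED_NET
                   for x in verified_addresses(hostname))
    return naive, verified


if __name__ == "__main__":
    for host in ("wzv.win.tue.nl", "evil.example.org"):
        print(host, "naive/verified:", from_trusted_net(host))
    for addr in ("131.155.210.17", "192.0.2.99"):
        print(addr, "->", verified_hostname(addr))
```

The check cuts both ways: a consistent forward/reverse pair that
the attacker controls (192.0.2.66 and evil.example.org) is still
accepted as exactly what it is, which is the intended result; the
cross-check only stops an address or name from being mistaken for
a trusted one. It does nothing against the source-routing attack,
whose remedy lies in the network software, not in name service.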
DIAGNOSTICS
Syntax errors are reported to syslogd. When an error is
found, the rule is skipped.
FILES
/etc/skey.access, password control table
AUTHOR
Wietse Venema
Eindhoven University of Technology
The Netherlands

Sun Release 4.1 Last change: