Invoking the MAN command: skey.access
SKEY.ACCESS(5) FreeBSD File Formats Manual SKEY.ACCESS(5)
NAME
skey.access -- S/Key password control table
DESCRIPTION
The S/Key password control table (/etc/skey.access) is used by login-like
programs to determine when UNIX passwords may be used to access the system.
When the table does not exist, there are no password restrictions.
The user may enter the UNIX password or the S/Key one.
When the table does exist, UNIX passwords are permitted only when
explicitly specified.
For the sake of sanity, UNIX passwords are always permitted on the
systems console.
TABLE FORMAT
The format of the table is one rule per line. Rules are matched in
order. The search terminates when the first matching rule is found, or
when the end of the table is reached.
Rules have the form:
    permit condition condition ...
    deny condition condition ...
where permit and deny may be followed by zero or more conditions. Comments
begin with a `#' character, and extend through the end of the line.
Empty lines or lines with only comments are ignored.
A rule is matched when all conditions are satisfied. A rule without
conditions is always satisfied. For example, the last entry could be a line
with just the word deny on it.
CONDITIONS
hostname wzv.win.tue.nl
    True when the login comes from host wzv.win.tue.nl. See the
    WARNINGS section below.
internet 131.155.210.0 255.255.255.0
    True when the remote host has an internet address in network
    131.155.210. The general form of a net/mask rule is:
        internet net mask
    The expression is true when the host has an internet address for
    which the bitwise and of address and mask equals net. See the
    WARNINGS section below.
port ttya
    True when the login terminal is equal to /dev/ttya. Remember
    that UNIX passwords are always permitted with logins on the
    system console.
user uucp
    True when the user attempts to log in as uucp.
group wheel
    True when the user attempts to log in as a member of the wheel
    group.
COMPATIBILITY
For the sake of backwards compatibility, the internet keyword may be
omitted from net/mask patterns.
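The matching algorithm described under TABLE FORMAT, CONDITIONS and COMPATIBILITY (first matching rule wins, all conditions of a rule must hold, net/mask is a bitwise and, the `internet` keyword may be omitted, a rule with a syntax error is skipped, console logins always get UNIX passwords) is shown below as a small evaluator. This is an added example, not the skeyaccess() code from FreeBSD; the sample table, the `Login` record and the function names are constructed for the illustration. The host and network values are the ones the man page itself uses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample table. The host and network values come from the man
# page's own illustrations; the rule combinations are made up for this example.
SAMPLE_TABLE = """\
# UNIX passwords allowed from the trusted LAN, from one trusted host,
# and for uucp dialing in on ttya; everything else must use S/Key.
permit internet 131.155.210.0 255.255.255.0
permit hostname wzv.win.tue.nl
permit port ttya user uucp
permit 131.155.211.0 255.255.255.0   # 'internet' keyword omitted (compat form)
permit hostname                      # syntax error: missing argument, rule skipped
deny
"""

# Condition keywords and the number of arguments each one takes.
_ARITY = {"hostname": 1, "internet": 2, "port": 1, "user": 1, "group": 1}


@dataclass
class Login:
    user: str
    groups: frozenset
    port: str                    # terminal name without /dev/, e.g. "ttyp0"
    host: Optional[str] = None   # client host name, None for a local login
    addr: Optional[str] = None   # client IPv4 address, None for a local login
    console: bool = False        # login on the system console


def _is_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def parse_table(text: str) -> Tuple[List[Tuple[str, List[Tuple[str, List[str]]]]], List[str]]:
    """Return (rules, errors); rules = [(action, [(condition, args), ...])].
    A rule with a syntax error is skipped and reported (the real code reports
    to syslogd; here the messages are just collected)."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()   # strip the comment, then tokenize
        if not tokens:
            continue                            # empty or comment-only line
        action, rest = tokens[0], tokens[1:]
        if action not in ("permit", "deny"):
            errors.append(f"line {lineno}: unknown action {action!r}")
            continue
        conds, i, ok = [], 0, True
        while i < len(rest):
            kw = rest[i]
            if _is_ipv4(kw):                    # bare net/mask pattern (COMPATIBILITY)
                kw, args, used = "internet", rest[i:i + 2], 2
            elif kw in _ARITY:
                n = _ARITY[kw]
                args, used = rest[i + 1:i + 1 + n], 1 + n
            else:
                errors.append(f"line {lineno}: unknown condition {kw!r}")
                ok = False
                break
            if len(args) != _ARITY[kw] or (kw == "internet" and not all(map(_is_ipv4, args))):
                errors.append(f"line {lineno}: bad arguments for {kw}")
                ok = False
                break
            conds.append((kw, args))
            i += used
        if ok:
            rules.append((action, conds))
    return rules, errors


def _holds(cond: str, args: List[str], login: Login) -> bool:
    if cond == "hostname":
        return login.host is not None and login.host.lower() == args[0].lower()
    if cond == "internet":                      # (address & mask) == net
        if login.addr is None:
            return False
        net, mask, addr = (int(ipaddress.IPv4Address(x)) for x in (args[0], args[1], login.addr))
        return (addr & mask) == net
    if cond == "port":
        return login.port == args[0]
    if cond == "user":
        return login.user == args[0]
    return args[0] in login.groups              # "group"


def unix_password_permitted(table: Optional[str], login: Login) -> bool:
    """Decide whether a UNIX password may be used for this login.
    table=None models a missing /etc/skey.access (no restrictions)."""
    if login.console:                           # console logins always get UNIX passwords
        return True
    if table is None:
        return True
    rules, _ = parse_table(table)
    for action, conds in rules:                 # rules are tried in order, first match wins
        if all(_holds(c, a, login) for c, a in conds):
            return action == "permit"
    return False                                # end of table: UNIX password not permitted
```

Note the two default outcomes: with no table at all every login may use a UNIX password, but once a table exists a login that matches no rule is refused, which is exactly why the WARNINGS section stresses pseudo-tty logins that are neither console nor network.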
WARNINGS
When the S/Key control table (/etc/skey.access) exists, users without
S/Key passwords will be able to log in only where its rules allow the use
of UNIX passwords. In particular, this means that an invocation of
login(1) in a pseudo-tty (e.g. from within xterm(1) or screen(1)) will be
treated as a login that is neither from the console nor from the network,
mandating the use of an S/Key password. Such an invocation of login(1)
will necessarily fail for those users who do not have an S/Key password.
Several rule types depend on host name or address information obtained
through the network. What follows is a list of conceivable attacks to
force the system to permit UNIX passwords.
Host address spoofing (source routing)
An intruder configures a local interface to an address in a trusted
network and connects to the victim using that source address. Given the
wrong client address, the victim draws the wrong conclusion from rules
based on host addresses or from rules based on host names derived from
addresses.
Remedies:
1. do not permit UNIX passwords with network logins;
2. use network software that discards source routing information (e.g.
a tcp wrapper).
Almost every network server must look up the client host name using the
client network address. The next obvious attack therefore is:
Host name spoofing (bad PTR record)
An intruder manipulates the name server system so that the client network
address resolves to the name of a trusted host. Given the wrong host
name, the victim draws the wrong conclusion from rules based on host
names, or from rules based on addresses derived from host names.
Remedies:
1. do not permit UNIX passwords with network logins;
2. use network software that verifies that the hostname resolves to the
client network address (e.g. a tcp wrapper).
Some applications, such as the UNIX login(1) program, must look up the
client network address using the client host name. In addition to the
previous two attacks, this opens up yet another possibility:
Host address spoofing (extra A record)
An intruder manipulates the name server system so that the client host
name (also) resolves to a trusted address.
Remedies:
1. do not permit UNIX passwords with network logins;
2. the skeyaccess() routines ignore network addresses that appear to
belong to someone else.
DIAGNOSTICS
Syntax errors are reported to the syslogd(8). When an error is found the
rule is skipped.
FILES
/etc/skey.access password control table
SEE ALSO
login(1), syslogd(8)
AUTHORS
Wietse Venema, Eindhoven University of Technology, The Netherlands.
FreeBSD 4.9 January 12, 2001 FreeBSD 4.9