Diffstat (limited to 'lib/libskey/skey.access.5')
-rw-r--r-- | lib/libskey/skey.access.5 | 47
1 files changed, 43 insertions, 4 deletions
diff --git a/lib/libskey/skey.access.5 b/lib/libskey/skey.access.5 index e92b4a66c3b6..2e12ad11935b 100644 --- a/lib/libskey/skey.access.5 +++ b/lib/libskey/skey.access.5 @@ -2,10 +2,9 @@ .SH NAME skey.access \- S/Key password control table .SH DESCRIPTION -The S/Key password control table (default -.IR /etc/skey.access ) -is used by \fIlogin\fR-like programs to determine when UNIX passwords -may be used to access the system. +The S/Key password control table (\fI/etc/skey.access\fR) is used by +\fIlogin\fR-like programs to determine when UNIX passwords may be used +to access the system. .IP \(bu When the table does not exist, there are no password restrictions. The user may enter the UNIX password or the S/Key one. @@ -44,6 +43,7 @@ on it. .SH CONDITIONS .IP "hostname wzv.win.tue.nl" True when the login comes from host wzv.win.tue.nl. +See the WARNINGS section below. .IP "internet 131.155.210.0 255.255.255.0" True when the remote host has an internet address in network 131.155.210. The general form of a net/mask rule is: @@ -58,6 +58,7 @@ and .I mask equals .IR net. +See the WARNINGS section below. .IP "port ttya" True when the login terminal is equal to .IR /dev/ttya . 
@@ -74,6 +75,44 @@ group. For the sake of backwards compatibility, the .I internet keyword may be omitted from net/mask patterns. +.SH WARNINGS +Several rule types depend on host name or address information obtained +through the network. What follows is a list of conceivable attacks to +force the system to permit UNIX passwords. +.IP "Host address spoofing (source routing)" +An intruder configures a local interface to an address in a trusted +network and connects to the victim using that source address. Given +the wrong client address, the victim draws the wrong conclusion from +rules based on host addresses or from rules based on host names derived +from addresses. +.sp +Remedies: (1) do not permit UNIX passwords with network logins; (2) +use network software that discards source routing information (e.g. +a tcp wrapper). +.PP +Almost every network server must look up the client host name using the +client network address. The next obvious attack therefore is: +.IP "Host name spoofing (bad PTR record)" +An intruder manipulates the name server system so that the client +network address resolves to the name of a trusted host. Given the +wrong host name, the victim draws the wrong conclusion from rules based +on host names, or from rules based on addresses derived from host +names. +.sp +Remedies: (1) do not permit UNIX passwords with network logins; (2) use +network software that verifies that the hostname resolves to the client +network address (e.g. a tcp wrapper). +.PP +Some applications, such as the UNIX login program, must look up the +client network address using the client host name. In addition to the +previous two attacks, this opens up yet another possibility: +.IP "Host address spoofing (extra A record)" +An intruder manipulates the name server system so that the client host +name (also) resolves to a trusted address. 
+.sp +Remedies: (1) do not permit UNIX passwords with network logins; (2) +the skeyaccess() routines ignore network addresses that appear to +belong to someone else. .SH DIAGNOSTICS Syntax errors are reported to the syslogd. When an error is found the rule is skipped. |
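Review bot: the rewritten DESCRIPTION sentence in the first hunk drops the word "default" before the path, so the page now states that the table is always /etc/skey.access; if the location can still be overridden (for example at build time), keep "default" or name the mechanism. The replacement also switches from the `.IR` macro to inline `\fI/etc/skey.access\fR` escapes while the rest of the page keeps using `.IR` (`.IR net.`, `.IR /dev/ttya .`); writing it as `.IR /etc/skey.access )` on its own line would keep the markup consistent with the surrounding text.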
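Review bot: the line "See the WARNINGS section below." added after the hostname rule is a bare pointer; since WARNINGS lists three distinct attacks, naming the ones that actually affect a hostname rule (the host name is derived from the client address, so both the source-routing item and the bad-PTR-record item apply) would make the reference actionable, e.g. "See the WARNINGS section below (address and host name spoofing)."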
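Review bot: the identical "See the WARNINGS section below." added after the internet net/mask rule has the same problem; for an address-based rule the relevant items are source routing and the extra A record (addresses derived from host names), and a short parenthetical saying so would spare the reader from re-reading all three.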
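Review bot: in the new WARNINGS section the third item, "Host address spoofing (extra A record)", stops after describing the manipulation and, unlike the first two items, never states the consequence; adding the matching sentence ("Given the wrong address, the victim draws the wrong conclusion from rules based on host addresses.") keeps the three items parallel. Remedy (2) of that item, "the skeyaccess() routines ignore network addresses that appear to belong to someone else", describes what the library already does rather than an action the administrator can take, so it reads oddly under "Remedies:"; phrasing it as "this case is handled by the skeyaccess() routines, which ignore network addresses that appear to belong to someone else" or folding it into the attack paragraph would make that clear. Remedy (1), "do not permit UNIX passwords with network logins", is repeated verbatim three times; stating it once in the introductory paragraph as the remedy that covers all three attacks, and keeping only the attack-specific remedy in each item, would shorten the section without losing anything.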