From owner-freebsd-security Fri May 22 01:14:57 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA03720 for freebsd-security-outgoing; Fri, 22 May 1998 01:14:57 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from firewall.ftf.dk (root@mail.ftf.dk [129.142.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA03510 for ; Fri, 22 May 1998 01:13:47 -0700 (PDT) (envelope-from regnauld@deepo.prosa.dk)
Received: from mail.prosa.dk ([192.168.100.2]) by firewall.ftf.dk (8.7.6/8.7.3) with ESMTP id MAA17535; Fri, 22 May 1998 12:13:54 +0200
Received: from deepo.prosa.dk (deepo.prosa.dk [192.168.100.10]) by mail.prosa.dk (8.8.5/8.8.5/prosa-1.1) with ESMTP id KAA22054; Fri, 22 May 1998 10:38:04 +0200 (CEST)
Received: (from regnauld@localhost) by deepo.prosa.dk (8.8.7/8.8.5/prosa-1.1) id KAA17390; Fri, 22 May 1998 10:12:15 +0200 (CEST)
Message-ID: <19980522101215.41390@deepo.prosa.dk>
Date: Fri, 22 May 1998 10:12:15 +0200
From: Philippe Regnauld
To: Mike Smith
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SKey and locked account
References: <19980521183148.07894@deepo.prosa.dk> <199805212338.QAA05467@antipodes.cdrom.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Mailer: Mutt 0.88e
In-Reply-To: <199805212338.QAA05467@antipodes.cdrom.com>; from Mike Smith on Thu, May 21, 1998 at 04:38:30PM -0700
X-Operating-System: FreeBSD 2.2.5-STABLE i386
Organization: PROSA
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

Mike Smith writes:
> > I'm currently experimenting with 2.2.6, FWTK and skey.
> >
> > 1) First thing I noticed is that it's possible for someone to log
> > into the system, even if the account is disabled ('*' in the
> > passwd field), when S/Key is enabled for that user.
> >
> > Surprise to me.
>
> "*" does not disable an account - it is an invalid crypted string which
> will fail to match any crypted plaintext password, as used by login,
> the r* commands and ftp (when FTP is not using s/key).

	Ok -- just referring to the man page:

     The password field is the encrypted form of the password. If the password
     field is empty, no password will be required to gain access to the
     machine. This is almost invariably a mistake. Because these files contain
     the encrypted user passwords, they should not be readable by anyone
     without appropriate privileges. Administrative accounts have a password
     field containing an asterisk `*' which disallows normal logins.

	... it doesn't mention the fact that they _also_ have an invalid shell.

-- 
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
«Pluto placed his bad dog at the entrance of Hades to keep the dead IN and
the living OUT! The archetypical corporate firewall?» - S. Kelly Bootle
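An added audit script (not from this thread or from FreeBSD) that looks for the situation the message describes: accounts whose password field is `*` but which still hold an S/Key entry and a usable login shell, so that the "disabled" password is never what gates the login. It assumes the S/Key key file lists the user name as the first field of each line and that non-login shells end in `nologin` or `/bin/false`; the sample files are constructed.

```shell
#!/bin/sh
# Added audit: flag accounts with a '*' password field that still have an
# S/Key entry and a real login shell.  Assumptions (not from the page): the
# S/Key key file has the user name as its first field; shells ending in
# "nologin" or "/bin/false" count as disabled.

# Usage: skey_bypass_audit PASSWD_FILE SKEYKEYS_FILE
# Prints one user name per line.  Works on passwd(5) and master.passwd(5)
# layouts alike because the shell is always the last field.
skey_bypass_audit() {
    awk '
        # First file (whitespace separated): remember every S/Key user.
        FILENAME == ARGV[1] {
            if ($1 != "" && substr($1, 1, 1) != "#") skey[$1] = 1
            next
        }
        # Second file (colon separated): "*" password + S/Key + real shell.
        $2 == "*" && ($1 in skey) && $NF !~ /(nologin|\/bin\/false)$/ {
            print $1
        }' "$2" FS=: "$1"
}

# Constructed sample files so the audit runs offline; on a real host point
# it at /etc/master.passwd and /etc/skeykeys instead.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/master.passwd" <<'EOF'
root:$1$constructed$notarealhashxxxxxxxxxxxx:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
alice:*:1001:1001::0:0:Alice, password disabled:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob, password disabled:/home/bob:/bin/sh
EOF
    cat > "$dir/skeykeys" <<'EOF'
# user seq seed key   (constructed sample, layout assumed)
alice 0099 de1234 0123456789abcdef
root  0098 de5678 fedcba9876543210
EOF
    echo "$dir"
}

# Only alice is flagged: '*' password, S/Key entry, /bin/sh.  bob has no
# S/Key entry, root has a real hash, daemon has no usable shell.
sample_dir=$(make_samples)
skey_bypass_audit "$sample_dir/master.passwd" "$sample_dir/skeykeys"
```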