Date: Wed, 12 Apr 1995 11:20:07 -0700
From: Paul Traina <pst@Shockwave.COM>
To: freebsd-bugs
Subject: bin/339: kerberos violates s/key interaction rules
Message-ID: <199504121820.LAA19585@freefall.cdrom.com>
In-Reply-To: Your message of Wed, 12 Apr 1995 11:14:08 -0700 <199504121814.LAA24399@precipice.shockwave.com>

>Number:         339
>Category:       bin
>Synopsis:       users may enter kerberos password at login prompt
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs (FreeBSD bugs mailing list)
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 12 11:20:04 1995
>Originator:     Paul Traina
>Organization:   Shockwave Engineering
>Release:        FreeBSD 2.1.0-Development i386
>Environment:

	FreeBSD with eBones made and installed, s/key enabled for a user,
	kerberos tickets available for a user.

>Description:

	There's a disconnect between kerberos and s/key access rules.

	If I restrict password logins using /etc/skey.access in order to
	force users to use one-time passwords (or a kerberos ticket), if
	Kerberos is enabled, a user may enter their kerberos password at
	the login prompt to gain access to the system.

	The whole point of /etc/skey.access is to stop people from entering
	passwords over the net, so the /etc/skey.access system should apply
	to locally entered kerberos tickets at the login prompt as well.

>How-To-Repeat:

	pst@precipice$ rlogin -K remote-host
	s/key 98 qu08742
	(s/key required)
	Password: <enter your kerberos password here>
	Last login: Wed Apr 12 10:54:44 from precipice
	Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
	The Regents of the University of California. All rights reserved.
	FreeBSD 2.1.0-Development (QUEMADURA) #0: Tue Apr 11 11:54:26 PDT 1995
	Welcome to FreeBSD!

>Fix:

	This isn't totally trivial, because you want to allow kerberos
	authentication to occur if a remote kerberos ticket has been validated.

>Audit-Trail:
>Unformatted:
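
Added example, not part of the original message and not FreeBSD's login(1) source: a simplified C model of the policy gap the report describes, with the reported decision beside the requested one and a matrix walk that a regression test could assert on. The enum, the function names and the passwd_ok flag (standing in for the /etc/skey.access verdict) are assumptions made for illustration.

```c
/* Added illustration: a simplified model of the login decision described in
 * the report. Not FreeBSD login(1) source; all names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

enum cred {
    CRED_SKEY_OTP,      /* one-time response to the s/key challenge */
    CRED_KRB_TICKET,    /* Kerberos ticket validated for the remote login */
    CRED_UNIX_PASSWORD, /* reusable local password typed at the prompt */
    CRED_KRB_PASSWORD,  /* reusable Kerberos password typed at the prompt */
    CRED_COUNT
};

/* Both functions assume the credential itself already verified; they only
 * answer whether policy lets this kind of credential log the user in.
 * passwd_ok models the /etc/skey.access verdict for this connection. */

/* Reported behaviour: the verdict gates only the local password. */
bool allowed_reported(enum cred c, bool passwd_ok)
{
    return c == CRED_UNIX_PASSWORD ? passwd_ok : true;
}

/* Requested behaviour: the verdict gates every reusable secret typed at the
 * prompt, while a validated remote ticket and an OTP still pass. */
bool allowed_expected(enum cred c, bool passwd_ok)
{
    bool typed_reusable = (c == CRED_UNIX_PASSWORD || c == CRED_KRB_PASSWORD);
    return typed_reusable ? passwd_ok : true;
}

/* Walk the whole matrix and count cases where the two policies disagree;
 * *last receives the credential kind of the last disagreement. */
int policy_gaps(enum cred *last)
{
    int gaps = 0;
    for (int c = 0; c < CRED_COUNT; c++)
        for (int ok = 0; ok <= 1; ok++)
            if (allowed_reported((enum cred)c, ok) != allowed_expected((enum cred)c, ok)) {
                gaps++;
                if (last) *last = (enum cred)c;
            }
    return gaps;
}

int main(void)
{
    enum cred where = CRED_COUNT;
    int n = policy_gaps(&where);
    printf("policy gaps: %d (credential kind %d)\n", n, (int)where);
    return n == 1 ? 0 : 1;
}
```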