From owner-freebsd-security Sat May 23 06:48:12 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA27476 for freebsd-security-outgoing; Sat, 23 May 1998 06:48:12 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from passer.osg.gov.bc.ca (0@passer.osg.gov.bc.ca [142.32.110.29]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA27467 for ; Sat, 23 May 1998 06:48:07 -0700 (PDT) (envelope-from cy@cschuber.net.gov.bc.ca)
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.8.8/8.6.10) id GAA18535; Sat, 23 May 1998 06:47:53 -0700 (PDT)
Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by passer.osg.gov.bc.ca, id smtpdaasnoa; Sat May 23 06:47:51 1998
Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.0/8.6.10) id GAA12539; Sat, 23 May 1998 06:35:04 -0700 (PDT)
Message-Id: <199805231335.GAA12539@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdd12528; Sat May 23 06:35:01 1998
X-Mailer: exmh version 2.0.2 2/24/98
Reply-to: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: cy
To: Garrett Wollman
cc: Philippe Regnauld, freebsd-security@FreeBSD.ORG
Subject: Re: SKey and locked account
In-reply-to: Your message of "Thu, 21 May 1998 20:05:20 EDT." <199805220005.UAA00936@khavrinen.lcs.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sat, 23 May 1998 06:34:56 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

> < said:
>
> > 1) First thing I noticed is that it's possible for someone to log
> > into the system, even if the account is disabled ('*' in the
> > passwd field), when S/Key is enabled for that user.
>
> Having an invalid password in the password file doesn't mean that the
> account is disabled; it just means that that user can't use a
> plain-text password to log in.  Several of us have invalid passwords
> on freefall since we always use an alternative authentication
> mechanism like S/Key.

A trick I use is to set NIS+ (or NIS) passwords to "*", which forces users
to use Kerberos authentication while using NIS+ (or NIS) for UID to
username mapping.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Open Systems Group             Internet:  cschuber@uumail.gov.bc.ca
ITSD                                      Cy.Schubert@gems8.gov.bc.ca
Government of BC

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
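Added illustration of the point made in this thread (example code, not part of the original message and not FreeBSD's login(1), crypt(3) or S/Key code): a '*' in the password field defeats only the plaintext-password path, because no hash output can ever equal '*', while a second mechanism such as an S/Key one-time-password chain still admits the user. The "$toy$" hash stands in for crypt(3), the OTP chain is a simplified S/Key (SHA-256 truncated to 8 bytes per step rather than RFC 1760's MD4 folding), the passwd lines, seed and passphrase are constructed, and the audit function at the end is the check an admin would run to find accounts that look locked but still have an OTP record.

```python
"""Constructed example: why '*' in the passwd field is not a locked account.

Not FreeBSD code. "$toy$" hashes stand in for crypt(3); the OTP chain is a
simplified S/Key (SHA-256 truncated to 8 bytes per step, not RFC 1760 MD4).
"""
import hashlib
import hmac
import time
from typing import Optional


def toy_hash(salt: str, password: str) -> str:
    """Stand-in for crypt(3): salted hash, stored as $toy$<salt>$<hex>."""
    return "$toy$" + salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()


ROOT_HASH = toy_hash("s4lt", "correct horse")

# Constructed master.passwd-style lines:
# name:hash:uid:gid:class:change:expire:gecos:home:shell
TOY_PASSWD = f"""\
root:{ROOT_HASH}:0:0::0:0:Charlie &:/root:/bin/csh
garrett:*:1001:1001::0:0:Garrett:/home/garrett:/bin/sh
alice:*:1002:1002::0:0:Alice:/home/alice:/bin/sh
bob:*:1003:1003::0:1:Bob:/home/bob:/bin/sh
"""


def parse_passwd(text: str) -> dict:
    db = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        db[f[0]] = {"hash": f[1], "uid": int(f[2]), "expire": int(f[6]), "shell": f[9]}
    return db


PASSWD = parse_passwd(TOY_PASSWD)


def check_plaintext(stored: str, password: str) -> bool:
    """Mimics login(1) with crypt(3): rehash using the stored field as salt and
    compare. '*' is never a valid hash output, so this path always fails."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "toy":
        return False
    return hmac.compare_digest(toy_hash(parts[2], password), stored)


def otp_step(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()[:8]


def skey_enroll(seed: str, passphrase: str, n: int) -> dict:
    """Server-side record after enrolment: sequence n and hash^n(seed||phrase)."""
    h = (seed + passphrase).encode()
    for _ in range(n):
        h = otp_step(h)
    return {"seq": n, "seed": seed, "last": h}


def skey_response(seed: str, passphrase: str, seq: int) -> bytes:
    """What the user's calculator emits for challenge (seq, seed): hash^(seq-1)."""
    h = (seed + passphrase).encode()
    for _ in range(seq - 1):
        h = otp_step(h)
    return h


def skey_verify(record: dict, response: bytes) -> bool:
    """Accept iff hash(response) == stored value, then step the chain down so
    the same one-time password cannot be replayed."""
    if record["seq"] <= 0:
        return False
    if not hmac.compare_digest(otp_step(response), record["last"]):
        return False
    record["seq"] -= 1
    record["last"] = response
    return True


# Constructed OTP record for the one user who "has S/Key enabled".
SKEYS = {"garrett": skey_enroll("kh51234", "garrett secret phrase", 99)}


def login(user: str, password: Optional[str] = None, otp: Optional[bytes] = None,
          now: Optional[int] = None) -> bool:
    """Emulates login(1) with S/Key enabled. Account-level checks (here the
    expire field) apply to every path; the '*' hash decides only the
    plaintext path, so an OTP user still gets in."""
    ent = PASSWD.get(user)
    if ent is None:
        return False
    now = int(time.time()) if now is None else now
    if ent["expire"] and ent["expire"] <= now:   # expired: no path works
        return False
    if otp is not None and user in SKEYS:
        return skey_verify(SKEYS[user], otp)
    if password is not None:
        return check_plaintext(ent["hash"], password)
    return False


def looks_disabled_but_is_not(passwd_db: dict, skey_db: dict) -> list:
    """Audit: accounts with a '*' hash that still have an OTP record and no
    expiry. These are exactly the accounts the thread is about."""
    return sorted(u for u, e in passwd_db.items()
                  if e["hash"] == "*" and u in skey_db and not e["expire"])
```

The audit function is the practical takeaway: if an account must really be closed, use a lever that every path honours (the expire field, a nologin shell, removing the OTP or Kerberos record), not just '*' in the hash field.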