Date: Thu, 8 Apr 1999 15:20:42 -0400 (EDT)
From: Daniel Hagan
To: FreeBsd-security@freebsd.org
Subject: Login & s/key brain damage?

On a FreeBSD-3.1-Release system, I've configured the following in
/etc/skey.access:

----->8-----
permit group wheel internet (my network) (my netmask)
# Force everyone to login with skey.
deny
----->8-----

This seems to work just as advertised, except for one thing: logging in
with an invalid username results in an immediate error message, while
valid accounts proceed to the password prompt:

----->8-----
%telnet localhost
Trying 127.0.0.1...
Connected to localhost.cs.vt.edu.
Escape character is '^]'.

FreeBSD/i386 (myhost.cs.vt.edu) (ttyp2)

login: bozo
Login incorrect
login: root
s/key 94 po93853
Password:
----->8-----

It seems to me that a more correct behavior would be to always present a
(possibly random) skey challenge, and only reject the login after they
try a password. This current situation seems to present an easy way of
id-ing userids on a system that someone wants secure.

Is this correct behavior, or should we think about modifying login(1)?

Daniel

--
Daniel Hagan
Computer Systems Engineer
dhagan@cs.vt.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
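The "always present a challenge" behaviour the post asks for, as an added C illustration that is not login(1) or libskey code: the key table, the host secret and the fake-challenge derivation are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct skey_user { const char *name; int seq; const char *seed; };

/* Constructed stand-in for /etc/skeykeys (not a real key file). */
static const struct skey_user skeykeys[] = { { "root", 94, "po93853" } };

/* Hypothetical per-host secret: unguessable, and fixed across calls so the
 * fake challenge for a given name is the same on every attempt. */
static const char host_secret[] = "CONSTRUCTED-HOST-SECRET";

static uint32_t fnv1a(const char *s, uint32_t h) {
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 16777619u; }
    return h;
}

/* Behaviour described in the post: a challenge only for known accounts, so
 * the mere presence of the s/key prompt confirms that "user" exists. */
int leaky_challenge(const char *user, char *buf, size_t len) {
    for (size_t i = 0; i < sizeof skeykeys / sizeof skeykeys[0]; i++)
        if (strcmp(skeykeys[i].name, user) == 0) {
            snprintf(buf, len, "s/key %d %s", skeykeys[i].seq, skeykeys[i].seed);
            return 1;
        }
    return 0;
}

/* Proposed behaviour: every name gets a challenge.  Unknown names get one
 * derived from the name and the host secret, so it looks plausible and does
 * not change between attempts (a freshly random one would itself leak). */
const char *uniform_prompt(const char *user) {
    static char buf[64];
    if (!leaky_challenge(user, buf, sizeof buf)) {
        uint32_t h = fnv1a(user, fnv1a(host_secret, 2166136261u));
        snprintf(buf, sizeof buf, "s/key %u po%05u",
                 (unsigned)(10 + h % 90), (unsigned)((h / 90) % 100000));
    }
    return buf;
}

/* Repeat attempts for the same unknown name must yield an identical prompt. */
int prompt_is_stable(const char *user) {
    char first[64];
    strcpy(first, uniform_prompt(user));
    return strcmp(first, uniform_prompt(user)) == 0;
}
```

A stable fake prompt removes the immediate "Login incorrect" tell but not every difference: a real account's sequence number decrements after each successful one-time password, while a fabricated one never does, so this narrows the gap rather than closing it entirely.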