From owner-freebsd-security Wed Apr 12 11:51:05 1995 Return-Path: security-owner Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id LAA20191 for security-outgoing; Wed, 12 Apr 1995 11:51:05 -0700 Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id LAA20185 ; Wed, 12 Apr 1995 11:51:03 -0700 Received: (from pst@localhost) by precipice.shockwave.com (8.6.11/8.6.9) id LAA24509; Wed, 12 Apr 1995 11:50:29 -0700 Date: Wed, 12 Apr 1995 11:50:29 -0700 From: Paul Traina Message-Id: <199504121850.LAA24509@precipice.shockwave.com> To: security@FreeBSD.org, wollman@FreeBSD.org Subject: one way of fixing the kerberos/skey interaction Sender: security-owner@FreeBSD.org Precedence: bulk *** login.c Sat Jan 14 19:14:10 1995 --- /tmp/login.c Wed Apr 12 11:49:45 1995 *************** *** 274,279 **** --- 274,290 ---- if (pwd) { #ifdef KERBEROS + #ifdef SKEY + /* + * Do not allow user to type in kerberos password + * over the net (actually, this is ok for encrypted + * links, but we have no way of determining if the + * link is encrypted. + */ + if (!permit_password) { + rval = 1; /* failed */ + } else + #endif rval = klogin(pwd, instance, localhost, p); if (rval != 0 && rootlogin && pwd->pw_uid != 0) rootlogin = 0;
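Review bot: the `} else` left dangling just before `#endif` binds only to the single statement `rval = klogin(pwd, instance, localhost, p);`, so the control flow depends on whether SKEY is defined and on nothing being inserted between the `#endif` and the call. Wrapping the klogin call in its own braces, or putting the whole `if (!permit_password) ... else ...` inside the `#ifdef SKEY` with a plain klogin call in an `#else` branch, would make that explicit. Note also that the following `if (rval != 0 && rootlogin && pwd->pw_uid != 0) rootlogin = 0;` still runs when `permit_password` is false, so the forced `rval = 1` is treated exactly like a real klogin failure; if that is intended, the `/* failed */` comment could say so. `permit_password` is neither declared nor set in this hunk, so the patch should show (or the message should state) where it is set and that it is defined whenever both KERBEROS and SKEY are. Minor: the parenthesis opened at "(actually, this is ok for encrypted" in the new comment is never closed.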