From owner-freebsd-bugs Sat May 13 12:50: 7 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id CAF0837BB49
	for ; Sat, 13 May 2000 12:50:00 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id MAA96703;
	Sat, 13 May 2000 12:50:00 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: from ussrepulse.ufp.org (ussrepulse.ufp.org [209.249.106.100])
	by hub.freebsd.org (Postfix) with ESMTP id 7CCFF37B51E
	for ; Sat, 13 May 2000 12:46:00 -0700 (PDT)
	(envelope-from bicknell@ussrepulse.ufp.org)
Received: (from bicknell@localhost)
	by ussrepulse.ufp.org (8.9.3/8.9.3) id PAA21516;
	Sat, 13 May 2000 15:45:59 -0400 (EDT)
	(envelope-from bicknell)
Message-Id: <200005131945.PAA21516@ussrepulse.ufp.org>
Date: Sat, 13 May 2000 15:45:59 -0400 (EDT)
From: Leo Bicknell
Reply-To: bicknell@ussrepulse.ufp.org
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/18535: No way to remove S/Key entries from /etc/skeykeys
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 18535
>Category: bin
>Synopsis: No way to remove S/Key entries from /etc/skeykeys
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: wish
>Submitter-Id: current-users
>Arrival-Date: Sat May 13 12:50:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Leo Bicknell
>Release: FreeBSD 4.0-STABLE i386
>Organization: United Federation of Planets
>Environment:
Applies to all versions of FreeBSD with S/Key support.
>Description:
When S/Key authentication is enabled, a user can run keyinit to generate keys in /etc/skeykeys. That user can then use unsecured channels to access the host with one time passwords. When the user no longer wants S/Key access though there is no easy way to remove the S/Key passwords.

Consider a user who only uses S/Key when on a trip at unsecured terminals, and the rest of the time uses ssh or kerberized telnet. Upon return the user would like to clear all S/Key entries, so there is no possibility of someone being able to log in with S/Key, even if they have the user's secret password. This could also be useful if the user's secret password was compromised. The only known way to clear the entries is to continue to log on until all the keys are used up.
>How-To-Repeat:
Configure S/Key. :-)
>Fix:
I suggest a command such as "keyclear" that removes the user's S/Key entry from /etc/skeykeys.
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
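
A sketch of the "keyclear" idea proposed above, added here as an example; it is not part of the original report and not FreeBSD code. It assumes each entry in the key file is a single line whose first whitespace-separated field is the login name, and it takes the file path as an argument so it can be tried on a copy rather than on /etc/skeykeys itself.

```shell
#!/bin/sh
# keyclear sketch: remove one user's S/Key entry from a skeykeys-style file.
# Assumption (not stated in the report): one entry per line, login name in
# the first whitespace-separated field.

keyclear() {
    file=$1
    user=$2
    [ -n "$user" ] && [ -f "$file" ] || {
        echo "usage: keyclear FILE USER" >&2
        return 2
    }

    # Build the replacement next to the original so the final mv is an
    # atomic rename; a concurrent login never reads a half-written file.
    # mktemp creates it mode 0600, so the result is not world-readable.
    tmp=$(mktemp "${file}.XXXXXX") || return 1

    # Exact string match on field 1. A substring or regex match would also
    # delete "alice2" when clearing "alice"; the "" forces string (not
    # numeric) comparison for all-digit login names.
    if ! awk -v u="$user" '($1 "") != (u "")' "$file" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    # Nothing removed: report it instead of silently claiming success.
    if cmp -s "$file" "$tmp"; then
        rm -f "$tmp"
        echo "keyclear: no S/Key entry for $user" >&2
        return 1
    fi

    mv -f "$tmp" "$file"
}

# Demo on constructed sample data (not real keys): sh keyclear.sh demo
if [ "${1:-}" = demo ]; then
    sample=$(mktemp)
    printf '%s\n' \
        'alice 0099 ab12345 0123456789abcdef May 13,2000 12:00:00' \
        'alice2 0050 cd67890 fedcba9876543210 May 13,2000 12:05:00' \
        'bob 0010 ef24680 0011223344556677 May 13,2000 12:10:00' > "$sample"
    keyclear "$sample" alice && cat "$sample"
    rm -f "$sample"
fi
```

A nonzero return tells the caller that no entry was removed, so a wrapper can distinguish "cleared" from "was never enrolled".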