From owner-freebsd-security Thu May 21 17:43:21 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA13614 for freebsd-security-outgoing; Thu, 21 May 1998 17:43:21 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from antipodes.cdrom.com (castles145.castles.com [208.214.165.145]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA13432 for ; Thu, 21 May 1998 17:42:28 -0700 (PDT) (envelope-from mike@antipodes.cdrom.com)
Received: from antipodes.cdrom.com (localhost [127.0.0.1]) by antipodes.cdrom.com (8.8.8/8.8.5) with ESMTP id QAA05467; Thu, 21 May 1998 16:38:30 -0700 (PDT)
Message-Id: <199805212338.QAA05467@antipodes.cdrom.com>
X-Mailer: exmh version 2.0zeta 7/24/97
To: Philippe Regnauld
cc: freebsd-security@FreeBSD.ORG
Subject: Re: SKey and locked account
In-reply-to: Your message of "Thu, 21 May 1998 18:31:48 +0200." <19980521183148.07894@deepo.prosa.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Date: Thu, 21 May 1998 16:38:30 -0700
From: Mike Smith
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by hub.freebsd.org id RAA13455
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

> I'm currently experimenting with 2.2.6, FWTK and skey.
>
> 1) First thing I noticed is that it's possible for someone to log
> into the system, even if the account is disabled ('*' in the
> passwd field), when S/Key is enabled for that user.
>
> Surprise to me.

"*" does not disable an account - it is an invalid crypted string which
will fail to match any crypted plaintext password, as used by login, the
r* commands and ftp (when FTP is not using s/key).

If you wish to disable a user's account, you should set their shell to
something nonexistent. (Note that ssh may still be a way past this.)

--
\\  Sometimes you're ahead,       \\  Mike Smith
\\  sometimes you're behind.      \\  mike@smith.net.au
\\  The race is long, and in the  \\  msmith@freebsd.org
\\  end it's only with yourself.  \\  msmith@cdrom.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
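An added audit script illustrating the point of the reply above (not part of the original thread): it lists accounts whose password field is "*" and reports which of them could still log in because S/Key is enrolled, and which are actually blocked by a nonexistent shell. The master.passwd layout is the standard one; the skeykeys line layout ("user seq seed key"), the sample entries and the set of installed shells are constructed assumptions.

```python
# Constructed sample in master.passwd field order:
# name:password:uid:gid:class:change:expire:gecos:home:shell
MASTER_PASSWD = """\
root:$1$abc$xyz:0:0::0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:*:1003:1003::0:0:Carol:/home/carol:/usr/bin/nosuchshell
"""

# Constructed S/Key database; "user seq seed key" layout is an assumption
SKEYKEYS = """\
alice 0099 fr12345 0123456789abcdef
carol 0098 fr54321 fedcba9876543210
"""

# Shells that exist on the constructed host (assumption)
EXISTING_SHELLS = {"/bin/sh", "/bin/csh"}


def parse_passwd(text):
    """Map user name -> password field and login shell."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        users[f[0]] = {"password": f[1], "shell": f[9]}
    return users


def skey_users(text):
    """Set of users with an S/Key entry (first token of each line)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def audit(passwd_text, skey_text, shells):
    """Verdict per account that has '*' in the password field.
    '*' only defeats password-based checks; a missing shell blocks the
    login regardless of how the user authenticated (ssh aside, as the
    reply notes)."""
    report = {}
    skey = skey_users(skey_text)
    for name, u in parse_passwd(passwd_text).items():
        if u["password"] != "*":
            continue
        if u["shell"] not in shells:
            report[name] = "blocked: login shell does not exist"
        elif name in skey:
            report[name] = "REACHABLE: S/Key login still works"
        else:
            report[name] = "password login fails, shell still valid"
    return report


if __name__ == "__main__":
    for user, verdict in audit(MASTER_PASSWD, SKEYKEYS, EXISTING_SHELLS).items():
        print(f"{user}: {verdict}")
```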