Date:      Fri, 22 May 1998 10:12:15 +0200
From:      Philippe Regnauld <regnauld@deepo.prosa.dk>
To:        Mike Smith <mike@smith.net.au>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: SKey and locked account
Message-ID:  <19980522101215.41390@deepo.prosa.dk>
In-Reply-To: <199805212338.QAA05467@antipodes.cdrom.com>; from Mike Smith on Thu, May 21, 1998 at 04:38:30PM -0700
References:  <19980521183148.07894@deepo.prosa.dk> <199805212338.QAA05467@antipodes.cdrom.com>

Mike Smith writes:
> > I'm currently experimenting with 2.2.6, FWTK and skey.
> > 
> > 1) First thing I noticed is that it's possible for someone to log
> >    into the system, even if the account is disabled ('*' in the 
> >    passwd field), when S/Key is enabled for that user.  
> > 
> >    Surprise to me.
> 
> "*" does not disable an account - it is an invalid crypted string which 
> will fail to match any crypted plaintext password, as used by login, 
> the r* commands and ftp (when FTP is not using s/key).

	Ok -- just referring to the man page:

	The password field is the encrypted form of the password.  If the
	password field is empty, no password will be required to gain access to
	the machine.  This is almost invariably a mistake.  Because these files
	contain the encrypted user passwords, they should not be readable by
	anyone without appropriate privileges.  Administrative accounts have a
	password field containing an asterisk `*' which disallows normal logins.

	... it doesn't mention the fact that they _also_ have an invalid
	shell.


-- 
 -[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
     «Pluto placed his bad dog at the entrance of Hades to keep the dead
      IN and the living  OUT!  The archetypical corporate firewall?»
                                                       - S. Kelly Bootle
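
An added audit example, not part of the original message or of FreeBSD: it lists accounts whose password field is `*` but which still have an S/Key entry and a usable shell, the case discussed in this thread. The file layouts, the sample entries, the function names and the use of a shells list to decide what counts as a usable shell are assumptions.

```shell
#!/bin/sh
# Added example. Assumed layouts: master.passwd-style colon-separated lines
# (field 2 = password, last field = shell); an S/Key key file whose first
# whitespace-separated field is the user name; a shells file with one path
# per line. A shell counts as usable here only if it is in the shells file.

# audit_star_skey PASSWD SKEYKEYS SHELLS
# Prints each account that has "*" as its password field but still has an
# S/Key entry and a usable shell, i.e. "*" alone does not keep it out.
audit_star_skey() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # skip blanks and comments
        kind == "shells" { valid[$1] = 1; next }
        kind == "skey"   { skey[$1] = 1; next }
        kind == "passwd" {
            n = split($0, f, ":")
            if (n >= 7 && f[2] == "*" && (f[1] in skey) && (f[n] in valid))
                print f[1]
        }
    ' kind=shells "$3" kind=skey "$2" kind=passwd "$1"
}

# write_sample DIR: constructed sample files (not taken from a real system).
write_sample() {
    cat > "$1/master.passwd" <<'EOF'
root:$1$constructed$hash:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:System account:/root:/nonexistent
alice:*:1001:1001::0:0:Star and S/Key:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Star, no S/Key:/home/bob:/bin/sh
carol:$1$constructed$hash:1003:1003::0:0:Carol:/home/carol:/bin/sh
EOF
    cat > "$1/skeykeys" <<'EOF'
alice 0099 de12345 0123456789abcdef  May 22,1998 10:12:15
daemon 0099 de54321 fedcba9876543210  May 22,1998 10:12:15
carol 0042 de99999 00112233445566ff  May 22,1998 10:12:15
EOF
    printf '%s\n' '# constructed shells list' /bin/sh /bin/csh > "$1/shells"
}

dir=$(mktemp -d) && write_sample "$dir"
audit_star_skey "$dir/master.passwd" "$dir/skeykeys" "$dir/shells"
rm -rf "$dir"
```

On the sample data only `alice` is reported: `daemon` has an S/Key entry but no usable shell, `bob` has no S/Key entry, and `carol` has a real password hash.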
