Date: Sat, 23 May 1998 06:34:56 -0700
From: Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
To: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Cc: Philippe Regnauld <regnauld@deepo.prosa.dk>, freebsd-security@FreeBSD.ORG
Subject: Re: SKey and locked account
Message-ID: <199805231335.GAA12539@cwsys.cwsent.com>
In-Reply-To: Your message of "Thu, 21 May 1998 20:05:20 EDT." <199805220005.UAA00936@khavrinen.lcs.mit.edu>

> <<On Thu, 21 May 1998 18:31:48 +0200, Philippe Regnauld <regnauld@deepo.prosa.dk> said:
>
> > 1) First thing I noticed is that it's possible for someone to log
> > into the system, even if the account is disabled ('*' in the
> > passwd field), when S/Key is enabled for that user.
>
> Having an invalid password in the password file doesn't mean that the
> account is disabled; it just means that that user can't use a
> plain-text password to log in.  Several of us have invalid passwords
> on freefall since we always use an alternative authentication
> mechanism like S/Key.

A trick I use is to set NIS+ (or NIS) passwords to "*" which forces
users to use Kerberos authentication while using NIS+ (or NIS) for UID
to username mapping.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Open Systems Group          Internet:  cschuber@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Government of BC

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
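
An added example, not part of the original message: an audit check for the situation discussed in this thread, listing accounts whose password field is `*` but which still have an S/Key entry and so can still authenticate. The function name, the sample data and the assumed file layouts (a colon-separated passwd-style file and a whitespace-separated `/etc/skeykeys`-style file of `name sequence seed key date`) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find accounts with '*' in the password field that still
# have an S/Key entry. File layouts below are assumed, data is constructed.

# locked_with_skey PASSWD_FILE SKEYKEYS_FILE
# Prints "name remaining-sequence" for each account that cannot use a
# plain-text password but can still log in with S/Key.
locked_with_skey() {
    awk '
        FNR == NR {                          # first file: S/Key database
            if ($0 !~ /^[ \t]*(#|$)/)        # skip comments and blank lines
                seq[$1] = $2                 # remember sequence number per user
            next
        }
        {                                    # second file: passwd entries
            n = split($0, f, ":")
            if (n >= 2 && substr(f[2], 1, 1) == "*" && (f[1] in seq))
                print f[1], seq[f[1]]
        }
    ' "$2" "$1"
}

# Run the check against constructed sample files.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:$1$constructed$hash:0:0::0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:$1$constructed$hash:1003:1003::0:0:Carol:/home/carol:/bin/sh
EOF
    cat > "$dir/skeykeys" <<'EOF'
# constructed entries
alice 0098 fr12345 0123456789abcdef  May 21,1998 18:31:48
carol 0050 fr67890 fedcba9876543210  May 20,1998 09:00:00
EOF
    locked_with_skey "$dir/passwd" "$dir/skeykeys"
    rm -rf "$dir"
}

demo
```

In the sample, only `alice` is reported: `bob` has `*` and no S/Key entry, and `carol` has both a password hash and an S/Key entry.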