Date:      Sat, 23 May 1998 06:34:56 -0700
From:      Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
To:        Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Cc:        Philippe Regnauld <regnauld@deepo.prosa.dk>, freebsd-security@FreeBSD.ORG
Subject:   Re: SKey and locked account 
Message-ID:  <199805231335.GAA12539@cwsys.cwsent.com>
In-Reply-To: Your message of "Thu, 21 May 1998 20:05:20 EDT." <199805220005.UAA00936@khavrinen.lcs.mit.edu> 

> <<On Thu, 21 May 1998 18:31:48 +0200, Philippe Regnauld <regnauld@deepo.prosa.dk> said:
> 
> > 1) First thing I noticed is that it's possible for someone to log
> >    into the system, even if the account is disabled ('*' in the 
> >    passwd field), when S/Key is enabled for that user.  
> 
> Having an invalid password in the password file doesn't mean that the
> account is disabled; it just means that that user can't use a
> plain-text password to log in.  Several of us have invalid passwords
> on freefall since we always use an alternative authentication
> mechanism like S/Key.

A trick I use is to set NIS+ (or NIS) passwords to "*" which forces 
users to use Kerberos authentication while using NIS+ (or NIS) for UID 
to username mapping.


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Open Systems Group          Internet:  cschuber@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Government of BC            
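
An added example, not part of the original message or of anyone's post in this thread: a small audit that cross-references the password field with S/Key enrolment, to list accounts that have "*" as their password yet can still log in. The file contents are constructed samples, and the assumed layouts (password in the second colon-separated field, user name first on each skeykeys line) are assumptions of this example.

```python
# Added illustration; sample data is constructed, not taken from a real host.
# Assumed layouts: master.passwd is colon-separated with the password in
# field 2; each skeykeys line starts with the user name.

MASTER_PASSWD = """\
root:$1$constructed$notarealhash0000000000:0:0::0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:$1$constructed$notarealhash1111111111:1003:1003::0:0:Carol:/home/carol:/bin/sh
"""

SKEYKEYS = """\
alice 0098 de12345 0123456789abcdef May 21,1998 18:00:00
carol 0050 de67890 fedcba9876543210 May 20,1998 09:30:00
"""


def skey_users(skey_text):
    """Return the set of user names that have an S/Key entry."""
    return {line.split()[0] for line in skey_text.splitlines() if line.strip()}


def classify(passwd_text, skey_text):
    """Map each account to the login mechanisms these two files leave open."""
    enrolled = skey_users(skey_text)
    report = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 2:
            continue
        name, pw = fields[0], fields[1]
        password_usable = pw != "*"
        has_skey = name in enrolled
        if password_usable and has_skey:
            report[name] = "password+skey"
        elif password_usable:
            report[name] = "password"
        elif has_skey:
            report[name] = "skey-only"   # '*' but still able to log in
        else:
            report[name] = "neither"     # another mechanism (e.g. Kerberos) may apply
    return report


if __name__ == "__main__":
    for user, state in classify(MASTER_PASSWD, SKEYKEYS).items():
        print(f"{user:8} {state}")
```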
