Date: Sat, 13 May 2000 15:45:59 -0400 (EDT)
From: Leo Bicknell <bicknell@ussrepulse.ufp.org>
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/18535: No way to remove S/Key entries from /etc/skeykeys
Message-ID: <200005131945.PAA21516@ussrepulse.ufp.org>

>Number: 18535
>Category: bin
>Synopsis: No way to remove S/Key entries from /etc/skeykeys
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: wish
>Submitter-Id: current-users
>Arrival-Date: Sat May 13 12:50:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Leo Bicknell
>Release: FreeBSD 4.0-STABLE i386
>Organization:
United Federation of Planets
>Environment:

Applies to all versions of FreeBSD with S/Key support.

>Description:

When S/Key authentication is enabled, a user can run keyinit to generate
keys in /etc/skeykeys. That user can then use unsecured channels to access
the host with one-time passwords. When the user no longer wants S/Key
access, though, there is no easy way to remove the S/Key passwords.

Consider a user who only uses S/Key when on a trip at unsecured terminals,
and the rest of the time uses ssh or kerberized telnet. Upon return the
user would like to clear all S/Key entries, so there is no possibility of
someone being able to log in with S/Key, even if they have the user's
secret password.

This could also be useful if the user's secret password was compromised.

The only known way to clear the entries is to continue to log on until
all the keys are used up.

>How-To-Repeat:

Configure S/Key. :-)

>Fix:

I suggest a command such as "keyclear" that removes the user's S/Key entry
from /etc/skeykeys.

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
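
A sketch of the kind of "keyclear" command the report asks for, added here as an example; it is not part of the original message and not FreeBSD code. It assumes each /etc/skeykeys entry is one line whose first whitespace-separated field is the login name and that '#' lines are comments; the function name is taken from the report's suggestion and the exit codes are this example's own.

```shell
#!/bin/sh
# keyclear USER [KEYFILE]: remove USER's entry from an S/Key key file.
# Assumed layout (not stated in the report): one entry per line, login
# name in the first whitespace-separated field, '#' lines are comments.
# Exit status: 0 entry removed, 1 no entry for USER, 2 usage or I/O error.
keyclear() {
    kc_user=$1
    kc_file=${2:-/etc/skeykeys}

    [ -n "$kc_user" ] || { echo "usage: keyclear user [keyfile]" >&2; return 2; }
    [ -f "$kc_file" ] || { echo "keyclear: $kc_file: no such file" >&2; return 2; }

    # Work on a temp file in the same directory so the final mv is an
    # atomic rename and readers never see a half-written key file.
    kc_tmp=$(mktemp "${kc_file}.XXXXXX") || return 2

    # Copy mode and ownership onto the temp file first; the redirect
    # below truncates its contents but keeps those attributes.
    cp -p "$kc_file" "$kc_tmp" || { rm -f "$kc_tmp"; return 2; }

    # Compare the whole first field as a literal string, never a prefix
    # or a regex: clearing "leo" must not remove "leonard". The name is
    # passed through the environment so awk does not interpret it.
    if ! KC_USER=$kc_user awk '$1 != ENVIRON["KC_USER"]' "$kc_file" > "$kc_tmp"; then
        rm -f "$kc_tmp"
        return 2
    fi

    # Identical output means the user had no entry; leave the file alone.
    if cmp -s "$kc_file" "$kc_tmp"; then
        rm -f "$kc_tmp"
        echo "keyclear: no S/Key entry for $kc_user" >&2
        return 1
    fi

    mv -f "$kc_tmp" "$kc_file" || { rm -f "$kc_tmp"; return 2; }
}
```

The sketch does not coordinate with a login or keyinit that updates the file at the same moment, and on the real file it has to run as a user allowed to rewrite /etc/skeykeys.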