Date: Thu, 21 May 1998 16:38:30 -0700
From: Mike Smith <mike@smith.net.au>
To: Philippe Regnauld <regnauld@deepo.prosa.dk>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SKey and locked account
Message-ID: <199805212338.QAA05467@antipodes.cdrom.com>
In-Reply-To: Your message of "Thu, 21 May 1998 18:31:48 +0200." <19980521183148.07894@deepo.prosa.dk>

> I'm currently experimenting with 2.2.6, FWTK and skey.
>
> 1) First thing I noticed is that it's possible for someone to log
>    into the system, even if the account is disabled ('*' in the
>    passwd field), when S/Key is enabled for that user.
>
> Surprise to me.

"*" does not disable an account - it is an invalid crypted string which
will fail to match any crypted plaintext password, as used by login, the
r* commands and ftp (when FTP is not using s/key).

If you wish to disable a user's account, you should set their shell to
something nonexistent.  (Note that ssh may still be a way past this.)

-- 
\\  Sometimes you're ahead,       \\  Mike Smith
\\  sometimes you're behind.      \\  mike@smith.net.au
\\  The race is long, and in the  \\  msmith@freebsd.org
\\  end it's only with yourself.  \\  msmith@cdrom.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
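
An audit for the situation discussed in this thread, as an added example that is not part of the original message: it lists accounts whose password field is "*" but which still have an S/Key entry and a shell listed as valid. The function names, the file layouts (colon-separated passwd fields with the shell last, login name first on each S/Key key-file line, one shell path per line) and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list accounts with "*" in the password field that still
# have an S/Key entry and a shell listed as valid.
# Assumptions: passwd(5)/master.passwd-style colon fields with the shell
# last; login name is the first field of each skeykeys line; the shells
# file lists one path per line.

skey_star_accounts() {   # $1 passwd file, $2 skeykeys file, $3 shells file
    awk -F: -v skeys="$2" -v shells="$3" '
        BEGIN {
            while ((getline line < skeys) > 0) {
                if (line ~ /^[ \t]*(#|$)/) continue
                split(line, f, " ")
                has_skey[f[1]] = 1
            }
            while ((getline line < shells) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
                if (line != "") valid_shell[line] = 1
            }
        }
        /^#/ || NF < 7 { next }
        {
            # An empty shell field means /bin/sh per passwd(5).
            shell = ($NF == "") ? "/bin/sh" : $NF
            if ($2 == "*" && ($1 in has_skey) && (shell in valid_shell))
                print $1
        }
    ' "$1"
}

sample_run() {           # constructed sample data, not from a real host
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob:/home/bob:/nonexistent
carol:*:1003:1003::0:0:Carol:/home/carol:/bin/csh
dave:$1$constructed$hash:1004:1004::0:0:Dave:/home/dave:/bin/sh
EOF
    cat > "$d/skeykeys" <<'EOF'
alice 0099 de12345 0123456789abcdef May 21,1998 16:00:00
bob 0098 de12346 0123456789abcdef May 21,1998 16:00:00
dave 0050 de12347 0123456789abcdef May 21,1998 16:00:00
EOF
    printf '%s\n' /bin/sh /bin/csh > "$d/shells"
    skey_star_accounts "$d/passwd" "$d/skeykeys" "$d/shells"
    rm -rf "$d"
}

sample_run   # prints: alice
```

In the sample, bob is skipped because his shell is not listed as valid, carol because she has no S/Key entry, and dave because his password field is not "*".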