Date:      Thu, 21 May 1998 16:38:30 -0700
From:      Mike Smith <mike@smith.net.au>
To:        Philippe Regnauld <regnauld@deepo.prosa.dk>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: SKey and locked account 
Message-ID:  <199805212338.QAA05467@antipodes.cdrom.com>
In-Reply-To: Your message of "Thu, 21 May 1998 18:31:48 +0200." <19980521183148.07894@deepo.prosa.dk>

> I'm currently experimenting with 2.2.6, FWTK and skey.
> 
> 1) First thing I noticed is that it's possible for someone to log
>    into the system, even if the account is disabled ('*' in the 
>    passwd field), when S/Key is enabled for that user.  
> 
>    Surprise to me.

"*" does not disable an account - it is an invalid crypted string which 
will fail to match any crypted plaintext password, as used by login, 
the r* commands and ftp (when FTP is not using s/key).

If you wish to disable a user's account, you should set their shell to 
something nonexistent.  (Note that ssh may still be a way past this.)

-- 
\\  Sometimes you're ahead,       \\  Mike Smith
\\  sometimes you're behind.      \\  mike@smith.net.au
\\  The race is long, and in the  \\  msmith@freebsd.org
\\  end it's only with yourself.  \\  msmith@cdrom.com
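
An audit for the situation discussed in this message, as an added example that is not part of the original e-mail: it lists accounts whose password field is `*` but which still have an S/Key entry and a usable shell. The sample data is constructed; the file layouts (10-field `master.passwd`, whitespace-separated `skeykeys` with the user name first) and the use of the shells list as a stand-in for "the shell path exists" are assumptions.

```python
"""Audit: accounts with '*' in the password field that S/Key can still open."""

# Constructed sample data; formats assumed: FreeBSD master.passwd (10
# colon-separated fields), skeykeys (user seq seed key date), /etc/shells.
MASTER_PASSWD = """\
root:$1$constructed$hash:0:0::0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:*:1003:1003::0:0:Carol:/home/carol:/nonexistent
dave:$1$constructed$hash:1004:1004::0:0:Dave:/home/dave:/bin/sh
"""
SKEYKEYS = """\
alice 0098 de12345 0123456789abcdef  May 21,1998 16:00:00
carol 0050 de54321 fedcba9876543210  May 20,1998 09:30:00
dave 0010 de99999 0011223344556677  May 19,1998 11:00:00
"""
SHELLS = """\
# List of acceptable shells
/bin/sh
/bin/csh
"""

def parse_passwd(text):
    """Yield (user, password_field, shell) for each well-formed line."""
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 10:
            continue
        yield fields[0], fields[1], fields[9]

def skey_users(text):
    """Return the set of user names that have an S/Key entry."""
    return {l.split()[0] for l in text.splitlines()
            if l.strip() and not l.startswith("#")}

def valid_shells(text):
    """Return shell paths from the shells list, skipping comments."""
    return {l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}

def falsely_locked(passwd, skeys, shells):
    """Users whose password field is '*' but who keep an S/Key entry and a
    usable shell, so a one-time password still logs them in."""
    enrolled, usable = skey_users(skeys), valid_shells(shells)
    return [user for user, pw, shell in parse_passwd(passwd)
            if pw == "*" and user in enrolled and shell in usable]

if __name__ == "__main__":
    for user in falsely_locked(MASTER_PASSWD, SKEYKEYS, SHELLS):
        print(f"{user}: '*' password but S/Key entry and valid shell")
```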


