Date:      Wed, 12 Apr 1995 11:20:07 -0700
From:      Paul Traina <pst@Shockwave.COM>
To:        freebsd-bugs
Subject:   bin/339: kerberos violates s/key interaction rules
Message-ID:  <199504121820.LAA19585@freefall.cdrom.com>
In-Reply-To: Your message of Wed, 12 Apr 1995 11:14:08 -0700 <199504121814.LAA24399@precipice.shockwave.com>


>Number:         339
>Category:       bin
>Synopsis:       users may enter kerberos password at login prompt
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs (FreeBSD bugs mailing list)
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 12 11:20:04 1995
>Originator:     Paul Traina
>Organization:
Shockwave Engineering
>Release:        FreeBSD 2.1.0-Development i386
>Environment:

FreeBSD with eBones made and installed, s/key enabled for a user,
kerberos tickets available for a user.

>Description:

There's a disconnect between kerberos and s/key access rules.

If I restrict password logins using /etc/skey.access in order to force
users to use one-time passwords (or a kerberos ticket), if Kerberos is
enabled, a user may enter their kerberos password at the login prompt
to gain access to the system.

The whole point of /etc/skey.access is to stop people from entering
passwords over the net, so the /etc/skey.access system should apply
to locally entered kerberos tickets at the login prompt as well.

>How-To-Repeat:

pst@precipice$ rlogin -K remote-host
s/key 98 qu08742
(s/key required)
Password: <enter your kerberos password here>
Last login: Wed Apr 12 10:54:44 from precipice
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994

The Regents of the University of California.   All rights reserved.

FreeBSD 2.1.0-Development (QUEMADURA) #0: Tue Apr 11 11:54:26 PDT 1995

Welcome to FreeBSD!

>Fix:
	
This isn't totally trivial, because you want to allow kerberos authentication
to occur if a remote kerberos ticket has been validated.
>Audit-Trail:
>Unformatted:




