From owner-freebsd-bugs Wed Apr 12 11:20:08 1995
Return-Path: bugs-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id LAA19592 for bugs-outgoing; Wed, 12 Apr 1995 11:20:08 -0700
Received: (from gnats@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id LAA19585 ; Wed, 12 Apr 1995 11:20:07 -0700
Date: Wed, 12 Apr 1995 11:20:07 -0700
Message-Id: <199504121820.LAA19585@freefall.cdrom.com>
From: Paul Traina
Reply-To: Paul Traina
To: freebsd-bugs
Subject: bin/339: kerberos violates s/key interaction rules
In-Reply-To: Your message of Wed, 12 Apr 1995 11:14:08 -0700
    <199504121814.LAA24399@precipice.shockwave.com>
Sender: bugs-owner@FreeBSD.org
Precedence: bulk

>Number:         339
>Category:       bin
>Synopsis:       users may enter kerberos password at login prompt
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs (FreeBSD bugs mailing list)
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 12 11:20:04 1995
>Originator:     Paul Traina
>Organization:   Shockwave Engineering
>Release:        FreeBSD 2.1.0-Development i386
>Environment:

FreeBSD with eBones made and installed, s/key enabled for a user,
kerberos tickets available for a user.

>Description:

There's a disconnect between kerberos and s/key access rules.

If I restrict password logins using /etc/skey.access in order to force
users to use one-time passwords (or a kerberos ticket), if Kerberos is
enabled, a user may enter their kerberos password at the login prompt to
gain access to the system.

The whole point of /etc/skey.access is to stop people from entering
passwords over the net, so the /etc/skey.access system should apply to
locally entered kerberos tickets at the login prompt as well.

>How-To-Repeat:

pst@precipice$ rlogin -K remote-host
s/key 98 qu08742
(s/key required)
Password:
Last login: Wed Apr 12 10:54:44 from precipice
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.

FreeBSD 2.1.0-Development (QUEMADURA) #0: Tue Apr 11 11:54:26 PDT 1995

Welcome to FreeBSD!

>Fix:

This isn't totally trivial, because you want to allow kerberos
authentication to occur if a remote kerberos ticket has been validated.

>Audit-Trail:
>Unformatted:
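
A small model of the policy mismatch described in this report, added here as an illustration; it is not FreeBSD's login code. The enum, the function names and the sample table are hypothetical, and only the `user` and `port` conditions of skey.access(5) are handled.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* How the user authenticated (hypothetical names for this model). */
enum cred { UNIX_PASSWORD, KRB_PASSWORD_AT_PROMPT, SKEY_RESPONSE, KRB_REMOTE_TICKET };
/* Constructed sample table: reusable passwords only on ttyv0 or for uucp. */
static const char SAMPLE_TABLE[] = "# sample\npermit port ttyv0\npermit user uucp\n";

/* First-match check over a subset of skey.access(5): permit/deny with "user"
 * or "port" conditions. Other conditions never match; no match means deny. */
static bool passwords_permitted(const char *table, const char *user, const char *port)
{
    while (*table != '\0') {
        char line[128], action[16], key[16], val[64];
        int used = 0, n = 0, len = (int)strcspn(table, "\n");
        bool match = true;
        snprintf(line, sizeof line, "%.*s", len, table);
        table += len + (table[len] == '\n');
        if (sscanf(line, "%15s%n", action, &used) != 1 || action[0] == '#')
            continue;                   /* blank line or comment */
        while (match && sscanf(line + used, "%15s%n", key, &n) == 1) {
            const char *want = !strcmp(key, "user") ? user : !strcmp(key, "port") ? port : NULL;
            used += n;
            n = 0;
            match = want != NULL && sscanf(line + used, "%63s%n", val, &n) == 1
                    && strcmp(val, want) == 0;
            used += n;
        }
        if (match)
            return strcmp(action, "permit") == 0;
    }
    return false;
}

/* gate_krb = false models the reported behaviour, true the requested one. */
static bool login_allowed(enum cred c, bool gate_krb, const char *table, const char *user, const char *port)
{
    if (c == UNIX_PASSWORD || (c == KRB_PASSWORD_AT_PROMPT && gate_krb))
        return passwords_permitted(table, user, port);
    return true;    /* one-time response, or ticket already validated remotely */
}

int main(void)
{
    printf("reported:  %d\n", login_allowed(KRB_PASSWORD_AT_PROMPT, false, SAMPLE_TABLE, "pst", "ttyp0"));
    printf("requested: %d\n", login_allowed(KRB_PASSWORD_AT_PROMPT, true, SAMPLE_TABLE, "pst", "ttyp0"));
    return 0;
}
```

With the sample table, a Kerberos password typed on a network tty is accepted under the reported behaviour and refused under the requested one, while an s/key response or a remotely validated ticket is accepted in both.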