mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-12-29 06:47:21 +01:00
110af3d672
2 Added optional excessive login logging. 3) Added login acces control on a per host/tty base. 4) See skey(1) for skey descriptions and src/usr.bin/login/README for the logging and access control features. -Guido
101 lines
3.3 KiB
Plaintext
101 lines
3.3 KiB
Plaintext
One of the nice things of S/Key is that it still leaves you the option
|
|
to use regular UNIX passwords. In fact, the presence of S/Key support
|
|
is completely invisible for a user until she has set up a password with
|
|
the keyinit command. You can permit regular UNIX passwords for local
|
|
logins, while at the same time insisting on S/Key passwords for logins
|
|
from outside.
|
|
|
|
ORIGIN
|
|
|
|
These files are modified versions of the s/key files found on
|
|
thumper.bellcore.com at 21 oct 1993. They have been fixed to
|
|
run on top of SunOS 4.1.3 and Solaris 2.3.
|
|
|
|
Installation is described at the end of this file.
|
|
|
|
USAGE
|
|
|
|
Use the keyinit command to set up a new series of s/key passwords.
|
|
|
|
wzv_6% keyinit
|
|
Updating wietse:
|
|
Old key: wz173500
|
|
Reminder - Only use this method if you are direct connected.
|
|
If you are using telnet or dial-in exit with no password and use keyinit -s.
|
|
Enter secret password:
|
|
Again secret password:
|
|
|
|
ID wietse s/key is 99 wz173501
|
|
BLAH BLA BLAH BLAH BLAH BLA
|
|
|
|
Be sure to make your secret password sufficiently long. Try using a
|
|
full sentence instead of just one single word.
|
|
|
|
You will have to do a "keyinit" on every system that you want to login
|
|
on using one-time passwords.
|
|
|
|
Whenever you log into an s/key protected system you will see
|
|
something like:
|
|
|
|
login: wietse
|
|
s/key 98 wz173501
|
|
Password:
|
|
|
|
In this case you can either enter your regular UNIX password or
|
|
your one-time s/key password. For example, I open a local window
|
|
to compute the password:
|
|
|
|
local% key 98 wz173501
|
|
Reminder - Do not use key while logged in via telnet or rlogin.
|
|
Enter secret password:
|
|
BLAH BLA BLAH BLAH BLAH BLA
|
|
|
|
The "BLAH BLA BLAH BLAH BLAH BLA" is the one-time s/key password.
|
|
|
|
If you have to type the one-time password in by hand, it is convenient
|
|
to have echo turned on so that you can correct typing errors. Just type
|
|
a newline at the "Password:" prompt:
|
|
|
|
login: wietse
|
|
s/key 98 wz173501
|
|
Password: (turning echo on)
|
|
Password:BLAH BLA BLAH BLAH BLAH BLA
|
|
|
|
The 98 in the challenge will be 97 the next time, and so on. You'll get
|
|
a warning when you are about to run out of s/key passwords, so that you
|
|
will have to run the keyinit command again.
|
|
|
|
Sometimes it is more practical to carry a piece of paper with a small
|
|
series of one-time passwords. You can generate the list with:
|
|
|
|
% key -n 10 98 wz173501
|
|
98: BLAH BLA BLAH BLAH BLAH BLA
|
|
97: ...
|
|
96: ...
|
|
|
|
Be careful when printing material like this!
|
|
|
|
INSTALLATION
|
|
|
|
To install, do: make sunos4 (or whatever), then: make install.
|
|
|
|
The UNIX password is always permitted with non-network logins. By
|
|
default, UNIX passwords are always permitted (the Bellcore code by
|
|
default disallows UNIX passwords but I think that is too painful). In
|
|
order to permit UNIX passwords only with logins from specific networks,
|
|
create a file /etc/skey.access. For example,
|
|
|
|
# First word says if UNIX passwords are to be permitted or denied.
|
|
# remainder of the rule is a networknumber and mask. A rule matches a
|
|
# host if any of its addresses satisfies:
|
|
#
|
|
# network = (address & mask)
|
|
#
|
|
#what network mask
|
|
permit 131.155.210.0 255.255.255.0
|
|
deny 0.0.0.0 0.0.0.0
|
|
|
|
This particular example will permit UNIX passwords with logins from any
|
|
host on network 131.155.210, but will insist on one-time passwords in
|
|
all other cases.
|