From bicknell@ussrepulse.ufp.org  Sat May 13 12:46:01 2000
Return-Path: <bicknell@ussrepulse.ufp.org>
Received: from ussrepulse.ufp.org (ussrepulse.ufp.org [209.249.106.100])
	by hub.freebsd.org (Postfix) with ESMTP id 7CCFF37B51E
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 13 May 2000 12:46:00 -0700 (PDT)
	(envelope-from bicknell@ussrepulse.ufp.org)
Received: (from bicknell@localhost)
	by ussrepulse.ufp.org (8.9.3/8.9.3) id PAA21516;
	Sat, 13 May 2000 15:45:59 -0400 (EDT)
	(envelope-from bicknell)
Message-Id: <200005131945.PAA21516@ussrepulse.ufp.org>
Date: Sat, 13 May 2000 15:45:59 -0400 (EDT)
From: Leo Bicknell <bicknell@ussrepulse.ufp.org>
Reply-To: bicknell@ussrepulse.ufp.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: No way to remove S/Key entries from /etc/skeykeys
X-Send-Pr-Version: 3.2

>Number:         18535
>Category:       bin
>Synopsis:       No way to remove S/Key entries from /etc/skeykeys
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    ceri
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          wish
>Submitter-Id:   current-users
>Arrival-Date:   Sat May 13 12:50:00 PDT 2000
>Closed-Date:    Sun Jun 08 11:00:54 PDT 2003
>Last-Modified:  Sun Jun 08 11:00:54 PDT 2003
>Originator:     Leo Bicknell
>Release:        FreeBSD 4.0-STABLE i386
>Organization:
United Federation of Planets
>Environment:

	Applies to all versions of FreeBSD with S/Key support.

>Description:

	When S/Key authentication is enabled, a user can run keyinit to
generate keys in /etc/skeykeys.  That user can then use unsecured channels
to access the host with one-time passwords.  When the user no longer wants
S/Key access, though, there is no easy way to remove the S/Key passwords.

	Consider a user who only uses S/Key when on a trip at unsecured
terminals, and the rest of the time uses ssh or kerberized telnet.  Upon
return the user would like to clear all S/Key entries, so there is no
possibility of someone being able to log in with S/Key, even if they have
the user's secret password.

	This could also be useful if the user's secret password was compromised.

	The only known way to clear the entries is to continue to log on
until all the keys are used up.

>How-To-Repeat:

	Configure S/Key. :-)

>Fix:

	I suggest a command such as "keyclear" that removes the user's
S/Key entry from /etc/skeykeys.


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: schweikh 
State-Changed-When: Tue Aug 13 14:06:54 PDT 2002 
State-Changed-Why:  
Is a recent skey installation still not able to do this? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=18535 
State-Changed-From-To: feedback->closed 
State-Changed-By: ceri 
State-Changed-When: Sun Jun 8 11:00:52 PDT 2003 
State-Changed-Why:  
Feedback timeout (6 months or more). 
I will handle any feedback that this closure generates. 


Responsible-Changed-From-To: freebsd-bugs->ceri 
Responsible-Changed-By: ceri 
Responsible-Changed-When: Sun Jun 8 11:00:52 PDT 2003 
Responsible-Changed-Why:  
Feedback timeout (6 months or more). 
I will handle any feedback that this closure generates. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=18535 
>Unformatted:
