From bradley@ns2.harborcom.net  Sat Dec 21 23:09:36 1996
Received: from ns2.harborcom.net (root@ns2.harborcom.net [206.158.4.4])
          by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id XAA22108
          for <FreeBSD-gnats-submit@freebsd.org>; Sat, 21 Dec 1996 23:09:36 -0800 (PST)
Received: (from bradley@localhost)
          by ns2.harborcom.net (8.8.4/8.8.4)
	  id CAA06352; Sun, 22 Dec 1996 02:09:35 -0500 (EST)
Message-Id: <199612220709.CAA06352@ns2.harborcom.net>
Date: Sun, 22 Dec 1996 02:09:35 -0500 (EST)
From: bradley@dunn.org
Reply-To: bradley@dunn.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: su(1) does not call skeyaccess()
X-Send-Pr-Version: 3.2

>Number:         2265
>Category:       bin
>Synopsis:       su(1) does not call skeyaccess()
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    markm
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 21 23:10:01 PST 1996
>Closed-Date:    Wed Jun 13 07:32:56 PDT 2001
>Last-Modified:  Wed Jun 13 07:34:20 PDT 2001
>Originator:     Bradley Dunn
>Release:        FreeBSD 2.1.6-RELEASE i386
>Organization:
HarborCom
>Environment:

	Stock 2.1.6-RELEASE system. Problem exists on all versions of FreeBSD.

>Description:

	su(1) does not call skeyaccess() (from libskey), thus rendering the
controls in /etc/skey.access useless.

>How-To-Repeat:

	grep skeyaccess /usr/src/usr.bin/su/*

>Fix:
	
	Add call to skeyaccess() in su.c. Example implementations are in login(1)
and ftpd(8).

>Release-Note:
>Audit-Trail:

From: J Wunsch <j@uriah.heep.sax.de>
To: bradley@dunn.org
Cc: FreeBSD-gnats-submit@freebsd.org, guido@gvr.win.tue.nl (Guido van Rooij)
Subject: Re: bin/2265: su(1) does not call skeyaccess()
Date: Sun, 22 Dec 1996 10:33:24 +0100 (MET)

 As bradley@dunn.org wrote:
 
 > >Description:
 > 
 > 	su(1) does not call skeyaccess() (from libskey), thus rendering the
 > controls in /etc/skey.access useless.
 
 Well, it rather seems like it was deliberately omitted, as opposed to
 forgotten.  A user running su(1) has already been authenticated to the
 system, and _that's_ where skey.access should hit.
 
 Guido, any comments on this (and perhaps even a manpage for
 skeyaccess(3) :)?
 
 -- 
 cheers, J"org
 
 joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
 Never trust an operating system you don't have sources for. ;-)

From: Bradley Dunn <bradley@dunn.org>
To: Joerg Wunsch <joerg_wunsch@uriah.heep.sax.de>
Cc: FreeBSD-gnats-submit@freebsd.org, Guido van Rooij <guido@gvr.win.tue.nl>
Subject: Re: bin/2265: su(1) does not call skeyaccess()
Date: Sun, 22 Dec 1996 11:41:41 -0500 ()

 On Sun, 22 Dec 1996, J Wunsch wrote:
 
 > As bradley@dunn.org wrote:
 > 
 > > >Description:
 > > 
 > > 	su(1) does not call skeyaccess() (from libskey), thus rendering the
 > > controls in /etc/skey.access useless.
 > 
 > Well, it rather seems like it was deliberately omitted, as opposed to
 > forgotten.  A user running su(1) has already been authenticated to the
 > system, and _that's_ where skey.access should hit.
 
 Someone running su(1) has already been authenticated, but as someone else.
 
 I think that if one puts a "deny user foo" in skey.access, the intention
 is that foo should not be able to gain access to the system using foo's
 UNIX password. With the current su, foo has a way of gaining access with
 his UNIX password, even though it is desired that he not be able to.
 
 -BD
 

From: Guido van Rooij <guido@gvr.win.tue.nl>
To: bradley@dunn.org (Bradley Dunn)
Cc: joerg_wunsch@uriah.heep.sax.de, FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/2265: su(1) does not call skeyaccess()
Date: Mon, 23 Dec 1996 18:12:57 +0100 (MET)

 Bradley Dunn wrote:
 > Someone running su(1) has already been authenticated, but as someone else.
 > 
 
 Correct.
 
 > I think that if one puts a "deny user foo" in skey.access, the intention
 > is that foo should not be able to gain access to the system using foo's
 > UNIX password. With the current su, foo has a way of gaining access with
 > his UNIX password, even though it is desired that he not be able to.A
 
 All of your reasoning is correct. If there's enough demand, I'll add
 the su skey code to su.
 Btw: there is a manpage for skey.access:
 	skey.access(5)           - S/Key password control table
 
 
 -Guido

From: Guido van Rooij <guido@gvr.win.tue.nl>
To: joerg_wunsch@uriah.heep.sax.de
Cc: bradley@dunn.org, FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/2265: su(1) does not call skeyaccess()
Date: Mon, 23 Dec 1996 18:09:34 +0100 (MET)

 J Wunsch wrote:
 > As bradley@dunn.org wrote:
 > 
 > > >Description:
 > > 
 > > 	su(1) does not call skeyaccess() (from libskey), thus rendering the
 > > controls in /etc/skey.access useless.
 > 
 > Well, it rather seems like it was deliberately omitted, as opposed to
 > forgotten.  A user running su(1) has already been authenticated to the
 > system, and _that's_ where skey.access should hit.
 > 
 > Guido, any comments on this (and perhaps even a manpage for
 > skeyaccess(3) :)?
 
 Not really. We use a modified su all the time. The advantage is that you
 never have to type in the root password over an insecure line.
 If there is enough demand I can add it. I will look for the manpage;
 I thought I'd already add it.
 
 -Guido
State-Changed-From-To: open->analyzed 
State-Changed-By: guido 
State-Changed-When: Sat Jan 4 00:19:51 MET 1997 
State-Changed-Why:  
I will try to get the skeyaccess into su asap. Further I'll try to  
come up with a manpage for skeyaccess(3). 
Responsible-Changed-From-To: freebsd-bugs->guido 
Responsible-Changed-By: mpp 
Responsible-Changed-When: Tue Feb 25 22:40:58 PST 1997 
Responsible-Changed-Why:  
Guido said he was working on this in the audit trail of 
this PR. 

From: Guido van Rooij <guido@gvr.win.tue.nl>
To: guido@gvr.win.tue.nl (guido)
Cc: bradley@dunn.org, joerg_wunsch@uriah.heep.sax.de,
        FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/2265: su(1) does not call skeyaccess()
Date: Thu, 27 Mar 1997 21:15:15 +0100 (MET)

 After discussion with Wietse I think we should consider not doing this
 change. The argument: 
 keysu cannot reliably determine where the user is logged in from.
 The hostname in /etc/utmp may be truncated.
 

From: Bradley Dunn <bradley@dunn.org>
To: Guido van Rooij <guido@gvr.win.tue.nl>
Cc: joerg_wunsch@uriah.heep.sax.de, FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/2265: su(1) does not call skeyaccess()
Date: Thu, 27 Mar 1997 15:32:41 -0500 (EST)

 On Thu, 27 Mar 1997, Guido van Rooij wrote:
 
 > After discussion with Wietse I think we should consider not doing this
 > change. The argument: 
 > keysu cannot reliably determine where the user is logged in from.
 > The hostname in /etc/utmp may be truncated.
 
 I thought FreeBSD avoided this by using the IP address if hostname >
 UT_HOSTSIZE?
 
 
 pbd
 
Responsible-Changed-From-To: guido->markm 
Responsible-Changed-By: nra 
Responsible-Changed-When: Wed Jun 13 07:26:36 PDT 2001 
Responsible-Changed-Why:  
markm just retired skey and PAMized su.  He will know 
how to deal with this PR.  Thanks! 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=2265 
State-Changed-From-To: analyzed->closed 
State-Changed-By: markm 
State-Changed-When: Wed Jun 13 07:32:56 PDT 2001 
State-Changed-Why:  
su(1) uses PAM, and PAM is responsible for skey-type activities. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=2265 
>Unformatted:
