From pst@Shockwave.COM  Wed Apr 12 11:14:44 1995
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33])
          by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id LAA19521
          ; Wed, 12 Apr 1995 11:14:43 -0700
Received: (from pst@localhost) by precipice.shockwave.com (8.6.11/8.6.9) id LAA24399; Wed, 12 Apr 1995 11:14:08 -0700
Message-Id: <199504121814.LAA24399@precipice.shockwave.com>
Date: Wed, 12 Apr 1995 11:14:08 -0700
From: Paul Traina <pst@Shockwave.COM>
Reply-To: pst@Shockwave.COM
To: FreeBSD-gnats-submit@freebsd.org
Cc: wollman@freebsd.org
Subject: kerberos violates s/key interaction rules
X-Send-Pr-Version: 3.2

>Number:         339
>Category:       bin
>Synopsis:       users may enter kerberos password at login prompt
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs (FreeBSD bugs mailing list)
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 12 11:20:04 1995
>Closed-Date:    Thu Apr 13 08:20:52 PDT 1995
>Last-Modified:
>Originator:     Paul Traina
>Release:        FreeBSD 2.1.0-Development i386
>Organization:
Shockwave Engineering
>Environment:

FreeBSD with eBones made and installed, s/key enabled for a user,
kerberos tickets available for a user.

>Description:

There's a disconnect between kerberos and s/key access rules.

If I restrict password logins using /etc/skey.access in order to force
users to use one-time passwords (or a kerberos ticket), if Kerberos is
enabled, a user may enter their kerberos password at the login prompt
to gain access to the system.

The whole point of /etc/skey.access is to stop people from entering
passwords over the net, so the /etc/skey.access system should apply
to locally entered kerberos tickets at the login prompt as well.

>How-To-Repeat:

pst@precipice$ rlogin -K remote-host
s/key 98 qu08742
(s/key required)
Password: <enter your kerberos password here>
Last login: Wed Apr 12 10:54:44 from precipice
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994

The Regents of the University of California.   All rights reserved.

FreeBSD 2.1.0-Development (QUEMADURA) #0: Tue Apr 11 11:54:26 PDT 1995

Welcome to FreeBSD!

>Fix:

This isn't totally trivial, because you want to allow kerberos authentication
to occur if a remote kerberos ticket has been validated.
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: wollman 
State-Changed-When: Thu Apr 13 08:20:52 PDT 1995 
State-Changed-Why:  
Paul's suggested patch appears to do the right thing, applied in login.c 1.8. 
>Unformatted:
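The policy the report asks for, modelled as an added example in C. This is not Paul's patch and not FreeBSD's login.c; every name in it is hypothetical, and the two-rule "permit <prefix>" / "deny" table is a constructed, simplified stand-in for the real /etc/skey.access syntax. It puts the reported behaviour (a Kerberos password typed at the prompt bypasses skey.access) beside the intended one (any reusable password, Unix or Kerberos, is subject to skey.access, while a validated forwarded ticket or an S/Key one-time password is still accepted).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* How the user authenticated at the login prompt (hypothetical model). */
enum auth_method {
    AUTH_KERBEROS_TICKET,    /* ticket forwarded by rlogin -K and verified by the server */
    AUTH_SKEY_OTP,           /* one-time password answering the S/Key challenge */
    AUTH_UNIX_PASSWORD,      /* reusable Unix password typed at the prompt */
    AUTH_KERBEROS_PASSWORD   /* reusable Kerberos password typed at the prompt */
};

struct login_attempt {
    const char *source_addr;      /* address the connection came from */
    enum auth_method method;
    bool credential_ok;           /* the credential itself verified correctly */
    bool remote_ticket_validated; /* a forwarded Kerberos ticket was presented and checked */
};

/* Constructed, simplified stand-in for /etc/skey.access: first matching
 * "permit <addr-prefix>" wins, "deny" ends the search. Loopback users may
 * type reusable passwords; everyone else must use an OTP or a ticket. */
static const char *const SKEY_ACCESS_RULES[] = {
    "permit 127.",
    "deny",
};

/* Returns true if a reusable (plaintext) password may be accepted from source_addr. */
bool skey_permits_plaintext(const char *source_addr)
{
    size_t n = sizeof SKEY_ACCESS_RULES / sizeof SKEY_ACCESS_RULES[0];
    for (size_t i = 0; i < n; i++) {
        const char *rule = SKEY_ACCESS_RULES[i];
        if (strncmp(rule, "permit ", 7) == 0) {
            const char *prefix = rule + 7;
            if (strncmp(source_addr, prefix, strlen(prefix)) == 0)
                return true;
        } else if (strcmp(rule, "deny") == 0) {
            return false;
        }
    }
    return false; /* no matching rule: fail closed */
}

/* Behaviour the PR reports: the Kerberos password path never consults skey.access. */
bool login_allowed_reported(const struct login_attempt *a)
{
    if (!a->credential_ok)
        return false;
    switch (a->method) {
    case AUTH_KERBEROS_TICKET:
    case AUTH_SKEY_OTP:
    case AUTH_KERBEROS_PASSWORD:   /* accepted regardless of skey.access: the bug */
        return true;
    case AUTH_UNIX_PASSWORD:
        return skey_permits_plaintext(a->source_addr);
    }
    return false;
}

/* Policy the PR asks for: every reusable password typed at the prompt is
 * subject to skey.access; a validated forwarded ticket or an OTP still works. */
bool login_allowed_fixed(const struct login_attempt *a)
{
    if (!a->credential_ok)
        return false;
    switch (a->method) {
    case AUTH_KERBEROS_TICKET:
        return a->remote_ticket_validated;
    case AUTH_SKEY_OTP:
        return true;
    case AUTH_UNIX_PASSWORD:
    case AUTH_KERBEROS_PASSWORD:
        return skey_permits_plaintext(a->source_addr);
    }
    return false;
}

int main(void)
{
    /* Constructed scenario: correct Kerberos password typed over the network. */
    struct login_attempt a = { "171.69.108.33", AUTH_KERBEROS_PASSWORD, true, false };
    printf("kerberos password over the net: reported=%d fixed=%d\n",
           login_allowed_reported(&a), login_allowed_fixed(&a));

    /* Same source, but a forwarded ticket that the server validated. */
    a.method = AUTH_KERBEROS_TICKET;
    a.remote_ticket_validated = true;
    printf("validated ticket over the net:  reported=%d fixed=%d\n",
           login_allowed_reported(&a), login_allowed_fixed(&a));
    return 0;
}
```

The one check that matters is in login_allowed_fixed: the Kerberos-password case falls through to the same skey_permits_plaintext test as the Unix-password case, so the access file decides for both, while the ticket case depends only on whether a forwarded ticket was actually validated.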