FreeBSD Handbook : Security : S/Key : Restricting use of UNIX passwords
Previous: Generating multiple one-time passwords
Next: Kerberos

6.2.6. Restricting use of UNIX passwords

The configuration file /etc/skey.access can be used to configure restrictions on the use of UNIX passwords based on the host name, user name, terminal port, or IP address of a login session. The complete format of the file is documented in the skey.access(5) manual page; there are also some security cautions there which should be read before depending on this file for security.

If there is no /etc/skey.access file (which is the default state as FreeBSD is shipped), then all users will be allowed to use UNIX passwords. If the file exists, however, then all users will be required to use S/Key unless explicitly permitted to do otherwise by configuration statements in the skey.access file. In all cases, UNIX passwords are permitted on the console.

Here is a sample configuration file which illustrates the three most common sorts of configuration statements:

permit internet 18.26.0.0 255.255.0.0
permit user jrl
permit port ttyd0

The first line (`permit internet') allows users whose IP source address (which is vulnerable to spoofing) matches the specified value and mask to use UNIX passwords. This should not be considered a security mechanism, but rather, a means to remind authorized users that they are using an insecure network and need to use S/Key for authentication.

The second line (`permit user') allows the specified user to use UNIX passwords at any time. Generally speaking, this should only be used for people who are either unable to use the `key' program, like those with dumb terminals, or those who are uneducable.

The third line (`permit port') allows all users logging in on the specified terminal line to use UNIX passwords; this would be used for dial-ups.
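
The rules described in this section can be checked against sample login sessions with the following added example, which is not part of the Handbook or of FreeBSD's own code. It covers only the three statement forms shown above; the names parse_rules and decide, the terminal name "console", and the exact address/mask comparison are assumptions made for illustration.

```python
import ipaddress

# Constructed input: the three statements from the sample file on this page.
SAMPLE = """permit internet 18.26.0.0 255.255.0.0
permit user jrl
permit port ttyd0
"""

def _ip(text):
    """Dotted-quad IPv4 string to integer."""
    return int(ipaddress.IPv4Address(text))

def parse_rules(text):
    """Parse only the three statement forms shown on this page."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if fields[:2] == ["permit", "internet"] and len(fields) == 4:
            rules.append(("internet", (_ip(fields[2]), _ip(fields[3]))))
        elif fields[0] == "permit" and len(fields) == 3 and fields[1] in ("user", "port"):
            rules.append((fields[1], fields[2]))
        else:
            raise ValueError(f"line {lineno}: form not covered by this example")
    return rules

def decide(rules, user, port, addr=None):
    """Return (unix_password_allowed, reason). rules=None means the file is absent."""
    if rules is None:
        return True, "no skey.access file"
    if port == "console":  # assumed terminal name for the console
        return True, "console"
    for kind, value in rules:
        if kind == "user" and value == user:
            return True, "permit user"
        if kind == "port" and value == port:
            return True, "permit port"
        if kind == "internet" and addr is not None:
            net, mask = value
            # Assumed comparison. The source address can be spoofed, so a
            # match here is a convenience, not proof of where the user is.
            if (_ip(addr) & mask) == net:
                return True, "permit internet"
    # File exists but nothing matched: S/Key is required.
    return False, "S/Key required"
```

Passing an empty rule list models a file that exists but contains no statements, which requires S/Key everywhere except the console.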

