From owner-man-jp-reviewer@jp.freebsd.org  Wed Jun 24 17:40:10 1998
Received: (from daemon@localhost)
	by jaz.jp.freebsd.org (8.8.8+3.0Wbeta13/8.7.3) id RAA27689;
	Wed, 24 Jun 1998 17:40:10 +0900 (JST)
	(envelope-from owner-man-jp-reviewer@jp.FreeBSD.org)
Received: from hitiij.hitachi.co.jp (root@hitiij.hitachi.co.jp [133.145.224.3])
	by jaz.jp.freebsd.org (8.8.8+3.0Wbeta13/8.7.3) with ESMTP id RAA27678
	for <man-jp-reviewer@jp.freebsd.org>; Wed, 24 Jun 1998 17:40:08 +0900 (JST)
	(envelope-from horikawa@ebina.hitachi.co.jp)
Received: from newton.ebina.hitachi.co.jp by hitiij.hitachi.co.jp (8.8.8+2.7Wbeta7/3.6W-hitiij) id RAA24553; Wed, 24 Jun 1998 17:36:18 +0900 (JST)
Received: from neunman.ebina.hitachi.co.jp by newton.ebina.hitachi.co.jp (8.7.5/3.4W-EBINA) id RAA01675 for <man-jp-reviewer@jp.freebsd.org>; Wed, 24 Jun 1998 17:40:02 +0900 (JST)
Received: from localhost by neunman.ebina.hitachi.co.jp (8.6.12+2.5Wb7/3.4W-EBINA-local) id RAA04263 for <man-jp-reviewer@jp.freebsd.org>; Wed, 24 Jun 1998 17:42:45 +0900
To: man-jp-reviewer@jp.freebsd.org
In-Reply-To: Your message of "Wed, 24 Jun 1998 04:29:03 +0900"
	<199806231929.EAA23284@poker.wada>
References: <199806231929.EAA23284@poker.wada>
X-Mailer: Mew version 1.92.4 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Message-Id: <19980624174000R.horikawa@ebina.hitachi.co.jp>
Date: Wed, 24 Jun 1998 17:40:00 +0900 (JST)
From: Kazuo Horikawa <horikawa@ebina.hitachi.co.jp>
X-Dispatcher: imput version 971024
Lines: 159
Reply-To: man-jp-reviewer@jp.freebsd.org
Precedence: list
X-Distribute: distribute [version 2.1 (Alpha) patchlevel=24]
X-Sequence: man-jp-reviewer 277
Subject: [man-jp-reviewer 277] Re: skey.access.5
Errors-To: owner-man-jp-reviewer@jp.freebsd.org
Sender: owner-man-jp-reviewer@jp.freebsd.org

 堀川です。

 ざっくりと見ました。

> .SH $B2r@b(B
> S/key$B!&%Q%9%o!<%I!&%3%s%H%m!<%k!&%F!<%V%k(B(\fIetc/skey.access\fR)$B$O!"(B
> UNIX$B%Q%9%o!<%I$,%7%9%F%`$K%"%/%;%9$9$k$?$a$K$$$D;H$o$l$k$+$r(B
> $B%m%0%$%s$J$I$N%W%m%0%i%`$,7hDj$9$k$?$a$K;HMQ$5$l$^$9!#(B
 login $B$O(B login $B%3%^%s%I$r;X$7$F$$$k$H;W$$$^$9$N$G!"86J8$I$*$j(B 
\fIlogin\fR $B$H$7$F$*$$$F$/$@$5$$!#(B

> .SH $B=q<0(B
 $B!V(B.SH $B=q<0!W$G$9$H!V(B.SH SYNOPSIS$B!W$NLu$H>WFM$7$^$9$7!"86J8$O!V(B.SH
"TABLE FORMAT"$B!W$G$9$N$G!"!V(B.SH $B%F!<%V%k$N=q<0!W$J$I$H$7$F$/$@$5$$!#(B

> $B%F!<%V%k$N%U%)!<%^%C%H$O(B1$B9TEv$?$j(B1$B%k!<%k$G$"$k!#(B
 ですます調にしてください。

> .I permit
> $B$H(B
> .I deny
> $B$K$O(B0$B$^$?$O$$$/$D$+$N>r7o$,=q$1$^$9!#(B
$B$N8e$K$O(B 0 $B8D0J>e$N>r7o$r5-=R2DG=$G$9!#(B
# permit and deny may be followed by zero or more conditions.

> $B%3%a%s%H$O(B`#\'$B$G;O$^$j!"$=$N0l9T$9$Y$F$,%3%a%s%H$K$J$j$^$9!#(B
 Comments begin with a `#\' character, and extend through the end of
the line. なので、
 コメントは`#\'で始まり、行末までコメントになります。
でしょう。

> $B6u9T$d%3%a%s%H9T$OL5;k$5$l$^$9!#(B
        コメントのみの行は無視されます。
# Empty lines or lines with only comments are ignored.

> $BNc$($P!":G8e$N%(%s%H%j!<$O(B
> .I deny
> $B$r$A$g$&$I$=$N%i%$%s$K;}$D$h$&$K$9$k$3$H$,$G$-$^$9!#(B
# For example, the last entry could be a line with just the word deny on
# it.
例えば、最後のエントリは語 deny のみとなっているかもしれません。

> .IP "internet 131.155.210.0 255.255.255.0"
> 131.155.210.$B$N%M%C%H%o!<%/$+$i%m%0%$%s$7$?$i??$K$J$j$^$9!#(B
 131.155.210. の最後のドットって要るんでしたっけ？

> internet $B%M%C%H%o!<%/%"%I%l%9(B $B%M%C%H%^%9%/(B
# internet net mask net
# $B$r%M%C%H%o!<%/%"%I%l%9$HLu$9!"(BThe expression is true ... $B$N$H$3$m$G(B
# $B6lO+$7$^$9$N$G!"$=$N$^$^$K$7$?J}$,NI$$$H;W$$$^$9!#(B
> $B%m%0%$%s$7$F$/$k%[%9%H$N%"%I%l%9$,;XDj$7$?%M%C%H%o!<%/%"%I%l%9$H(B
> $B%M%C%H%^%9%/$K9g$&>l9g??$K$J$j$^$9!#(B
mask $B$H$N%S%C%H$4$H$NO@M}@Q$,(B net $B$HEy$7$/$J$k%$%s%?!<%M%C%H%"%I%l%9$r(B
$B%[%9%H$,;}$D>l9g!"<0$O??$K$J$j$^$9!#(B

> .SH $B8_49@-(B
> $B2a5n$N8_49@-$N$?$a$K!"(B
> .I internet
> $B$H$$$&%-!<%o!<%I$O%M%C%H%o!<%/%"%I%l%9$H%^%9%/$N%Q%?!<%s$+$i(B
> $B>J$+$l$k$+$b$7$l$^$;$s!#(B
 $B$3$3$N(B may be $B$O5v2D$N0UL#$@$H;W$$$^$9!#(B
# For the sake of backwards compatibility, the internet keyword may be
# omitted from net/mask patterns.

> .SH $B7Y9p(B
> $B$$$/$D$+$N%k!<%k$N7?$,%[%9%HL>$d%M%C%H%o!<%/$rDL$7$FM?$($i$l$k(B
> $B%"%I%l%9$N>pJs$KMj$C$F$$$k!#(BUNIX$B%Q%9%o!<%I$KBP$7$F%7%9%F%`$,5v$7$F$$$k(B
> $B967b$,9M$($i$l$k%j%9%H$G$9!#(B
$B$$$/$D$+$N%k!<%k7?$O!"%M%C%H%o!<%/$rDL$8$FM?$($i$l$k%[%9%HL>$d%"%I%l%9>pJs$K(B
$B0MB8$7$F$$$^$9!#(B
# Several rule types depend on host name or address information obtained
# through the network.
# $B$N(B host name $B$H(B address (information) $B$,BP1~$9$k$b$N$G!"(B
# $BN><T$,(B obtained through the network $B$@$H8@5Z$7$F$$$k$H;W$$$^$9!#(B

$B$3$N$3$H$+$i9M$($i$l$k!"%7%9%F%`$K(B UNIX $B%Q%9%o!<%I$r5v$5$;$k967b$N0lMw$r(B
$B<($7$^$9!#(B
# What follows is a list of conceivable attacks to
# force the system to permit UNIX passwords.

> .IP "$B%[%9%H%"%I%l%9$N56B$(B Host address spoofing (source routing)"
> $B?/F~<T$O<+J,$N%$%s%?!<%U%'!<%9$r?.Mj$G$-$k%M%C%H%o!<%/$K$D$J$.!"(B
> $B$=$N%=!<%9%"%I%l%9$r;H$C$F$$$kHo32<T$K$D$J$2$^$9!#(B
> $B4V0c$C$F$$$k%/%i%$%"%s%H$N%"%I%l%9$,$"$k$H$9$l$P!"(B
> $BHo32<T$,4V0c$C$?7kO@$r%[%9%H%"%I%l%9$K4p$E$/$$$FF3$/$+!"(B
> $B%"%I%l%9$+$i0z$+$l$kL>A0$K4p$E$$$FF3$-$^$9!#(B
侵入者は自分のインタフェースを信頼されているネットワークに接続し、
そのソースアドレスを使用して、被害者に接続します。
誤ったクライアントアドレスを与えられると、
ホストアドレスに基づくルールもしくは
アドレスから導かれるホスト名に基づくルールを元にして、
被害者は間違った結論を導きます。
# Given $B$N<g8l$O(B victim (UNIX password $B$r5v$7$F$7$^$&%[%9%H(B)$B$@$H;W$$$^$9!#(B
# An intruder configures a local interface to an address in a trusted
# network and connects to the victim using that source address.  Given
# the wrong client address, the victim draws the wrong conclusion from
# rules based on host addresses or from rules based on host names derived
# from addresses.

> $BBP=hK!(B: (1) $B%M%C%H%o!<%/$+$i$N(BUNIX$B%Q%9%o!<%I$rMQ$$$?%m%0%$%s$r5v$5$J$$(B
>  (2) $B%=!<%9%k!<%F%#%s%0$rCF$/%M%C%H%o!<%/%=%U%H%&%'%"$r;H$$$^$9!#(B
       ソースルーティング情報を捨てるネットワークソフトウェアを使います。
# use network software that discards source routing information

> $B$[$H$s$I$N%M%C%H%o!<%/%5!<%P$O%/%i%$%"%s%H$N%M%C%H%o!<%/%"%I%l%9$+$i(B
> $B%/%i%$%"%s%H$NL>A0$r2r7h$7$^$9!#(B
> $B<!$NL@$i$+$J967b$O$=$l$f$($G$9!#(B
それゆえ、次の明らかな攻撃は以下のようになります。

> .IP "$B%[%9%H%M!<%`56B$(B Host name spoofing (bad PTR record)"
> $B?/F~<T$O%/%i%$%"%s%H$N%M%C%H%o!<%/%"%I%l%9$r?.Mj$5$l$?%[%9%H$H$7$F(B
> $B2r7h$5$;$k$?$a$K%M!<%`%5!<%P%7%9%F%`$rA`:n$7$^$9!#(B
> $B8m$C$?%[%9%HL>$K4p$E$$$F(B
> $BHo32<T$,4V0c$C$?7kO@$r%[%9%HL>$K4p$E$/$$$FF3$/$+!"(B
> $B%[%9%HL>$+$i0z$+$l$kL>A0$K4p$E$$$FF3$-$^$9!#(B
$B8m$C$?%[%9%HL>$rM?$($i$l$k$H!"(B
$B%[%9%HL>$K4p$E$/%k!<%k$b$7$/$O(B
$B%[%9%HL>$+$iF3$+$l$k%"%I%l%9$K4p$E$/%k!<%k$r85$K$7$F!"(B
$BHo32<T$O4V0c$C$?7kO@$rF3$-$^$9!#(B

> .sp
> $BBP=hK!(B: (1) $B%M%C%H%o!<%/$+$i$N(BUNIX$B%Q%9%o!<%I$rMQ$$$?%m%0%$%s$r5v$5$J$$(B
>  (2) $B%=!<%9%k!<%F%#%s%0$rCF$/%M%C%H%o!<%/%=%U%H%&%'%"$r;H$$$^$9!#(B
ホスト名からクライアントのネットワークアドレスを解決できることを確認する
ネットワークソフトウェアを使用します。
# use network software that verifies that the hostname resolves to the
# client network address

> UNIX$B$N%m%0%$%s%W%m%0%i%`$N$h$&$J$$$/$D$+$N%"%W%j%1!<%7%g%s$O!"(B
> $B%/%i%$%"%s%H$N%[%9%HL>$+$i%"%I%l%9$r3d$j=P$7$^$9!#(B
UNIX $B$N(B login $B%W%m%0%i%`$N$h$&$K!"(B
$B%/%i%$%"%s%H$N%[%9%HL>$+$i%/%i%$%"%s%H$N%M%C%H%o!<%/%"%I%l%9$r(B
$B5a$a$kI,MW$,$"$k%"%W%j%1!<%7%g%s$,B8:_$7$^$9!#(B

> $B:#=R$Y$?967b$K2C$($F!"$b$&0l$D$N2DG=@-$,$"$j$^$9!#(B
$B:#=R$Y$?(B 2 $B$D$N967b$K2C$($F!"$b$&0l$D$N2DG=@-$,$"$j$^$9!#(B
# In addition to the previous two attacks, this opens up yet another
# possibility

> .IP "$B%[%9%H%"%I%l%9$N56B$(B Host address spoofing (extra A record)"
> $B?/F~<T$O%/%i%$%"%s%H$N%M%C%H%o!<%/%"%I%l%9$r?.Mj$5$l$?%[%9%H$H$7$F(B
> $B2r7h$5$;$k$?$a$K%M!<%`%5!<%P%7%9%F%`$rA`:n$7$^$9!#(B
# アドレスとホストの関係が逆だと思います。
侵入者はクライアントのホスト名 (もまた) 信頼されたアドレスとして
解決させるためにネームサーバシステムを操作します。
# An intruder manipulates the name server system so that the client host
# name (also) resolves to a trusted address.

> .SH DIAGNOSTICS
      $B?GCG(B
> $B9=J8%(%i!<$O(Bsyslogd$B$K=P$5$l$^$9!#(B
                       報告されます。

> .SH FILES
      関連ファイル
> /etc/skey.access, password control table
                    パスワードコントロールテーブル
--
堀川和雄
