Bug 18535

Summary: No way to remove S/Key entries from /etc/skeykeys
Product: Base System
Reporter: Leo Bicknell <bicknell>
Component: bin
Assignee: Ceri Davies <ceri>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: 4.0-STABLE   
Hardware: Any   
OS: Any   

Description Leo Bicknell 2000-05-13 20:50:00 UTC
	When S/Key authentication is enabled, a user can run keyinit to
generate keys in /etc/skeykeys.  That user can then use unsecured channels
to access the host with one time passwords.  When the user no longer wants
S/Key access, though, there is no easy way to remove the S/Key passwords.

	Consider a user who only uses S/Key when on a trip at unsecured
terminals, and the rest of the time uses ssh or kerberized telnet.  Upon
return the user would like to clear all S/Key entries, so there is no
possibility of someone being able to log in with S/Key, even if they have
the user's secret password.

	This could also be useful if the user's secret password was compromised.

	The only known way to clear the entries is to continue to log on
until all the keys are used up.

Fix: 

I suggest a command such as "keyclear" that removes the user's
S/Key entry from /etc/skeykeys.
How-To-Repeat: 
	Configure S/Key. :-)
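
A sketch of the "keyclear" behaviour requested above, added here as an example; it is not part of the original report and not a FreeBSD base-system command. The function names are hypothetical, and the file layout (one entry per line, login name as the first whitespace-separated field, '#' starting a comment) is an assumption.

```sh
#!/bin/sh
# keyclear (hypothetical): revoke one user's S/Key entry from a key file.
# Assumed layout: one entry per line, login name in field 1, '#' = comment.
# No locking is done, so a login that updates the file concurrently can race.

keyclear() {
    user=$1
    keyfile=${2:-/etc/skeykeys}

    [ -n "$user" ] || { echo "usage: keyclear user [keyfile]" >&2; return 2; }
    [ -f "$keyfile" ] || { echo "keyclear: $keyfile not found" >&2; return 2; }

    # Build the replacement next to the original so the final mv is an
    # atomic rename; mktemp creates it readable by the owner only.
    tmp=$(mktemp "${keyfile}.XXXXXX") || return 2

    # Exact match on field 1 only: clearing "leo" must not touch "leonard".
    # awk exits 0 if at least one entry was dropped, 1 if none matched.
    if awk -v u="$user" '
        /^#/    { print; next }
        $1 == u { removed = 1; next }
                { print }
        END     { exit removed ? 0 : 1 }
    ' "$keyfile" > "$tmp"; then
        mv "$tmp" "$keyfile"
    else
        rm -f "$tmp"
        echo "keyclear: no S/Key entry for $user" >&2
        return 1
    fi
}

# Demonstration on constructed entries (not real S/Key data).
keyclear_demo() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' '# constructed sample' \
        'leo 0098 ab12345 0123456789abcdef' \
        'leonard 0050 cd67890 fedcba9876543210' > "$dir/skeykeys"
    keyclear leo "$dir/skeykeys" && cat "$dir/skeykeys"
    rm -rf "$dir"
}
```

Running keyclear_demo prints the file after the entry for "leo" is removed; the comment line and the entry for "leonard" remain.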
Comment 1 Jens Schweikhardt freebsd_committer freebsd_triage 2002-08-13 22:06:54 UTC
State Changed
From-To: open->feedback

Is a recent skey installation still not able to do this?
Comment 2 Ceri Davies freebsd_committer freebsd_triage 2003-06-08 19:00:52 UTC
State Changed
From-To: feedback->closed

Feedback timeout (6 months or more). 
I will handle any feedback that this closure generates. 


Comment 3 Ceri Davies freebsd_committer freebsd_triage 2003-06-08 19:00:52 UTC
Responsible Changed
From-To: freebsd-bugs->ceri

Feedback timeout (6 months or more). 
I will handle any feedback that this closure generates.