Contributed by jose on from the how-did-we-not-see-this-sooner? dept.
I recently committed changes to the OpenBSD S/Key code that move us from a single flat file (/etc/skeykeys) to a directory (/etc/skey) where each user has a separate file. Access to /etc/skey is controlled by the "auth" group, similar to how the BSD authentication modules are set up. The actual user records are owned by the user they belong to. This means that the various S/Key utility programs no longer need to be setuid root; they just need to be setgid auth. For example:

    # ls -ld /etc/skey
    drwx-wx--T 2 root auth 512 May 16 11:20 /etc/skey/
    # ls -l /etc/skey
    -rw------- 1 millert wheel 42 May 16 20:43 millert

To convert from the old-style /etc/skeykeys to the /etc/skey directory structure, simply run "skeyinit -C" and move the old /etc/skeykeys out of the way. E.g.

    # skeyinit -C
    /etc/skey has been populated. NOTE: /etc/skeykeys has *not* been removed.
    It should be removed once you have verified that the new keys work.
    # mv /etc/skeykeys /etc/skeykeys.OLD

If you haven't ever checked out S/Key, you should. It provides a very secure way for remote authentication with minimal effort on your part.
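A check for the layout shown in the listing above, useful after running "skeyinit -C" and before removing the old file. This is an added example, not part of the original post or of OpenBSD; the function names are hypothetical, and the expected mode strings, owner and group are taken from the post's listing.

```shell
#!/bin/sh
# Added example (not OpenBSD code): audit an S/Key directory against the
# layout in the post's listing. Function names are hypothetical.

# Print "mode owner group" for a path, parsed from portable `ls -ld` output.
# Only the first 10 mode characters are kept (drops any ACL/label suffix).
perm_of() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10), $3, $4 }'
}

# audit_skey_dir DIR [OWNER] [GROUP]   (defaults: root, auth, as in the post)
# Prints one line per finding; returns 0 if the layout matches, 1 otherwise.
audit_skey_dir() {
    dir=$1; want_owner=${2:-root}; want_group=${3:-auth}; rc=0

    # Directory: sticky, group may create and traverse but not list.
    set -- $(perm_of "$dir")
    [ "$1" = "drwx-wx--T" ] || { echo "BAD dir mode '$1': $dir"; rc=1; }
    [ "$2" = "$want_owner" ] || { echo "BAD dir owner '$2': $dir"; rc=1; }
    [ "$3" = "$want_group" ] || { echo "BAD dir group '$3': $dir"; rc=1; }

    # Records: regular file, -rw-------, owned by the user it is named after.
    for f in "$dir"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # skip an unmatched glob
        name=${f##*/}
        set -- $(perm_of "$f")
        [ "$1" = "-rw-------" ] || { echo "BAD mode '$1': $name"; rc=1; }
        [ "$2" = "$name" ] || { echo "BAD owner '$2': $name"; rc=1; }
    done
    return "$rc"
}

# Usage, as root (the directory is not listable by anyone else):
#   audit_skey_dir /etc/skey
```
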