From ed8be72c2997db2df1aac05cab6a9c08d3a1f2cd Mon Sep 17 00:00:00 2001
From: Garrett Wollman <wollman@FreeBSD.org>
Date: Thu, 13 Apr 1995 15:20:35 +0000
Subject: [PATCH] Disallow Kerberos when S/Key is required.  Fixes PR #339.

Submitted by: Paul Traina <pst@Shockwave.com>
---
 usr.bin/login/login.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/usr.bin/login/login.c b/usr.bin/login/login.c
index c10e0e23f4c..86e8c847fea 100644
--- a/usr.bin/login/login.c
+++ b/usr.bin/login/login.c
@@ -274,6 +274,17 @@ main(argc, argv)
 
 		if (pwd) {
 #ifdef KERBEROS
+#ifdef SKEY
+			/*
+			 * Do not allow user to type in kerberos password
+			 * over the net (actually, this is ok for encrypted
+			 * links, but we have no way of determining if the
+			 * link is encrypted.
+			 */
+			if (!permit_password) {
+				rval = 1;		/* failed */
+			} else
+#endif
 			rval = klogin(pwd, instance, localhost, p);
 			if (rval != 0 && rootlogin && pwd->pw_uid != 0)
 				rootlogin = 0;