doesn't the "standard" skey have a file that lets you configure
which users can and can't login with or without skey ?

i would not like your patch to be installed as it is.  i know
when i should use s/key or not, when logging on to my machine
over what ever network.  if it's from international, then, yes,
i use it.  if it's from a machine on the same subnet, and i
`trust' that subnet, then i don't want to use it (hell, i'd
want to use .rhosts in this case).

i also don't like the idea of using the `secure' keyword in
/etc/ttys for this extra purpose..

netbsd comes with a hell of a lot of built-in out-of-the-box
security, and this is great, but this security is configurable.
so should the s/key stuff.

.mrg.