Date: Thu, 19 Jul 2012 20:06:36 +0000 From: Zak Blacher <zblacher@sandvine.com> To: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org> Subject: On OPIE and pam Message-ID: <75834252EF47DF4B9EF04F0A3C6406FA241C089C@wtl-exch-2.sandvine.com>
index | next in thread | raw e-mail
Hello Everyone, One of my tasks at work was to remove OPIE and its related libraries from our kernel. OPIE (One-time Passwords In Everything) was related to a potential remote arbitrary code execution bug (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1938 ) back in 2010. We've been looking into this library and have decided that it isn't necessary for our operations, and poses an unnecessary risk and potential attack vector. I've written a kernel patch that includes a compilation flag for opie support which determines whether or not to build the opie executables, and have added guards to a few source files so that they will still build without having the opie libraries. My question is this: With PAM becoming the standard method for user-based authentication, is it still necessary to have OPIE as a separate set of libraries, executables, and built into the telnet and ftp servers? Zak Blacher Software Developer Intern Sandvine Corporation www.sandvine.com<http://www.sandvine.com>;help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?75834252EF47DF4B9EF04F0A3C6406FA241C089C>