Date:      Thu, 19 Jul 2012 20:06:36 +0000
From:      Zak Blacher <zblacher@sandvine.com>
To:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   On OPIE and pam
Message-ID:  <75834252EF47DF4B9EF04F0A3C6406FA241C089C@wtl-exch-2.sandvine.com>

Hello Everyone,

One of my tasks at work was to remove OPIE and its related libraries from
our kernel. OPIE (One-time Passwords In Everything) was related to a
potential remote arbitrary code execution bug
(http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1938 ) back in 2010.

We've been looking into this library and have decided that it isn't
necessary for our operations, and poses an unnecessary risk and potential
attack vector. I've written a kernel patch that includes a compilation flag
for opie support which determines whether or not to build the opie
executables, and have added guards to a few source files so that they will
still build without having the opie libraries.

My question is this: With PAM becoming the standard method for user-based
authentication, is it still necessary to have OPIE as a separate set of
libraries, executables, and built into the telnet and ftp servers?

Zak Blacher
Software Developer Intern
Sandvine Corporation
www.sandvine.com <http://www.sandvine.com>



