From owner-freebsd-security@FreeBSD.ORG Thu Jul 19 20:06:37 2012
From: Zak Blacher <zblacher@sandvine.com>
To: freebsd-security@freebsd.org
Date: Thu, 19 Jul 2012 20:06:36 +0000
Subject: On OPIE and pam

Hello Everyone,

One of my tasks at work was to remove OPIE and its related libraries from
our kernel. OPIE (One-time Passwords In Everything) was related to a
potential remote arbitrary code execution bug
(http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1938) back in
2010.

We've been looking into this library and have decided that it isn't
necessary for our operations, and poses an unnecessary risk and potential
attack vector.

I've written a kernel patch that includes a compilation flag for opie
support which determines whether or not to build the opie executables, and
have added guards to a few source files so that they will still build
without having the opie libraries.

My question is this: With PAM becoming the standard method for user-based
authentication, is it still necessary to have OPIE as a separate set of
libraries, executables, and built into the telnet and ftp servers?

Zak Blacher
Software Developer Intern
Sandvine Corporation
www.sandvine.com

From owner-freebsd-security@FreeBSD.ORG Thu Jul 19 20:55:00 2012
From: Xin Li <delphij@delphij.net>
To: Zak Blacher <zblacher@sandvine.com>
Cc: freebsd-security@freebsd.org
Date: Thu, 19 Jul 2012 13:54:58 -0700
Subject: Re: On OPIE and pam

Hi, Zak,

On 07/19/12 13:06, Zak Blacher wrote:
> Hello Everyone,
>
> One of my tasks at work was to remove OPIE and its related
> libraries from our kernel. OPIE (One-time Passwords In Everything)
> was related to a potential remote arbitrary code execution bug
> (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1938 )
> back in 2010.
>
> We've been looking into this library and have decided that it
> isn't necessary for our operations, and poses an unnecessary risk
> and potential attack vector. I've written a kernel patch that
> includes a compilation flag for opie support which determines
> whether or not to build the opie executables, and have added guards
> to a few source files so that they will still build without having
> the opie libraries.
>
> My question is this: With PAM becoming the standard method for
> user-based authentication, is it still necessary to have OPIE as a
> separate set of libraries, executables, and built into the telnet
> and ftp servers?

I think pam_opie[access] still depend on the OPIE library. The executables
are used for administrative usage, and thus should be kept if OPIE
functionality is desirable (or be made as ports). However, the built-in
components in telnet and ftp servers, in my opinion, could be removed in
favor of the PAM implementation.

Cheers,
-- 
Xin LI <delphij@delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!   Live free or die

From owner-freebsd-security@FreeBSD.ORG Fri Jul 20 10:19:08 2012
From: Dag-Erling Smørgrav <des@des.no>
To: Zak Blacher <zblacher@sandvine.com>
Cc: freebsd-security@freebsd.org
Date: Fri, 20 Jul 2012 12:19:06 +0200
Subject: Re: On OPIE and pam

Zak Blacher <zblacher@sandvine.com> writes:
> One of my tasks at work was to remove OPIE and its related libraries
> from our kernel.

We don't have OPIE in the kernel.

> OPIE (One-time Passwords In Everything) was related to a potential
> remote arbitrary code execution bug
> (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1938 ) back
> in 2010.

Remote denial of service, *not* remote code execution.

> My question is this: With PAM becoming the standard method for
> user-based authentication, is it still necessary to have OPIE as a
> separate set of libraries, executables, and built into the telnet and
> ftp servers?

OPIE is not compiled into telnetd, and you shouldn't use telnet anyway.
OPIE *is* compiled into ftpd, but ftpd also knows how to use PAM.
However, you shouldn't use ftp for anything that requires authentication
anyway.

> I've written a kernel patch that includes a compilation flag for opie
> support [...]

Once again, we don't have OPIE in the kernel.
DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Fri Jul 20 13:56:34 2012
From: Zak Blacher <zblacher@sandvine.com>
To: Dag-Erling Smørgrav <des@des.no>
Cc: freebsd-security@freebsd.org
Date: Fri, 20 Jul 2012 13:56:32 +0000
Subject: RE: On OPIE and pam

> -----Original Message-----
> From: Dag-Erling Smørgrav [mailto:des@des.no]
> Sent: Friday, July 20, 2012 6:19 AM
> To: Zak Blacher
> Cc: freebsd-security@freebsd.org
> Subject: Re: On OPIE and pam
>
> Zak Blacher <zblacher@sandvine.com> writes:
> > One of my tasks at work was to remove OPIE and its related libraries
> > from our kernel.
>
> We don't have OPIE in the kernel.

My mistake, I should have said 'with the kernel'. I'm still fairly new to
BSD. I was referring to the packages that ship with the kernel codebase and
are built as part of a standard installation. I come from a Linux
background where utilities such as ftpd and telnetd are separate packages.
I submitted a patch to the ports/sudo Makefile to make compilation with
OPIE a tunable option a few months ago, and was trying to differentiate
this from that process.

>
> > OPIE (One-time Passwords In Everything) was related to a potential
> > remote arbitrary code execution bug
> > (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1938 ) back
> > in 2010.
>
> Remote denial of service, *not* remote code execution.
>

From the link:
"... allows remote attackers to cause a denial of service (daemon crash) or
possibly execute arbitrary code via a long username, as demonstrated by a
long USER command to the FreeBSD 8.0 ftpd."

The vulnerability seems to suggest the possibility that not only can
arbitrary code be executed, but it can be done at a stage prior to user
verification. This says to me that local access privileges aren't even
necessary for this to be a problem.

> > My question is this: With PAM becoming the standard method for
> > user-based authentication, is it still necessary to have OPIE as a
> > separate set of libraries, executables, and built into the telnet and
> > ftp servers?
>
> OPIE is not compiled into telnetd, and you shouldn't use telnet anyway.
>

usr.bin/telnet/Makefile:13:CFLAGS+=	-DKLUDGELINEMODE -DUSE_TERMIO -DENVHACK -DOPIE \

I haven't looked at the sources for telnet, but it's still passed as a
compile flag. I'm not sure what the consequences of removing it are, but it
still seems to build without errors.

But I agree with you about telnet. It shouldn't be used. We give the same
advice to our customers, but some of them insist on using it despite our
protestations. I'd rather patch this out just to be safe.

> OPIE *is* compiled into ftpd, but ftpd also knows how to use PAM.
> However, you shouldn't use ftp for anything that requires
> authentication anyway.
>

Same with ftp.

> > I've written a kernel patch that includes a compilation flag for opie
> > support [...]
>
> Once again, we don't have OPIE in the kernel.
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no
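Xin Li's point that pam_opie and pam_opieaccess depend on the OPIE library, and DES's point that ftpd can authenticate through PAM, both land in the ftpd PAM policy; the fragment below is an added illustration for this thread, not something any of the posters wrote. It shows a stock FreeBSD-style "auth" stack for ftpd with the OPIE modules, then the same stack with OPIE removed; the file path, module names and module options are assumed from FreeBSD's shipped defaults rather than quoted from the messages.

```conf
# /etc/pam.d/ftpd, "auth" stack as shipped with OPIE (assumed stock layout)
#
# pam_opie is "sufficient": a correct one-time password satisfies the stack
# on its own.  no_fake_prompts stops it from showing a bogus challenge to
# users who have no OPIE key, which would otherwise leak who is enrolled.
# pam_opieaccess is "requisite": for an enrolled user connecting from a
# host that opieaccess(5) does not trust, it refuses the fall-through to the
# reusable Unix password below, so the OTP cannot be bypassed remotely.
# allow_local exempts logins from the local host.
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
auth		required	pam_unix.so		no_warn try_first_pass

# The same stack after libopie is removed from the system.  Both OPIE lines
# go together: pam_opieaccess only makes sense after pam_opie, and on
# OpenPAM a policy that names a module it cannot load fails to load at all,
# which would lock every ftpd user out instead of falling back to pam_unix.
auth		required	pam_unix.so		no_warn try_first_pass
```

Before dropping the library, search every policy under /etc/pam.d for pam_opie and pam_opieaccess (login, sshd and su ship with the same pair on FreeBSD) and fix them in the same way; a leftover reference fails closed for that service.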