From owner-freebsd-security@FreeBSD.ORG Thu Jul 19 20:06:37 2012
From: Zak Blacher
To: freebsd-security@freebsd.org
Date: Thu, 19 Jul 2012 20:06:36 +0000
Subject: On OPIE and pam
Message-ID: <75834252EF47DF4B9EF04F0A3C6406FA241C089C@wtl-exch-2.sandvine.com>
List-Id: "Security issues [members-only posting]"

Hello Everyone,

One of my tasks at work was to remove OPIE and its related libraries from our kernel. OPIE (One-time Passwords In Everything) was related to a potential remote arbitrary code execution bug (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1938) back in 2010.

We've been looking into this library and have decided that it isn't necessary for our operations, and poses an unnecessary risk and potential attack vector.

I've written a kernel patch that includes a compilation flag for opie support which determines whether or not to build the opie executables, and have added guards to a few source files so that they will still build without having the opie libraries.

My question is this: With PAM becoming the standard method for user-based authentication, is it still necessary to have OPIE as a separate set of libraries, executables, and built into the telnet and ftp servers?

Zak Blacher
Software Developer Intern
Sandvine Corporation
www.sandvine.com
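One thing the post's question glosses over is that OPIE is not only a set of libraries and executables: on FreeBSD it is also wired into PAM itself, through pam_opie.so and pam_opieaccess.so rules in the /etc/pam.d/<service> files (sshd and ftpd among them). Dropping the OPIE libraries from a build without editing those files leaves rules naming modules that no longer exist. The following audit script is an added example, not code from the post, from Sandvine, or from the FreeBSD tree: it parses PAM configuration in the /etc/pam.d style, lists every service whose policy loads an OPIE module, and produces the same file with those rules stripped so the result can be diffed before installation. The sample configuration embedded in it is constructed for the example (modelled on the form of FreeBSD's shipped sshd and ftpd files), not read from a live system, and the function names are the example's own.

```python
"""Audit PAM service files for rules that load the OPIE modules.

Added example (not code from the mailing-list post or from FreeBSD).
Parses /etc/pam.d/<service>-style policy, reports each rule that names
pam_opie.so or pam_opieaccess.so, and can emit the policy with those
rules removed. The SAMPLE_PAMD dictionary below is constructed for
the example and stands in for reading the real /etc/pam.d directory.
"""
import os
import re
from collections import namedtuple

PamRule = namedtuple("PamRule", "service facility control module args")

# The two PAM modules that the OPIE library provides on FreeBSD.
OPIE_MODULES = {"pam_opie.so", "pam_opieaccess.so"}

# facility, control (bare keyword or bracketed [k=v ...] form), module, args
RULE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_file(service, text):
    """Parse one /etc/pam.d/<service>-style file into PamRule entries.

    '#' comments, blank lines and backslash continuations are handled;
    the module is reduced to its basename so absolute paths still match.
    Malformed lines are skipped rather than aborting the audit.
    """
    rules = []
    logical = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical = (logical + line).strip()
        m = RULE_RE.match(logical)
        logical = ""
        if m is None:
            continue
        facility, control, module, args = m.groups()
        rules.append(PamRule(service, facility.lower(), control,
                             os.path.basename(module), args.strip()))
    return rules


def opie_references(configs):
    """Return {service: [PamRule, ...]} for every service that loads OPIE."""
    found = {}
    for service, text in configs.items():
        hits = [r for r in parse_pam_file(service, text)
                if r.module in OPIE_MODULES]
        if hits:
            found[service] = hits
    return found


def strip_opie(text):
    """Return the policy text with OPIE rules removed, everything else kept.

    Whole rules are dropped; comments and other rules stay byte-for-byte
    so the output can be diffed against the original. Single-line rules
    only: a continued OPIE rule is left for manual review.
    """
    kept = []
    for raw in text.splitlines():
        code = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(code) if code else None
        if m and os.path.basename(m.group(3)) in OPIE_MODULES:
            continue
        kept.append(raw)
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


def report(configs):
    """One audit line per OPIE rule. Every hit must be edited: a rule that
    names a module which is no longer installed can never succeed, whatever
    its control flag says."""
    lines = []
    for service, hits in sorted(opie_references(configs).items()):
        for r in hits:
            lines.append(f"{service}: {r.facility} {r.control} {r.module} {r.args}".rstrip())
    return lines


# Constructed sample (not a real system): sshd and ftpd entries follow the
# form of FreeBSD's default /etc/pam.d files; cron is a service without OPIE.
SAMPLE_PAMD = {
    "sshd": (
        "# auth\n"
        "auth\t\tsufficient\tpam_opie.so\t\tno_warn no_fake_prompts\n"
        "auth\t\trequisite\tpam_opieaccess.so\tno_warn allow_local\n"
        "auth\t\trequired\tpam_unix.so\t\tno_warn try_first_pass\n"
        "# account\n"
        "account\t\trequired\tpam_nologin.so\n"
        "account\t\trequired\tpam_unix.so\n"
    ),
    "ftpd": (
        "auth\t\tsufficient\tpam_opie.so\t\tno_warn no_fake_prompts\n"
        "auth\t\trequisite\tpam_opieaccess.so\tno_warn allow_local\n"
        "auth\t\trequired\tpam_unix.so\t\tno_warn try_first_pass\n"
    ),
    "cron": (
        "auth\t\trequired\tpam_unix.so\n"
        "account\t\trequired\tpam_unix.so\n"
    ),
}


if __name__ == "__main__":
    for line in report(SAMPLE_PAMD):
        print(line)
    print("--- sshd after stripping OPIE ---")
    print(strip_opie(SAMPLE_PAMD["sshd"]), end="")
```

On a real host, replace SAMPLE_PAMD with a dictionary built by reading each file under /etc/pam.d, and also check /etc/pam.conf if the system uses the single-file layout. The audit is deliberately independent of control flags: whether a rule is `sufficient`, `requisite` or `required`, it has to go once the module it names is no longer built.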