Date:      Sun, 22 Jul 2012 13:11:51 +0200
From:      Dag-Erling Smørgrav <des@des.no>
To:        Zak Blacher <zblacher@sandvine.com>
Cc:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   Re: On OPIE and pam
Message-ID:  <86y5mcqcco.fsf@ds4.des.no>
In-Reply-To: <75834252EF47DF4B9EF04F0A3C6406FA241C08F8@wtl-exch-2.sandvine.com> (Zak Blacher's message of "Fri, 20 Jul 2012 13:56:32 +0000")
References:  <75834252EF47DF4B9EF04F0A3C6406FA241C089C@wtl-exch-2.sandvine.com> <86fw8md9b9.fsf@ds4.des.no> <75834252EF47DF4B9EF04F0A3C6406FA241C08F8@wtl-exch-2.sandvine.com>

Zak Blacher <zblacher@sandvine.com> writes:
> Dag-Erling Smørgrav <des@des.no> writes:
> > OPIE is not compiled into telnetd, and you shouldn't use telnet anyway.
> usr.bin/telnet/Makefile:13:CFLAGS+=	-DKLUDGELINEMODE -DUSE_TERMIO -DENVHACK -DOPIE \

That's in the client (telnet), not the server (telnetd).  The
vulnerability is in the verification code, which would only be used on
the server:

% ldd /usr/libexec/telnetd
/usr/libexec/telnetd:
	libutil.so.9 => /lib/libutil.so.9 (0x80085e000)
	libncurses.so.8 => /lib/libncurses.so.8 (0x800a6f000)
	libmp.so.7 => /usr/lib/libmp.so.7 (0x800cbc000)
	libcrypto.so.6 => /lib/libcrypto.so.6 (0x800ebf000)
	libcrypt.so.5 => /lib/libcrypt.so.5 (0x80125f000)
	libpam.so.5 => /usr/lib/libpam.so.5 (0x80147f000)
	libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x801687000)
	libhx509.so.10 => /usr/lib/libhx509.so.10 (0x8018f6000)
	libasn1.so.10 => /usr/lib/libasn1.so.10 (0x801b36000)
	libroken.so.10 => /usr/lib/libroken.so.10 (0x801db8000)
	libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x801fc9000)
	libc.so.7 => /lib/libc.so.7 (0x8021cb000)

See, no libopie, hence no vulnerability.

What -DOPIE does for telnet is add support for running opiekey from the
escape prompt.

As for ftpd, it has OPIE enabled by default in PAM, and it tries PAM
before OPIE, so there is no need for built-in OPIE support.

DES
-- 
Dag-Erling Smørgrav - des@des.no
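
Added example, not part of the original message and not FreeBSD project code: a small audit helper that applies the two checks discussed above, direct linkage against libopie (from `ldd` output) and an active pam_opie rule in a PAM service file. The function names, the `exampled` listing (including its library version and addresses) and both PAM snippets are constructed for illustration; only the telnetd lines are taken from the message.

```shell
#!/bin/sh
# Added example: classify how a daemon can reach OPIE code.

# links_lib NAME: reads `ldd` output on stdin; succeeds if NAME.so[.N] is listed.
links_lib() {
    awk -v lib="$1" '
        $2 == "=>" && $1 ~ ("^" lib "\\.so(\\.[0-9]+)*$") { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# pam_uses_module NAME: reads a pam.d service file on stdin; succeeds if an
# active rule names NAME. Comment lines are skipped; "include" is not followed.
pam_uses_module() {
    awk -v mod="$1" '
        /^[ \t]*#/ { next }
        { for (i = 3; i <= NF; i++) if ($i ~ ("(^|/)" mod "(\\.so)?$")) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# opie_exposure LDD_TEXT PAM_TEXT: prints linked, pam, linked+pam or none.
opie_exposure() {
    r=""
    if printf '%s\n' "$1" | links_lib libopie; then r="linked"; fi
    if printf '%s\n' "$2" | pam_uses_module pam_opie; then r="${r:+$r+}pam"; fi
    echo "${r:-none}"
}

# Trimmed from the ldd output quoted in the message.
TELNETD_LDD='/usr/libexec/telnetd:
	libpam.so.5 => /usr/lib/libpam.so.5 (0x80147f000)
	libc.so.7 => /lib/libc.so.7 (0x8021cb000)'
# Constructed: hypothetical daemon that links libopie directly.
LINKED_LDD='/usr/libexec/exampled:
	libopie.so.0 => /usr/lib/libopie.so.0 (0x800000000)
	libc.so.7 => /lib/libc.so.7 (0x800200000)'
# Constructed PAM service snippets: OPIE rule active, then commented out.
PAM_OPIE='auth  sufficient  pam_opie.so  no_warn no_fake_prompts
auth  required    pam_unix.so  no_warn try_first_pass'
PAM_OFF='#auth  sufficient  pam_opie.so  no_warn no_fake_prompts
auth  required    pam_unix.so  no_warn try_first_pass'

echo "telnetd listing, OPIE rule off: $(opie_exposure "$TELNETD_LDD" "$PAM_OFF")"
echo "exampled listing, OPIE rule on: $(opie_exposure "$LINKED_LDD" "$PAM_OPIE")"
```

On a live system, feed the functions from `ldd /path/to/daemon` and the matching file under `/etc/pam.d/` instead of the embedded samples.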



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86y5mcqcco.fsf>