From: Dag-Erling Smørgrav <des@des.no>
To: Zak Blacher
Cc: freebsd-security@freebsd.org
Subject: Re: On OPIE and pam
Date: Sun, 22 Jul 2012 13:11:51 +0200
Message-ID: <86y5mcqcco.fsf@ds4.des.no>
In-Reply-To: <75834252EF47DF4B9EF04F0A3C6406FA241C08F8@wtl-exch-2.sandvine.com> (Zak Blacher's message of "Fri, 20 Jul 2012 13:56:32 +0000")
References: <75834252EF47DF4B9EF04F0A3C6406FA241C089C@wtl-exch-2.sandvine.com> <86fw8md9b9.fsf@ds4.des.no> <75834252EF47DF4B9EF04F0A3C6406FA241C08F8@wtl-exch-2.sandvine.com>
List-Id: "Security issues [members-only posting]"

Zak Blacher writes:
> Dag-Erling Smørgrav writes:
> > OPIE is not compiled into telnetd, and you shouldn't use telnet anyway.
> usr.bin/telnet/Makefile:13:CFLAGS+= -DKLUDGELINEMODE -DUSE_TERMIO -DENVHACK -DOPIE \

That's in the client (telnet), not the server (telnetd).  The vulnerability is in the verification code, which would only be used on the server:

% ldd /usr/libexec/telnetd
/usr/libexec/telnetd:
	libutil.so.9 => /lib/libutil.so.9 (0x80085e000)
	libncurses.so.8 => /lib/libncurses.so.8 (0x800a6f000)
	libmp.so.7 => /usr/lib/libmp.so.7 (0x800cbc000)
	libcrypto.so.6 => /lib/libcrypto.so.6 (0x800ebf000)
	libcrypt.so.5 => /lib/libcrypt.so.5 (0x80125f000)
	libpam.so.5 => /usr/lib/libpam.so.5 (0x80147f000)
	libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x801687000)
	libhx509.so.10 => /usr/lib/libhx509.so.10 (0x8018f6000)
	libasn1.so.10 => /usr/lib/libasn1.so.10 (0x801b36000)
	libroken.so.10 => /usr/lib/libroken.so.10 (0x801db8000)
	libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x801fc9000)
	libc.so.7 => /lib/libc.so.7 (0x8021cb000)

See, no libopie, hence no vulnerability.  What -DOPIE does for telnet is add support for running opiekey from the escape prompt.

As for ftpd, it has OPIE enabled by default in PAM, and it tries PAM before OPIE, so there is no need for built-in OPIE support.

DES
-- 
Dag-Erling Smørgrav - des@des.no
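The check DES performs above (inspecting ldd output to confirm that a daemon does not link libopie) can be scripted so it is repeatable across a fleet of hosts. The script below is an added example and is not part of the mailing-list thread or of FreeBSD itself; the ldd output it parses is a constructed sample modelled on the listing in the mail, and the function names (links_lib, verdict, check_binary) are this example's own.

```sh
#!/bin/sh
# Added example (not from the original mail): decide whether a binary links a
# given shared library by parsing ldd output of the form shown in the thread
# (a "<path>:" header line followed by indented "libfoo.so.N => ..." lines).

# Constructed sample ldd output, trimmed from the telnetd listing in the mail.
SAMPLE_LDD_OUTPUT='/usr/libexec/telnetd:
	libutil.so.9 => /lib/libutil.so.9 (0x80085e000)
	libpam.so.5 => /usr/lib/libpam.so.5 (0x80147f000)
	libcrypt.so.5 => /lib/libcrypt.so.5 (0x80125f000)
	libc.so.7 => /lib/libc.so.7 (0x8021cb000)'

# links_lib LDD_OUTPUT LIBNAME
# Succeeds (exit 0) when LIBNAME (e.g. "libopie") appears as a linked shared
# object in LDD_OUTPUT; the ".so" suffix is required so that "libc" does not
# match "libcrypt" or "libcom_err".
links_lib() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*$2\.so"
}

# verdict LDD_OUTPUT LIBNAME: prints "linked" or "not-linked" for LIBNAME.
verdict() {
    if links_lib "$1" "$2"; then
        echo linked
    else
        echo not-linked
    fi
}

# check_binary PATH LIBNAME: runs the real ldd on PATH and reports the verdict.
# Exit status 2 means the binary is absent, so callers can tell "not linked"
# apart from "not installed" (e.g. telnetd is not present on most hosts).
check_binary() {
    if [ ! -x "$1" ]; then
        echo "$1: not found or not executable"
        return 2
    fi
    if ! command -v ldd >/dev/null 2>&1; then
        echo "ldd not available"
        return 2
    fi
    echo "$1: $2 $(verdict "$(ldd "$1" 2>/dev/null)" "$2")"
}

# Usage when run directly: offline demo against the constructed sample, then
# a live check of telnetd and ftpd for libopie if those binaries exist.
if [ "${0##*/}" = "check_opie_linkage.sh" ]; then
    echo "sample telnetd: libopie $(verdict "$SAMPLE_LDD_OUTPUT" libopie)"
    echo "sample telnetd: libpam  $(verdict "$SAMPLE_LDD_OUTPUT" libpam)"
    check_binary /usr/libexec/telnetd libopie || true
    check_binary /usr/libexec/ftpd libopie || true
fi
```

Note that ldd only reports dynamic linkage; a daemon built with OPIE support statically (or with the verification code compiled in directly) would not show libopie here, so a clean ldd listing is evidence, not proof, and should be read alongside the build flags as DES does in the thread.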