Date:      Fri, 20 Jul 2012 13:56:32 +0000
From:      Zak Blacher <zblacher@sandvine.com>
To:        Dag-Erling Smørgrav <des@des.no>
Cc:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   RE: On OPIE and pam
Message-ID:  <75834252EF47DF4B9EF04F0A3C6406FA241C08F8@wtl-exch-2.sandvine.com>
In-Reply-To: <86fw8md9b9.fsf@ds4.des.no>
References:  <75834252EF47DF4B9EF04F0A3C6406FA241C089C@wtl-exch-2.sandvine.com> <86fw8md9b9.fsf@ds4.des.no>


> -----Original Message-----
> From: Dag-Erling Smørgrav [mailto:des@des.no]
> Sent: Friday, July 20, 2012 6:19 AM
> To: Zak Blacher
> Cc: freebsd-security@freebsd.org
> Subject: Re: On OPIE and pam
> 
> Zak Blacher <zblacher@sandvine.com> writes:
> > One of my tasks at work was to remove OPIE and its related libraries
> > from our kernel.
> 
> We don't have OPIE in the kernel.

My mistake, I should have said 'with the kernel'. I'm still fairly new to BSD. I was referring to the packages that ship with the kernel codebase and are built as part of a standard installation. I come from a Linux background where utilities such as ftpd and telnetd are separate packages. I submitted a patch to the ports/sudo Makefile to make compilation with OPIE a tunable option a few months ago, and was trying to differentiate this from that process.

> 
> > OPIE (One-time Passwords In Everything) was related to a potential
> > remote arbitrary code execution bug
> > (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1938 ) back
> > in 2010.
> 
> Remote denial of service, *not* remote code execution.
> 

From the link:
"... allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long username, as demonstrated by a long USER command to the FreeBSD 8.0 ftpd."

The vulnerability seems to suggest the possibility that not only can arbitrary code be executed, but it can be done at a stage prior to user verification. This says to me that local access privileges aren't even necessary for this to be a problem.

> > My question is this: With PAM becoming the standard method for
> > user-based authentication, is it still necessary to have OPIE as a
> > separate set of libraries, executables, and built into the telnet and
> > ftp servers?
> 
> OPIE is not compiled into telnetd, and you shouldn't use telnet anyway.
> 

usr.bin/telnet/Makefile:13:CFLAGS+=	-DKLUDGELINEMODE -DUSE_TERMIO -DENVHACK -DOPIE \

I haven't looked at the sources for telnet, but it's still passed as a compile flag. I'm not sure what the consequences of removing it are, but it still seems to build without errors.

But I agree with you about telnet. It shouldn't be used. We give the same advice to our customers, but some of them insist on using it despite our protestations. I'd rather patch this out just to be safe. 


> OPIE *is* compiled into ftpd, but ftpd also knows how to use PAM.
> However, you shouldn't use ftp for anything that requires
> authentication anyway.
> 

Same with ftp. 

> > I've written a kernel patch that includes a compilation flag for opie
> > support [...]
> 
> Once again, we don't have OPIE in the kernel.
> 
> DES
> --
> Dag-Erling Smørgrav - des@des.no
