From: grarpamp
Date: Fri, 6 Jan 2023 05:36:02 -0500
Subject: Re: cant login after make installworld: pam_opie.so.6 not found
To: freebsd-security@freebsd.org
Cc: freebsd-current@freebsd.org

On 1/6/23, Xin Li wrote:
> Security team has discussed this a decade ago. See
> https://www.miknet.net/security/skey-dungeon-attack/
> for technical details.

That would mean that FreeBSD knowingly left users exploitable
without doing even the "easy fix" in that article to the opie code
for over a decade. And further left opie vulnerable and present
since the commit in all RELENG, STABLE, and handbook. And did
not issue a SA on it since the commit, nor ever since the article.

If attempting to claim security as reason to delete, then FreeBSD
might appear to be faulty of this. Which would present good
opportunity to consider any potential improvements to that
process too.

> And this could have been avoided if user have followed source upgrade

Lockout avoided... yes maybe if users wanted to quit their opie
forever at that moment, but if not, then opie code module
hasn't yet been moved to ports for anyone to use and/or
update as they wish. The nature of port security in every unix OS
is 3rd-party and un-dedicated, so that wouldn't be reason
not to port such things either.

Onward :)