From owner-freebsd-security@FreeBSD.ORG Thu Jul 19 20:55:00 2012
From: Xin Li
Reply-To: d@delphij.net
To: Zak Blacher
Cc: "freebsd-security@freebsd.org"
Subject: Re: On OPIE and pam
Date: Thu, 19 Jul 2012 13:54:58 -0700
Message-ID: <50087422.70805@delphij.net>
In-Reply-To: <75834252EF47DF4B9EF04F0A3C6406FA241C089C@wtl-exch-2.sandvine.com>

Hi, Zak,

On 07/19/12 13:06, Zak Blacher wrote:
> Hello Everyone,
>
> One of my tasks at work was to remove OPIE and its related
> libraries from our kernel. OPIE (One-time Passwords In Everything)
> was related to a potential remote arbitrary code execution bug
> (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1938 )
> back in 2010.
>
> We've been looking into this library and have decided that it
> isn't necessary for our operations, and poses an unnecessary risk
> and potential attack vector. I've written a kernel patch that
> includes a compilation flag for opie support which determines
> whether or not to build the opie executables, and have added guards
> to a few source files so that they will still build without having
> the opie libraries.
>
> My question is this: With PAM becoming the standard method for
> user-based authentication, is it still necessary to have OPIE as a
> separate set of libraries, executables, and built into the telnet
> and ftp servers?

I think pam_opie[access] still depend on the OPIE library.

The executables are used for administrative usage, and thus should be
kept if OPIE functionality is desirable (or be made as ports).

However, the built-in components in telnet and ftp servers, in my
opinion, could be removed in favor of the PAM implementation.

Cheers,
--
Xin LI    https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die
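As an added illustration of the "PAM implementation" Xin Li refers to (this is not part of the message or of Zak's patch), here is the `auth` section of the stock FreeBSD `/etc/pam.d/ftpd` of that era, which supplies OPIE to ftpd purely through pam_opie and pam_opieaccess, followed by the same section once OPIE is dropped from the build. Module options are as documented in pam_opie(8) and pam_opieaccess(8); the file text is reconstructed from the standard layout rather than copied from this thread.

```text
# /etc/pam.d/ftpd, "auth" section (reconstructed stock layout, not from the
# message).  The same three lines appear in the telnetd and sshd policies.
#
# pam_opie is "sufficient": a correct one-time-password response finishes
# authentication here and pam_unix is never consulted.  A wrong or absent
# response falls through to the next line.  no_fake_prompts stops the
# module from showing a bogus OPIE challenge to users without an OPIE entry.
auth    sufficient  pam_opie.so        no_warn no_fake_prompts
# pam_opieaccess is "requisite": for a user who has an OPIE entry it checks
# /etc/opieaccess and fails immediately unless the client host is listed
# there (allow_local exempts local logins).  Users with no OPIE entry pass.
# This is what keeps an OPIE user from being downgraded to a reusable
# password over the network, which is the property OPIE-in-ftpd provided.
auth    requisite   pam_opieaccess.so  no_warn allow_local
# Ordinary Unix password, reached only when the two lines above permit it.
auth    required    pam_unix.so        no_warn try_first_pass

# After OPIE is removed from the build (Zak's case), the section is just the
# reusable-password line.  ftpd and telnetd need no OPIE-specific code: they
# call pam_authenticate(3) and never learn which module answered.
auth    required    pam_unix.so        no_warn try_first_pass
```

When the OPIE library and modules are removed, every policy under /etc/pam.d that still names pam_opie.so or pam_opieaccess.so should be edited as well (`grep -l pam_opie /etc/pam.d/*` lists them), otherwise those services reference a module that no longer exists.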