Date: Thu, 19 Jul 2012 13:54:58 -0700
From: Xin Li <delphij@delphij.net>
To: Zak Blacher <zblacher@sandvine.com>
Cc: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: Re: On OPIE and pam
Message-ID: <50087422.70805@delphij.net>
In-Reply-To: <75834252EF47DF4B9EF04F0A3C6406FA241C089C@wtl-exch-2.sandvine.com>
References: <75834252EF47DF4B9EF04F0A3C6406FA241C089C@wtl-exch-2.sandvine.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi, Zak,

On 07/19/12 13:06, Zak Blacher wrote:
> Hello Everyone,
>
> One of my tasks at work was to remove OPIE and its related
> libraries from our kernel. OPIE (One-time Passwords In Everything)
> was related to a potential remote arbitrary code execution bug
> (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1938)
> back in 2010.
>
> We've been looking into this library and have decided that it
> isn't necessary for our operations, and poses an unnecessary risk
> and potential attack vector. I've written a kernel patch that
> includes a compilation flag for OPIE support which determines
> whether or not to build the OPIE executables, and have added guards
> to a few source files so that they will still build without having
> the OPIE libraries.
>
> My question is this: With PAM becoming the standard method for
> user-based authentication, is it still necessary to have OPIE as a
> separate set of libraries, executables, and built into the telnet
> and ftp servers?

I think pam_opie[access] still depends on the OPIE library.

The executables are used for administrative usage, and thus should be
kept if OPIE functionality is desirable (or be made into ports).

However, the built-in components in the telnet and ftp servers, in my
opinion, could be removed in favor of the PAM implementation.

Cheers,
- --
Xin LI <delphij@delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!           Live free or die
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBCAAGBQJQCHQiAAoJEG80Jeu8UPuzScoIAKr/bNBG54KWCVwwCnl5XbuW
oRhESzE1sCho2khFRNvbTyVoIkBeM9yZ3KQx46IHetMN4KltZVX9zU5kRE4eHi0/
JQts3SPud4LH6JQlrsoPqX2c8rTGmKHUEkSk6ebkJUWWxgU3a1+eMPbUwQ6uOkNA
tzNP1jjttRt/c5oenXMJGeKyIzx0v/p+8siC2E0ztJ5DYYc+xULHLBiYQ8gqtbya
JdDf04lFHvqNxTvXDGPllSz+VIqC2okky3yOcMUV4nQxw2KaSUPPq3h//zMj+EaA
HEnP3tWMx/d/3tG39Rqzxi6BOS+KJdbkoIsYYEFNgClJUKwBPEB5kpGuiGrSoJI=
=vYBH
-----END PGP SIGNATURE-----
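As an added illustration of the PAM path Xin Li suggests in place of the OPIE code compiled into telnetd and ftpd (this example is not part of the original thread and is not a file FreeBSD ships as-is): a PAM auth stack for ftpd in which pam_opie and pam_opieaccess perform the one-time-password check, so the daemon needs no OPIE calls of its own, only libpam. The module names and options come from the pam_opie(8) and pam_opieaccess(8) manual pages; the ordering and control flags below are the example's own choices and should be checked against the pam.d files of the release in use.

```conf
# /etc/pam.d/ftpd  (example stack, not the shipped file)
#
# auth: try OPIE first. "sufficient" means a correct one-time password
# ends the stack successfully; "no_fake_prompts" keeps the module from
# inventing a challenge for users who have no OPIE entry.
auth    sufficient  pam_opie.so         no_warn no_fake_prompts

# If the user does have an OPIE entry but gave a wrong or no response,
# pam_opieaccess consults opieaccess(5): unless the peer is on an
# allowed network (or local, via allow_local), it fails and "requisite"
# aborts the stack here, so the reusable UNIX password is never asked
# for over the untrusted connection. This is the policy the built-in
# ftpd/telnetd OPIE code used to enforce itself.
auth    requisite   pam_opieaccess.so   no_warn allow_local

# Fall back to the reusable password only if pam_opieaccess allowed it.
auth    required    pam_unix.so         no_warn try_first_pass

# account
account required    pam_nologin.so
account required    pam_unix.so

# session
session required    pam_permit.so
```

With this stack in place, the OPIE executables (opiepasswd, opiekey, opieinfo) are still what an administrator uses to enrol a user and compute responses, which is the administrative role the reply describes; the server binaries themselves carry no OPIE-specific code.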