From owner-freebsd-security@FreeBSD.ORG Fri Jul 20 10:19:08 2012
From: Dag-Erling Smørgrav <des@des.no>
To: Zak Blacher
Cc: freebsd-security@freebsd.org
Date: Fri, 20 Jul 2012 12:19:06 +0200
Subject: Re: On OPIE and pam
Message-ID: <86fw8md9b9.fsf@ds4.des.no>
In-Reply-To: <75834252EF47DF4B9EF04F0A3C6406FA241C089C@wtl-exch-2.sandvine.com> (Zak Blacher's message of "Thu, 19 Jul 2012 20:06:36 +0000")

Zak Blacher writes:
> One of my tasks at work was to remove OPIE and its related libraries
> from our kernel.

We don't have OPIE in the kernel.

> OPIE (One-time Passwords In Everything) was related to a potential
> remote arbitrary code execution bug
> (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1938 ) back
> in 2010.

Remote denial of service, *not* remote code execution.

> My question is this: With PAM becoming the standard method for
> user-based authentication, is it still necessary to have OPIE as a
> separate set of libraries, executables, and built into the telnet and
> ftp servers?

OPIE is not compiled into telnetd, and you shouldn't use telnet anyway.
OPIE *is* compiled into ftpd, but ftpd also knows how to use PAM.
However, you shouldn't use ftp for anything that requires
authentication anyway.

> I've written a kernel patch that includes a compilation flag for opie
> support [...]

Once again, we don't have OPIE in the kernel.

DES
-- 
Dag-Erling Smørgrav - des@des.no
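The reply's point is that OPIE is a userland library reached, for most services, through PAM policy rather than through the kernel or the daemons themselves, so the practical audit question is "which PAM service policies still stack pam_opie". The following is an added example, not code from this thread or from FreeBSD: it parses pam.d-style policy files, expands openpam-style `include` lines, reports the services whose effective auth chain references OPIE, and produces a copy of a policy with those lines dropped. The module names `pam_opie.so` and `pam_opieaccess.so` are FreeBSD's real ones; the sample policies, their service names and the exact lines are constructed for illustration.

```python
"""Audit PAM service policies for OPIE modules.

Added, constructed example (not from the mailing-list post or FreeBSD's
tree): parse pam.d-style policy files and report which services still
route authentication through pam_opie / pam_opieaccess, following
"include" lines the way openpam splices in another policy.
"""

# Constructed sample policies in FreeBSD /etc/pam.d syntax:
#   facility  control  module-path  [arguments]
# The module names are real FreeBSD ones; the lines are illustrative.
SAMPLE_POLICIES = {
    "system": """\
# auth
auth        sufficient  pam_opie.so         no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so   no_warn allow_local
auth        required    pam_unix.so         no_warn try_first_pass nullok
# account
account     required    pam_login_access.so
account     required    pam_unix.so
""",
    "sshd": """\
auth        sufficient  pam_opie.so         no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so   no_warn allow_local
auth        required    pam_unix.so         no_warn try_first_pass
account     required    pam_nologin.so      no_warn
""",
    "ftpd": """\
auth        sufficient  pam_opie.so         no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so   no_warn allow_local
auth        required    pam_unix.so         no_warn
""",
    "login": """\
auth        include     system
account     include     system
""",
    "cron": """\
auth        required    pam_unix.so         no_warn
account     required    pam_unix.so
""",
}

OPIE_MODULES = {"pam_opie.so", "pam_opieaccess.so"}


def parse_policy(text):
    """Yield (facility, control, module, args) for each non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            continue                          # malformed line; ignore
        facility, control, module = fields[:3]
        yield facility, control, module, fields[3:]


def resolve_chain(policies, service, facility, seen=None):
    """Return the module chain for one facility, expanding 'include' lines."""
    if seen is None:
        seen = set()
    if service in seen or service not in policies:
        return []           # unknown policy or include loop: nothing to add
    seen.add(service)
    chain = []
    for fac, control, module, args in parse_policy(policies[service]):
        if fac != facility:
            continue
        if control == "include":
            # openpam splices the named policy's lines for this facility
            chain.extend(resolve_chain(policies, module, facility, seen))
        else:
            chain.append((control, module, tuple(args)))
    return chain


def opie_usage(policies, facility="auth"):
    """Map each service to the OPIE entries in its effective chain."""
    report = {}
    for service in sorted(policies):
        hits = [(ctl, mod) for ctl, mod, _ in
                resolve_chain(policies, service, facility)
                if mod in OPIE_MODULES]
        if hits:
            report[service] = hits
    return report


def strip_opie(text):
    """Return the policy text with OPIE module lines removed, comments kept."""
    kept = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[2] in OPIE_MODULES:
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for svc, hits in opie_usage(SAMPLE_POLICIES).items():
        print(f"{svc}: " + ", ".join(f"{ctl} {mod}" for ctl, mod in hits))
```

Run against a real system you would read the files under /etc/pam.d into the dictionary instead of using `SAMPLE_POLICIES`. Note that `login` shows up only because it includes `system`, which is exactly the case a per-file grep misses; and after `strip_opie` the remaining `required pam_unix.so` line still carries the password check, so the chain does not become empty.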