Date: Thu, 19 Jul 2012 20:06:36 +0000 From: Zak Blacher <zblacher@sandvine.com> To: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org> Subject: On OPIE and pam Message-ID: <75834252EF47DF4B9EF04F0A3C6406FA241C089C@wtl-exch-2.sandvine.com>
next in thread | raw e-mail | index | archive | help
Hello Everyone, One of my tasks at work was to remove OPIE and its related libraries from o= ur kernel. OPIE (One-time Passwords In Everything) was related to a potenti= al remote arbitrary code execution bug (http://web.nvd.nist.gov/view/vuln/d= etail?vulnId=3DCVE-2010-1938 ) back in 2010. We've been looking into this library and have decided that it isn't necessa= ry for our operations, and poses an unnecessary risk and potential attack v= ector. I've written a kernel patch that includes a compilation flag for opi= e support which determines whether or not to build the opie executables, an= d have added guards to a few source files so that they will still build wit= hout having the opie libraries. My question is this: With PAM becoming the standard method for user-based a= uthentication, is it still necessary to have OPIE as a separate set of libr= aries, executables, and built into the telnet and ftp servers? Zak Blacher Software Developer Intern Sandvine Corporation www.sandvine.com<http://www.sandvine.com>;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?75834252EF47DF4B9EF04F0A3C6406FA241C089C>