Date: Fri, 20 Jul 2012 12:19:06 +0200
From: Dag-Erling Smørgrav <des@des.no>
To: Zak Blacher <zblacher@sandvine.com>
Cc: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: Re: On OPIE and pam
Message-ID: <86fw8md9b9.fsf@ds4.des.no>
In-Reply-To: <75834252EF47DF4B9EF04F0A3C6406FA241C089C@wtl-exch-2.sandvine.com> (Zak Blacher's message of "Thu, 19 Jul 2012 20:06:36 +0000")
References: <75834252EF47DF4B9EF04F0A3C6406FA241C089C@wtl-exch-2.sandvine.com>

Zak Blacher <zblacher@sandvine.com> writes:
> One of my tasks at work was to remove OPIE and its related libraries
> from our kernel.

We don't have OPIE in the kernel.

> OPIE (One-time Passwords In Everything) was related to a potential
> remote arbitrary code execution bug
> (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1938 ) back
> in 2010.

Remote denial of service, *not* remote code execution.

> My question is this: With PAM becoming the standard method for
> user-based authentication, is it still necessary to have OPIE as a
> separate set of libraries, executables, and built into the telnet and
> ftp servers?

OPIE is not compiled into telnetd, and you shouldn't use telnet anyway.
OPIE *is* compiled into ftpd, but ftpd also knows how to use PAM.
However, you shouldn't use ftp for anything that requires authentication
anyway.

> I've written a kernel patch that includes a compilation flag for opie
> support [...]

Once again, we don't have OPIE in the kernel.

DES
-- 
Dag-Erling Smørgrav - des@des.no