Hello Everyone,

One of my tasks at work was to remove OPIE and its related libraries from our kernel. OPIE (One-time Passwords In Everything) was related to a potential remote arbitrary code execution bug (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1938 ) back in 2010.

We've been looking into this library and have decided that it isn't necessary for our operations, and poses an unnecessary risk and potential attack vector. I've written a kernel patch that includes a compilation flag for opie support which determines whether or not to build the opie executables, and have added guards to a few source files so that they will still build without having the opie libraries.

My question is this: With PAM becoming the standard method for user-based authentication, is it still necessary to have OPIE as a separate set of libraries, executables, and built into the telnet and ftp servers?

Zak Blacher
Software Developer Intern
Sandvine Corporation
www.sandvine.com
Hi, Zak,

On 07/19/12 13:06, Zak Blacher wrote:
> Hello Everyone,
>
> One of my tasks at work was to remove OPIE and its related
> libraries from our kernel. OPIE (One-time Passwords In Everything)
> was related to a potential remote arbitrary code execution bug
> (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1938 )
> back in 2010.
>
> We've been looking into this library and have decided that it
> isn't necessary for our operations, and poses an unnecessary risk
> and potential attack vector. I've written a kernel patch that
> includes a compilation flag for opie support which determines
> whether or not to build the opie executables, and have added guards
> to a few source files so that they will still build without having
> the opie libraries.
>
> My question is this: With PAM becoming the standard method for
> user-based authentication, is it still necessary to have OPIE as a
> separate set of libraries, executables, and built into the telnet
> and ftp servers?

I think pam_opie[access] still depend on the OPIE library. The executables are used for administrative usage, and thus should be kept if OPIE functionality is desirable (or be made as ports). However, the built-in components in telnet and ftp servers, in my opinion, could be removed in favor of the PAM implementation.

Cheers,
-- 
Xin LI <delphij@delphij.net> https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
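An added example (not code from this thread or from FreeBSD) of the check that follows from the reply above: since pam_opie and pam_opieaccess still need libopie, scan pam.d-style service files for rules that load those modules before the library is dropped. The pam.d contents below are constructed for the example.

```python
"""Find pam.d services that still load OPIE modules.
Any rule loading pam_opie.so or pam_opieaccess.so must be replaced before
libopie is dropped, or the services named there stop authenticating.
Input follows the FreeBSD layout: one file per service, `type control module [args]`.
"""
import re
from typing import Dict, List, Tuple

OPIE_MODULES = {"pam_opie.so", "pam_opieaccess.so"}

def parse_pam_lines(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Return (type, control, module, args) per rule; comments and blanks are
    skipped, and a bracketed control like [success=ok default=die] stays one token."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if not m:
            continue  # malformed rule: skip rather than guess
        mtype, control, module, rest = m.groups()
        rules.append((mtype, control, module, rest.split()))
    return rules

def opie_dependencies(pamd: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each service that loads an OPIE module to the offending rules."""
    found: Dict[str, List[str]] = {}
    for service, text in pamd.items():
        hits = [f"{t} {c} {mod}" for t, c, mod, _ in parse_pam_lines(text)
                if mod.rsplit("/", 1)[-1] in OPIE_MODULES]  # tolerate full paths
        if hits:
            found[service] = hits
    return found

# Constructed sample pam.d contents (not taken from any real system).
SAMPLE_PAMD = {
    "ftpd": "auth sufficient pam_opie.so no_warn no_fake_prompts\n"
            "auth requisite pam_opieaccess.so no_warn allow_local\n"
            "auth required pam_unix.so no_warn try_first_pass\n",
    "sshd": "# OPIE rules already replaced by pam_unix\n"
            "auth required pam_unix.so no_warn try_first_pass\n",
}

if __name__ == "__main__":
    for svc, rules in opie_dependencies(SAMPLE_PAMD).items():
        print(f"{svc}: still loads OPIE via {rules}")
```

Run it against a copy of /etc/pam.d read into a dict keyed by service name; any service it reports needs its OPIE rules removed or replaced before the library goes.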
Zak Blacher <zblacher@sandvine.com> writes:
> One of my tasks at work was to remove OPIE and its related libraries
> from our kernel.

We don't have OPIE in the kernel.

> OPIE (One-time Passwords In Everything) was related to a potential
> remote arbitrary code execution bug
> (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1938 ) back
> in 2010.

Remote denial of service, *not* remote code execution.

> My question is this: With PAM becoming the standard method for
> user-based authentication, is it still necessary to have OPIE as a
> separate set of libraries, executables, and built into the telnet and
> ftp servers?

OPIE is not compiled into telnetd, and you shouldn't use telnet anyway. OPIE *is* compiled into ftpd, but ftpd also knows how to use PAM. However, you shouldn't use ftp for anything that requires authentication anyway.

> I've written a kernel patch that includes a compilation flag for opie
> support [...]

Once again, we don't have OPIE in the kernel.

DES
-- 
Dag-Erling Smørgrav - des@des.no