Hello Everyone,

One of my tasks at work was to remove OPIE and its related libraries from our 
kernel. OPIE (One-time Passwords In Everything) was related to a potential 
remote arbitrary code execution bug 
(http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1938) back in 2010.

We've been looking into this library and have decided that it isn't necessary 
for our operations, and poses an unnecessary risk and potential attack vector. 
I've written a kernel patch that includes a compilation flag for opie support 
which determines whether or not to build the opie executables, and have added 
guards to a few source files so that they will still build without having the 
opie libraries.

My question is this: With PAM becoming the standard method for user-based 
authentication, is it still necessary to have OPIE as a separate set of 
libraries, executables, and built into the telnet and ftp servers?

Zak Blacher
Software Developer Intern
Sandvine Corporation
www.sandvine.com

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"
