Hi, Zak,

On 07/19/12 13:06, Zak Blacher wrote:
> Hello Everyone,
>
> One of my tasks at work was to remove OPIE and its related
> libraries from our kernel. OPIE (One-time Passwords In Everything)
> was related to a potential remote arbitrary code execution bug
> (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1938)
> back in 2010.
>
> We've been looking into this library and have decided that it
> isn't necessary for our operations, and poses an unnecessary risk
> and potential attack vector. I've written a kernel patch that
> includes a compilation flag for opie support which determines
> whether or not to build the opie executables, and have added guards
> to a few source files so that they will still build without having
> the opie libraries.
>
> My question is this: With PAM becoming the standard method for
> user-based authentication, is it still necessary to have OPIE as a
> separate set of libraries, executables, and built into the telnet
> and ftp servers?

I think pam_opie[access] still depend on the OPIE library.

The executables are used for administrative usage, and thus should be
kept if OPIE functionality is desirable (or be made as ports).

However, the built-in components in telnet and ftp servers, in my
opinion, could be removed in favor of the PAM implementation.

Cheers,
--
Xin LI <[email protected]> https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
