Zak Blacher <[email protected]> writes:
> One of my tasks at work was to remove OPIE and its related libraries
> from our kernel.

We don't have OPIE in the kernel.

> OPIE (One-time Passwords In Everything) was related to a potential
> remote arbitrary code execution bug
> (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1938 ) back
> in 2010.

Remote denial of service, *not* remote code execution.

> My question is this: With PAM becoming the standard method for
> user-based authentication, is it still necessary to have OPIE as a
> separate set of libraries, executables, and built into the telnet and
> ftp servers?

OPIE is not compiled into telnetd, and you shouldn't use telnet anyway.
OPIE *is* compiled into ftpd, but ftpd also knows how to use PAM.
However, you shouldn't use ftp for anything that requires
authentication anyway.

> I've written a kernel patch that includes a compilation flag for opie
> support [...]

Once again, we don't have OPIE in the kernel.

DES
-- 
Dag-Erling Smørgrav - [email protected]
