On OPIE and pam
Zak Blacher
zblacher at sandvine.com
Thu Jul 19 20:06:37 UTC 2012
Hello Everyone,
One of my tasks at work was to remove OPIE and its related libraries from our kernel. OPIE (One-time Passwords In Everything) was related to a potential remote arbitrary code execution bug (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1938 ) back in 2010.
We've been looking into this library and have decided that it isn't necessary for our operations, and poses an unnecessary risk and potential attack vector. I've written a kernel patch that includes a compilation flag for opie support which determines whether or not to build the opie executables, and have added guards to a few source files so that they will still build without having the opie libraries.
My question is this: With PAM becoming the standard method for user-based authentication, is it still necessary to have OPIE as a separate set of libraries, executables, and built into the telnet and ftp servers?
Zak Blacher
Software Developer Intern
Sandvine Corporation
www.sandvine.com<http://www.sandvine.com>
More information about the freebsd-security
mailing list