On OPIE and pam
Dag-Erling Smørgrav
des at des.no
Fri Jul 20 10:19:08 UTC 2012
Zak Blacher <zblacher at sandvine.com> writes:
> One of my tasks at work was to remove OPIE and its related libraries
> from our kernel.
We don't have OPIE in the kernel.
> OPIE (One-time Passwords In Everything) was related to a potential
> remote arbitrary code execution bug
> (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1938 ) back
> in 2010.
Remote denial of service, *not* remote code execution.
> My question is this: With PAM becoming the standard method for
> user-based authentication, is it still necessary to have OPIE as a
> separate set of libraries, executables, and built into the telnet and
> ftp servers?
OPIE is not compiled into telnetd, and you shouldn't use telnet anyway.
OPIE *is* compiled into ftpd, but ftpd also knows how to use PAM.
However, you shouldn't use ftp for anything that requires authentication
anyway.
> I've written a kernel patch that includes a compilation flag for opie
> support [...]
Once again, we don't have OPIE in the kernel.
DES
--
Dag-Erling Smørgrav - des at des.no