On OPIE and pam

Zak Blacher zblacher at sandvine.com
Fri Jul 20 13:56:34 UTC 2012


> -----Original Message-----
> From: Dag-Erling Smørgrav [mailto:des at des.no]
> Sent: Friday, July 20, 2012 6:19 AM
> To: Zak Blacher
> Cc: freebsd-security at freebsd.org
> Subject: Re: On OPIE and pam
> 
> Zak Blacher <zblacher at sandvine.com> writes:
> > One of my tasks at work was to remove OPIE and its related libraries
> > from our kernel.
> 
> We don't have OPIE in the kernel.

My mistake, I should have said 'with the kernel'. I'm still fairly new to BSD. I was referring to the packages that ship with the kernel codebase and are built as part of a standard installation. I come from a Linux background where utilities such as ftpd and telnetd are separate packages. I submitted a patch to the ports/sudo Makefile to make compilation with OPIE a tunable option a few months ago, and was trying to differentiate this from that process.

> 
> > OPIE (One-time Passwords In Everything) was related to a potential
> > remote arbitrary code execution bug
> > (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1938 ) back
> > in 2010.
> 
> Remote denial of service, *not* remote code execution.
> 

From the link:
"... allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long username, as demonstrated by a long USER command to the FreeBSD 8.0 ftpd."

The vulnerability seems to suggest the possibility that not only can arbitrary code be executed, but it can be done at a stage prior to user verification. This says to me that local access privileges aren't even necessary for this to be a problem.

> > My question is this: With PAM becoming the standard method for
> > user-based authentication, is it still necessary to have OPIE as a
> > separate set of libraries, executables, and built into the telnet and
> > ftp servers?
> 
> OPIE is not compiled into telnetd, and you shouldn't use telnet anyway.
> 

usr.bin/telnet/Makefile:13:CFLAGS+=	-DKLUDGELINEMODE -DUSE_TERMIO -DENVHACK -DOPIE \

I haven't looked at the sources for telnet, but it's still passed as a compile flag. I'm not sure what the consequences of removing it are, but it still seems to build without errors.

But I agree with you about telnet. It shouldn't be used. We give the same advice to our customers, but some of them insist on using it despite our protestations. I'd rather patch this out just to be safe.


> OPIE *is* compiled into ftpd, but ftpd also knows how to use PAM.
> However, you shouldn't use ftp for anything that requires
> authentication anyway.
> 

Same with ftp.

> > I've written a kernel patch that includes a compilation flag for opie
> > support [...]
> 
> Once again, we don't have OPIE in the kernel.
> 
> DES
> --
> Dag-Erling Smørgrav - des at des.no
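
The two checks implied by the exchange above (is -DOPIE still passed in a Makefile's CFLAGS, and does a built daemon actually link libopie), written up as an added example. This is not code from the thread or from FreeBSD; the Makefile fragments, the ldd output and the library version number in them are constructed sample input, and audit_binary assumes it is run on a FreeBSD host where ldd can be invoked on the binary.

```shell
#!/bin/sh
# Added example, not from the mailing list thread or the FreeBSD tree.
# All sample inputs below are constructed for illustration.

# Join make continuation lines ("... \") so a flag on a continued line
# is seen on the same logical line as the CFLAGS assignment.
join_continuations() {
    awk '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
              { print buf $0; buf = "" }
        END   { if (buf != "") print buf }
    '
}

# opie_in_cflags MAKEFILE_TEXT
# Exit 0 if any CFLAGS= / CFLAGS+= assignment carries -DOPIE as a whole word.
opie_in_cflags() {
    printf '%s\n' "$1" | join_continuations \
        | grep -qE '^[[:space:]]*CFLAGS[[:space:]]*\+?=.*[[:space:]]-DOPIE([[:space:]]|$)'
}

# opie_linked LDD_OUTPUT
# Exit 0 if the ldd listing names libopie.so (i.e. the binary links it).
opie_linked() {
    printf '%s\n' "$1" | grep -qE '^[[:space:]]*libopie\.so'
}

# On a real host: audit_binary /usr/libexec/ftpd
audit_binary() {
    if opie_linked "$(ldd "$1" 2>/dev/null)"; then
        printf '%s: links libopie\n' "$1"
    else
        printf '%s: no libopie\n' "$1"
    fi
}

# Constructed Makefile fragments (the first mirrors the line quoted above).
SAMPLE_MAKEFILE_WITH='CFLAGS+=	-DKLUDGELINEMODE -DUSE_TERMIO -DENVHACK -DOPIE \
		-DEXAMPLE_CONTINUED'
SAMPLE_MAKEFILE_CONT='CFLAGS+=	-DKLUDGELINEMODE -DUSE_TERMIO \
		-DENVHACK -DOPIE'
SAMPLE_MAKEFILE_WITHOUT='CFLAGS+=	-DKLUDGELINEMODE -DUSE_TERMIO -DENVHACK
LDADD=	-lopie_unrelated'

# Constructed ldd listings (paths and version numbers are placeholders).
SAMPLE_LDD_WITH='/usr/libexec/ftpd:
	libopie.so.8 => /usr/lib/libopie.so.8 (0x800a00000)
	libpam.so.5 => /usr/lib/libpam.so.5 (0x800c00000)
	libc.so.7 => /lib/libc.so.7 (0x800e00000)'
SAMPLE_LDD_WITHOUT='/usr/libexec/ftpd:
	libpam.so.5 => /usr/lib/libpam.so.5 (0x800c00000)
	libc.so.7 => /lib/libc.so.7 (0x800e00000)'

# Demonstration run on the constructed samples.
for m in WITH CONT WITHOUT; do
    eval "text=\$SAMPLE_MAKEFILE_$m"
    if opie_in_cflags "$text"; then
        printf 'Makefile sample %s: -DOPIE present\n' "$m"
    else
        printf 'Makefile sample %s: -DOPIE absent\n' "$m"
    fi
done
```

The compile flag and the linked library are separate questions: a stray -DOPIE in CFLAGS only matters if the code behind that #ifdef is compiled in, and whether the resulting binary pulls in libopie is what ldd on the installed daemon shows. Running audit_binary against the installed ftpd and telnetd after a rebuild is the direct way to confirm a patch that removes the flag actually changed what ships.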
