On OPIE and pam
Dag-Erling Smørgrav
des at des.no
Fri Jul 27 08:37:09 UTC 2012
Zak Blacher <zblacher at sandvine.com> writes:
> Dag-Erling Smørgrav <des at des.no> writes:
> > OPIE is not compiled into telnetd, and you shouldn't use telnet anyway.
> usr.bin/telnet/Makefile:13:CFLAGS+= -DKLUDGELINEMODE -DUSE_TERMIO -DENVHACK -DOPIE \
That's in the client (telnet), not the server (telnetd). The
vulnerability is in the verification code, which would only be used on
the server:
% ldd /usr/libexec/telnetd
/usr/libexec/telnetd:
libutil.so.9 => /lib/libutil.so.9 (0x80085e000)
libncurses.so.8 => /lib/libncurses.so.8 (0x800a6f000)
libmp.so.7 => /usr/lib/libmp.so.7 (0x800cbc000)
libcrypto.so.6 => /lib/libcrypto.so.6 (0x800ebf000)
libcrypt.so.5 => /lib/libcrypt.so.5 (0x80125f000)
libpam.so.5 => /usr/lib/libpam.so.5 (0x80147f000)
libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x801687000)
libhx509.so.10 => /usr/lib/libhx509.so.10 (0x8018f6000)
libasn1.so.10 => /usr/lib/libasn1.so.10 (0x801b36000)
libroken.so.10 => /usr/lib/libroken.so.10 (0x801db8000)
libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x801fc9000)
libc.so.7 => /lib/libc.so.7 (0x8021cb000)
See, no libopie, hence no vulnerability.
What -DOPIE does for telnet is add support for running opiekey from the
escape prompt.
As for ftpd, it has OPIE enabled by default in PAM, and it tries PAM
before OPIE, so there is no need for built-in OPIE support.
DES
--
Dag-Erling Smørgrav - des at des.no
More information about the freebsd-security
mailing list