Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 30 Jan 2012 15:06:07 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Nanakos Chrysostomos <nanakos@...ed-net.gr>,
        Jonathan Wiltshire <jmw@...ian.org>,
        Gian Piero Carrubba <gpiero@...rf.it>,
        "team@...urity.debian.org" <team@...urity.debian.org>
Subject: Re: Re: Yubiserver package ships with pre-filled identities

On 01/30/2012 02:32 PM, Nanakos Chrysostomos wrote:
> 

>> Ok I'm not clear on what is going on here, is there a link to the bug
>> entry regarding this issue, or can someone clarify it?
>>
> 
> Hi,
> there is no bug entry yet.
> 
> 
>> 1) are there default accounts shipped with the product that get
>> activated automatically during install? (it sounds like yes?)
>>
> 
> Yes. The database is populated with an example/test account which is
> activated during install.

Is this account documented/the impact documented?

>> 2) can someone remotely/locally access these accounts? what are the
>> credentials for these accounts ("invalid keys"?), can an attacker access
>> them?
>>
> 
> If someone programs or uses a software emulation for the yubikey can
> have access to whatever the user of the application uses it for ( the
> yubiserver). For example if someone uses Pam yubico module with the su
> or sshd server to provide a two factor authentication scheme he should
> suffer from this security issue if he hasn't deleted or deactivated the
> test account. If someone by mistake installs yubiserver and doesn't use
> him to validate his otp or hmac otp, he won't suffer from this security
> issue. Someone can only suffer if he uses the server and hasn't deleted
> or deactivated the test account which is shipped with the server.
> 
>> 3) what is the privilege level of the accounts?
> 
> That depends on how someone wants to use the server and the privilege
> level that he wants to give to it's users through the validation of the
> otp or hmac otp.

So it would basically be the same as any other standard account created
on the server?

> Chris.


-- 
Kurt Seifried Red Hat Security Response Team (SRT)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ