Date: Mon, 30 Jan 2012 15:06:07 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Nanakos Chrysostomos <nanakos@...ed-net.gr>, Jonathan Wiltshire <jmw@...ian.org>, Gian Piero Carrubba <gpiero@...rf.it>, "team@...urity.debian.org" <team@...urity.debian.org>
Subject: Re: Re: Yubiserver package ships with pre-filled identities

On 01/30/2012 02:32 PM, Nanakos Chrysostomos wrote:
>
>> Ok, I'm not clear on what is going on here. Is there a link to the bug
>> entry regarding this issue, or can someone clarify it?
>>
>
> Hi,
> there is no bug entry yet.
>
>
>> 1) Are there default accounts shipped with the product that get
>> activated automatically during install? (It sounds like yes?)
>>
>
> Yes. The database is populated with an example/test account which is
> activated during install.

Is this account documented? Is the impact documented?

>> 2) Can someone remotely/locally access these accounts? What are the
>> credentials for these accounts ("invalid keys"?)? Can an attacker access
>> them?
>>
>
> If someone programs or uses a software emulation of the yubikey, they can
> have access to whatever the user of the application uses it for (the
> yubiserver). For example, if someone uses the pam_yubico module with su
> or the sshd server to provide a two-factor authentication scheme, they
> will suffer from this security issue if they haven't deleted or deactivated
> the test account. If someone installs yubiserver by mistake and doesn't use
> it to validate their OTP or HMAC OTP, they won't suffer from this security
> issue. Someone can only suffer if they use the server and haven't deleted
> or deactivated the test account which is shipped with the server.
>
>> 3) What is the privilege level of the accounts?
>
> That depends on how someone wants to use the server and the privilege
> level that they want to give to its users through the validation of the
> OTP or HMAC OTP.

So it would basically be the same as any other standard account created on the server?

> Chris.

--
Kurt Seifried Red Hat Security Response Team (SRT)
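The mitigation the thread converges on is to delete or deactivate any example/test identity that a package pre-fills at install time. The following is an added example of a post-install audit for that situation; it is not yubiserver's own code, and the table layout (`yubikeys` with `nickname`, `publicname`, `active` columns), the database path (an in-memory database here) and the sample rows are all assumptions constructed for the example. The name patterns it matches are a heuristic, so the audit reports what it finds rather than silently deleting anything.

```python
import sqlite3

# Hypothetical schema for a yubiserver-style validation database.
# This is an assumption for the example, not yubiserver's real layout.
SCHEMA = """
CREATE TABLE yubikeys (
    nickname   TEXT PRIMARY KEY,
    publicname TEXT NOT NULL,
    active     INTEGER NOT NULL DEFAULT 1
);
"""

# Constructed sample rows: one operator-created identity plus the kind of
# example/test identity a package might pre-fill and activate at install.
SAMPLE_ROWS = [
    ("alice",   "ccccccbcdefg", 1),  # constructed operator identity
    ("test",    "cccccccccccc", 1),  # constructed pre-filled test identity
    ("example", "cccccccccccd", 0),  # constructed, already deactivated
]

# Substrings that commonly mark shipped example identities (heuristic).
TEST_NAME_PATTERNS = ("test", "example", "demo")


def build_sample_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO yubikeys VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_active_test_accounts(conn):
    """Return nicknames of *active* identities whose name looks like a
    shipped test/example account. Inactive ones are already harmless
    for validation purposes and are not reported."""
    rows = conn.execute(
        "SELECT nickname FROM yubikeys WHERE active = 1"
    ).fetchall()
    return sorted(
        name for (name,) in rows
        if any(p in name.lower() for p in TEST_NAME_PATTERNS)
    )


def deactivate(conn, nicknames):
    """Deactivate the given identities; returns the number of rows changed.
    Deactivation rather than deletion keeps the row for later review."""
    changed = 0
    for name in nicknames:
        cur = conn.execute(
            "UPDATE yubikeys SET active = 0 WHERE nickname = ? AND active = 1",
            (name,),
        )
        changed += cur.rowcount
    conn.commit()
    return changed


def audit_and_fix(conn):
    """Report suspicious active identities, deactivate them, and return
    (found, deactivated_count) so the result can be logged or asserted on."""
    found = find_active_test_accounts(conn)
    count = deactivate(conn, found) if found else 0
    return found, count


if __name__ == "__main__":
    db = build_sample_db()
    found, count = audit_and_fix(db)
    print("suspicious active identities:", found)
    print("deactivated:", count)
```

Run against a real deployment, `build_sample_db()` would be replaced by `sqlite3.connect(<path to the validation database>)` and the schema names adjusted to the actual table; the point is that the check runs after installation, before the server is wired into pam_yubico, su or sshd.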