Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 31 Jan 2012 00:14:10 +0200
From: Nanakos Chrysostomos <nanakos@...ed-net.gr>
To: Kurt Seifried <kseifried@...hat.com>
Cc: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>,
        Jonathan Wiltshire <jmw@...ian.org>,
        Gian Piero Carrubba <gpiero@...rf.it>,
        "team@...urity.debian.org" <team@...urity.debian.org>
Subject: Re: Re: Yubiserver package ships with pre-filled identities


On 31 Ιαν 2012, at 0:06, Kurt Seifried <kseifried@...hat.com> wrote:

> On 01/30/2012 02:32 PM, Nanakos Chrysostomos wrote:
>>
>
>>> Ok I'm not clear on what is going on here, is there a link to the  
>>> bug
>>> entry regarding this issue, or can someone clarify it?
>>>
>>
>> Hi,
>> there is no bug entry yet.
>>
>>
>>> 1) are there default accounts shipped with the product that get
>>> activated automatically during install? (it sounds like yes?)
>>>
>>
>> Yes. The database is populated with an example/test account which is
>> activated during install.
>
> Is this account documented/the impact documented?
>

What do you mean?



>>> 2) can someone remotely/locally access these accounts? what are the
>>> credentials for these accounts ("invalid keys"?), can an attacker  
>>> access
>>> them?
>>>
>>
>> If someone programs or uses a software emulation for the yubikey can
>> have access to whatever the user of the application uses it for ( the
>> yubiserver). For example if someone uses Pam yubico module with the  
>> su
>> or sshd server to provide a two factor authentication scheme he  
>> should
>> suffer from this security issue if he hasn't deleted or deactivated  
>> the
>> test account. If someone by mistake installs yubiserver and doesn't  
>> use
>> him to validate his otp or hmac otp, he won't suffer from this  
>> security
>> issue. Someone can only suffer if he uses the server and hasn't  
>> deleted
>> or deactivated the test account which is shipped with the server.
>>
>>> 3) what is the privilege level of the accounts?
>>
>> That depends on how someone wants to use the server and the privilege
>> level that he wants to give to it's users through the validation of  
>> the
>> otp or hmac otp.
>
> So it would basically be the same as any other standard account  
> created
> on the server?
>

Yes. It's just a simple account you could add anytime by yourself.



>> Chris.
>
>
> -- 
> Kurt Seifried Red Hat Security Response Team (SRT)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ