Date: Tue, 31 Jan 2012 00:14:10 +0200
From: Nanakos Chrysostomos <>
To: Kurt Seifried <>
Cc: "" <>,
        Jonathan Wiltshire <>,
        Gian Piero Carrubba <>,
        "" <>
Subject: Re: Re: Yubiserver package ships with pre-filled identities

On 31 Jan 2012, at 0:06, Kurt Seifried <> wrote:

> On 01/30/2012 02:32 PM, Nanakos Chrysostomos wrote:
>>> Ok I'm not clear on what is going on here, is there a link to the bug
>>> entry regarding this issue, or can someone clarify it?
>> Hi,
>> there is no bug entry yet.
>>> 1) are there default accounts shipped with the product that get
>>> activated automatically during install? (it sounds like yes?)
>> Yes. The database is populated with an example/test account which is
>> activated during install.
> Is this account documented/the impact documented?

What do you mean?

>>> 2) can someone remotely/locally access these accounts? what are the
>>> credentials for these accounts ("invalid keys"?), can an attacker access
>>> them?
>> If someone programs or uses a software emulation for the yubikey, they can
>> have access to whatever the user of the application uses it for (the
>> yubiserver). For example, if someone uses the PAM yubico module with su
>> or sshd to provide a two-factor authentication scheme, he would
>> suffer from this security issue if he hasn't deleted or deactivated the
>> test account. If someone by mistake installs yubiserver and doesn't use
>> it to validate his OTP or HMAC OTP, he won't suffer from this security
>> issue. Someone can only suffer if he uses the server and hasn't deleted
>> or deactivated the test account which is shipped with the server.
>>> 3) what is the privilege level of the accounts?
>> That depends on how someone wants to use the server and the privilege
>> level that he wants to give to its users through the validation of the
>> OTP or HMAC OTP.
> So it would basically be the same as any other standard account created
> on the server?

Yes. It's just a simple account you could add anytime by yourself.

>> Chris.
> -- 
> Kurt Seifried Red Hat Security Response Team (SRT)
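Added example, not from this thread and not the yubiserver project's own code: the post-install check and mitigation the reply describes, namely listing identities that are still active in the validation database, flagging any that match a known shipped test identity, and deactivating it so an emulated key presenting that identity no longer validates. The sqlite table layout, the column names and the example identity value are assumptions made for the demonstration; the real package's schema and shipped values are not given in the thread.

```python
import sqlite3

# Constructed placeholder for a shipped test identity. The real values
# shipped by the package are not stated in the thread, so this is only
# a stand-in used to build the demonstration database below.
SHIPPED_TEST_IDENTITIES = {"cccccccccccc"}


def make_demo_db():
    """Build an in-memory database in the assumed (hypothetical) layout:
    one row per identity, with an 'active' flag the validator consults.
    The shipped test identity is inserted already active, as the reply
    says happens during install."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE identities ("
        " public_id TEXT PRIMARY KEY,"
        " aes_key_hex TEXT NOT NULL,"
        " active INTEGER NOT NULL)"
    )
    for public_id in SHIPPED_TEST_IDENTITIES:
        # constructed all-zero key; only the presence of the row matters here
        conn.execute(
            "INSERT INTO identities VALUES (?, ?, 1)", (public_id, "00" * 16)
        )
    conn.commit()
    return conn


def identity_is_accepted(conn, public_id):
    """What the validation path checks before looking at the OTP itself:
    the identity must exist and be active. An emulated key presenting a
    shipped test identity passes this step until the row is deactivated."""
    row = conn.execute(
        "SELECT active FROM identities WHERE public_id = ?", (public_id,)
    ).fetchone()
    return row is not None and row[0] == 1


def active_shipped_identities(conn, known_test_ids=SHIPPED_TEST_IDENTITIES):
    """Audit step: return the shipped test identities that are still active."""
    rows = conn.execute(
        "SELECT public_id FROM identities WHERE active = 1 ORDER BY public_id"
    ).fetchall()
    return [pid for (pid,) in rows if pid in known_test_ids]


def deactivate_identity(conn, public_id):
    """Mitigation step: flip the active flag; returns the number of rows changed."""
    cur = conn.execute(
        "UPDATE identities SET active = 0 WHERE public_id = ?", (public_id,)
    )
    conn.commit()
    return cur.rowcount


def remediate(conn):
    """Run the audit and deactivate every shipped identity it finds.
    Returns the list of identities that were deactivated."""
    found = active_shipped_identities(conn)
    for pid in found:
        deactivate_identity(conn, pid)
    return found


if __name__ == "__main__":
    db = make_demo_db()
    print("before:", active_shipped_identities(db))
    print("deactivated:", remediate(db))
    print("after:", active_shipped_identities(db))
```

Deleting the row instead of clearing the flag works equally well for the mitigation; the flag form is used here so the audit can be re-run and still show what was shipped.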
