Date: Tue, 31 Jan 2012 00:14:10 +0200 From: Nanakos Chrysostomos <nanakos@...ed-net.gr> To: Kurt Seifried <kseifried@...hat.com> Cc: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>, Jonathan Wiltshire <jmw@...ian.org>, Gian Piero Carrubba <gpiero@...rf.it>, "team@...urity.debian.org" <team@...urity.debian.org> Subject: Re: Re: Yubiserver package ships with pre-filled identities On 31 Ιαν 2012, at 0:06, Kurt Seifried <kseifried@...hat.com> wrote: > On 01/30/2012 02:32 PM, Nanakos Chrysostomos wrote: >> > >>> Ok I'm not clear on what is going on here, is there a link to the >>> bug >>> entry regarding this issue, or can someone clarify it? >>> >> >> Hi, >> there is no bug entry yet. >> >> >>> 1) are there default accounts shipped with the product that get >>> activated automatically during install? (it sounds like yes?) >>> >> >> Yes. The database is populated with an example/test account which is >> activated during install. > > Is this account documented/the impact documented? > What do you mean? >>> 2) can someone remotely/locally access these accounts? what are the >>> credentials for these accounts ("invalid keys"?), can an attacker >>> access >>> them? >>> >> >> If someone programs or uses a software emulation for the yubikey can >> have access to whatever the user of the application uses it for ( the >> yubiserver). For example if someone uses Pam yubico module with the >> su >> or sshd server to provide a two factor authentication scheme he >> should >> suffer from this security issue if he hasn't deleted or deactivated >> the >> test account. If someone by mistake installs yubiserver and doesn't >> use >> him to validate his otp or hmac otp, he won't suffer from this >> security >> issue. Someone can only suffer if he uses the server and hasn't >> deleted >> or deactivated the test account which is shipped with the server. >> >>> 3) what is the privilege level of the accounts? >> >> That depends on how someone wants to use the server and the privilege >> level that he wants to give to it's users through the validation of >> the >> otp or hmac otp. > > So it would basically be the same as any other standard account > created > on the server? > Yes. It's just a simple account you could add anytime by yourself. >> Chris. > > > -- > Kurt Seifried Red Hat Security Response Team (SRT)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ