Re: [oss-security] Re: Yubiserver package ships with pre-filled identities

On 31 Ιαν 2012, at 0:06, Kurt Seifried <kseifried@redhat.com> wrote:

> On 01/30/2012 02:32 PM, Nanakos Chrysostomos wrote:
>>
>
>>> Ok I'm not clear on what is going on here, is there a link to the
>>> bug
>>> entry regarding this issue, or can someone clarify it?
>>>
>>
>> Hi,
>> there is no bug entry yet.
>>
>>
>>> 1) are there default accounts shipped with the product that get
>>> activated automatically during install? (it sounds like yes?)
>>>
>>
>> Yes. The database is populated with an example/test account which is
>> activated during install.
>
> Is this account documented/the impact documented?
>

What do you mean?

>>> 2) can someone remotely/locally access these accounts? what are the
>>> credentials for these accounts ("invalid keys"?), can an attacker
>>> access
>>> them?
>>>
>>
>> If someone programs or uses a software emulation for the yubikey can
>> have access to whatever the user of the application uses it for ( the
>> yubiserver). For example if someone uses Pam yubico module with the
>> su
>> or sshd server to provide a two factor authentication scheme he
>> should
>> suffer from this security issue if he hasn't deleted or deactivated
>> the
>> test account. If someone by mistake installs yubiserver and doesn't
>> use
>> him to validate his otp or hmac otp, he won't suffer from this
>> security
>> issue. Someone can only suffer if he uses the server and hasn't
>> deleted
>> or deactivated the test account which is shipped with the server.
>>
>>> 3) what is the privilege level of the accounts?
>>
>> That depends on how someone wants to use the server and the privilege
>> level that he wants to give to it's users through the validation of
>> the
>> otp or hmac otp.
>
> So it would basically be the same as any other standard account
> created
> on the server?
>

Yes. It's just a simple account you could add anytime by yourself.

>> Chris.
>
>
> --
> Kurt Seifried Red Hat Security Response Team (SRT)

• This message: [ Message body ]
• Next message: Kurt Seifried: "Re: [oss-security] Re: Yubiserver package ships with pre-filled identities"
• Previous message: Kurt Seifried: "Re: [oss-security] Re: Yubiserver package ships with pre-filled identities"
• In reply to: Kurt Seifried: "Re: [oss-security] Re: Yubiserver package ships with pre-filled identities"
• Next in thread: Kurt Seifried: "Re: [oss-security] Re: Yubiserver package ships with pre-filled identities"
• Reply: Kurt Seifried: "Re: [oss-security] Re: Yubiserver package ships with pre-filled identities"

• Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]