Re: Re: Yubiserver package ships with pre-filled identities

[Kurt Seifried <kseifried () redhat com>]

On 01/30/2012 02:32 PM, Nanakos Chrysostomos wrote:
>

> > Ok I'm not clear on what is going on here, is there a link to the bug
> > entry regarding this issue, or can someone clarify it?
>
> Hi,
> there is no bug entry yet.
>
>
> > 1) are there default accounts shipped with the product that get
> > activated automatically during install? (it sounds like yes?)
>
> Yes. The database is populated with an example/test account which is
> activated during install.

Is this account documented/the impact documented?

> > 2) can someone remotely/locally access these accounts? what are the
> > credentials for these accounts ("invalid keys"?), can an attacker access
> > them?
>
> If someone programs or uses a software emulation for the yubikey can
> have access to whatever the user of the application uses it for ( the
> yubiserver). For example if someone uses Pam yubico module with the su
> or sshd server to provide a two factor authentication scheme he should
> suffer from this security issue if he hasn't deleted or deactivated the
> test account. If someone by mistake installs yubiserver and doesn't use
> him to validate his otp or hmac otp, he won't suffer from this security
> issue. Someone can only suffer if he uses the server and hasn't deleted
> or deactivated the test account which is shipped with the server.
>
> > 3) what is the privilege level of the accounts?
>
> That depends on how someone wants to use the server and the privilege
> level that he wants to give to it's users through the validation of the
> otp or hmac otp.

So it would basically be the same as any other standard account created
on the server?

> Chris.


-- 
Kurt Seifried Red Hat Security Response Team (SRT)