
Re: [cobalt-security] [Qube2] Admin Account



On Sun, 11 Jun 2000, you wrote:

> Anyone familiar with Cobalt knows the default administrative account is named
> admin. Hence, one can focus one's pw attack on the userid admin. Since both
> admin and root share the same password, getting to admin means that root is
> also available. 
[...]
> Seems to me that this is a risk exposure that should not be open? Am I being
> overly cautious?

The only problem with the admin account that I can think of is that the
admin password is used to authenticate you when you administer your Qube from
the web. Normally, Apache gives you unlimited tries for the password and
doesn't enforce a time delay between each try. I don't know if this kind of
attack is possible on the Qube, but I would think so.

Other than this, it doesn't matter if everyone knows the usernames of admin and
root. You should choose a password that is so good that it can't be guessed
instead of messing things up by renaming users. It will only give you a false
sense of security.

Sincerely, 
Ake Brannstrom
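Since Apache itself neither throttles nor locks out repeated HTTP auth failures, one defensive option is to watch the access log for bursts of 401 responses from a single client. The script below is an added example, not code from the thread or from Cobalt; the log lines are constructed samples in Apache "combined" format, and the /admin/ path, threshold and time window are assumptions rather than Qube-specific values.

```python
"""Flag clients that repeatedly fail web-admin authentication (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log prefix: ip ident authuser [timestamp] "request" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log; /admin/ is an assumed path, not a documented Cobalt URL.
SAMPLE_LOG = """\
10.0.0.5 - admin [11/Jun/2000:10:00:01 +0200] "GET /admin/ HTTP/1.0" 401 401
10.0.0.5 - admin [11/Jun/2000:10:00:02 +0200] "GET /admin/ HTTP/1.0" 401 401
10.0.0.5 - admin [11/Jun/2000:10:00:02 +0200] "GET /admin/ HTTP/1.0" 401 401
10.0.0.5 - admin [11/Jun/2000:10:00:03 +0200] "GET /admin/ HTTP/1.0" 401 401
10.0.0.5 - admin [11/Jun/2000:10:00:03 +0200] "GET /admin/ HTTP/1.0" 401 401
10.0.0.5 - admin [11/Jun/2000:10:00:04 +0200] "GET /admin/ HTTP/1.0" 200 2048
10.0.0.9 - admin [11/Jun/2000:10:00:10 +0200] "GET /admin/ HTTP/1.0" 401 401
10.0.0.9 - admin [11/Jun/2000:10:05:10 +0200] "GET /admin/ HTTP/1.0" 200 2048
"""


def find_guessing_clients(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak_count} for clients with >= threshold 401s inside `window`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "401":
            continue  # ignore unparsable lines and non-auth-failure responses
        failures[m.group("ip")].append(datetime.strptime(m.group("ts"), TS_FMT))
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide window so it spans <= `window`
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    print(find_guessing_clients(SAMPLE_LOG))  # {'10.0.0.5': 5}
```

The thresholds are deliberately conservative; a real deployment would tune them to legitimate admin usage and feed the flagged addresses into a firewall rule or alert.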