[X2go-dev] Password in plain text!?!?!?
Alexander.Kuchler at pruftechnik.com
Thu Jul 30 17:15:33 CEST 2009
> Hello Alexander,
> x2goclient needs to save the password on disk in order to send it to ssh
> via the SSH_ASKPASS program. Passwords are saved in a protected file directly
> before initialization of the ssh session and should be deleted immediately
> after initialization of the ssh connection.
> You should not see the file with the password in your
> C:\Documents\%User%\.x2go\ssh\
>
> I have tested x2go client right now and all I can see in my \.x2go\ssh\
> folder are several files with XXXXXXXXXXXXXXXXXX.
>
> If you can reproduce other behaviour of x2goclient on Windows, you have
> possibly found a bug in the Windows version of x2goclient. Let me know what
> you do to see the file with the password and I will try to fix this problem.
> I will also try to find it myself.
>
I had one file on my own computer
c:\Documents\%User%\.x2go\ssh\askpass.akk844
which contained my password in plain text.
The other files
c:\Documents\%User%\.x2go\ssh\askpass.* contained only XXXXX
The worrying thing was: In the morning I tried to log in to the Linux
machine from the Windows workstation of my colleague to figure out the
reason for some other strange X2Go client effects. In the afternoon (in
the meantime he started a few other x2go sessions) he came to me smiling
and told me my password because the plain text askpass file of my session
was still on his computer. And he told me he found files with his own
password, too. Maybe it's not encrypted when anything is going wrong
during initialisation of the session. But from my point of view this should
really never happen.
Yours,
Alexander
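
Added example, not part of the original message and not x2goclient code: a small audit that checks a `.x2go\ssh` directory for `askpass.*` files that were left behind without being overwritten, reporting only file names and never their content. It assumes, from the thread, that a cleaned-up file holds nothing but `X` characters; the directory passed in and the sample file names are constructed for illustration.

```python
from pathlib import Path
import tempfile

# Assumption taken from the thread: a scrubbed askpass file holds only "X".
# Limitation: a password made up solely of "X" would be reported as scrubbed.
MASK_CHAR = b"X"


def classify_askpass_file(path):
    """Return 'empty', 'scrubbed' or 'unscrubbed' without exposing the content."""
    text = path.read_bytes().strip(b"\r\n")
    if not text:
        return "empty"
    if text == MASK_CHAR * len(text):
        return "scrubbed"
    return "unscrubbed"


def audit_askpass_dir(ssh_dir):
    """Map each askpass.* file name in ssh_dir to its classification."""
    results = {}
    for path in sorted(Path(ssh_dir).glob("askpass.*")):
        if path.is_file():
            results[path.name] = classify_askpass_file(path)
    return results


def unscrubbed_files(ssh_dir):
    """Names of leftover askpass files that still hold non-masked data."""
    return [n for n, s in audit_askpass_dir(ssh_dir).items() if s == "unscrubbed"]


def build_sample_dir(root):
    """Create constructed sample files that mimic the situation in the thread."""
    d = Path(root) / ".x2go" / "ssh"
    d.mkdir(parents=True)
    (d / "askpass.aaa111").write_text("XXXXXXXXXXXX")           # overwritten
    (d / "askpass.bbb222").write_text("not-a-real-password\n")  # left in clear
    (d / "askpass.ccc333").write_text("")                       # truncated
    (d / "known_hosts").write_text("ignored")                   # not askpass.*
    return d


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, state in audit_askpass_dir(build_sample_dir(tmp)).items():
            print(f"{name}: {state}")
```

Any file reported as `unscrubbed` should be treated as an exposed credential: remove the file and change the password it belonged to.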