[X2go-dev] Password in plain text!?!?!?

Alexander.Kuchler at pruftechnik.com
Thu Jul 30 17:15:33 CEST 2009


> Hello Alexander,
> x2goclient needs to save password on disk for sending it to ssh via
> SSH_ASKPASS program. Passwords are saved in protected file directly before
> initialization of ssh session and should be deleted immediately after
> initialization of ssh connection.
> You should not see the file with password in your
> C:\Documents\%User%\.x2go\ssh\
> 
> I have tested x2go client right now and all I can see in my \.x2go\ssh\
> folder are several files with XXXXXXXXXXXXXXXXXX.
> 
> If you can reproduce other behaviour of x2goclient on Windows, you have
> possibly found a bug in the Windows version of x2goclient. Let me know what
> you do to see the file with the password and I will try to fix this problem. I will
> also try to find it myself.
> 
I had one file on my own computer
c:\Documents\%User%\.x2go\ssh\askpass.akk844
which contained my password in plain text.

The other files
c:\Documents\%User%\.x2go\ssh\askpass.* contained only XXXXX

The worrying thing was: In the morning I tried to login to the Linux 
machine from the Windows workstation of my colleague to figure out the 
reason for some other strange X2Go client effects. In the afternoon (in 
the meantime he started a few other x2go sessions) he came to me smiling 
and told me my password because the plain text askpass file of my session 
was still on his computer. And he told me he found files with his own 
password, too. Maybe it's not encrypted when anything is going wrong 
during initialisation of the session. But in my point of view this should 
really never happen.

Yours,
Alexander
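
Added example, not part of the original message and not x2goclient's own code: a Python sketch of the two things this thread turns on, namely removing the askpass file even when session initialization fails, and checking a .x2go/ssh folder for askpass.* files that were never scrubbed. The function names askpass_file and audit_askpass_dir are hypothetical, the sample files are constructed, and the 'X' filler convention is taken from the messages above.

```python
import os
import tempfile
from contextlib import contextmanager
from pathlib import Path


@contextmanager
def askpass_file(directory, password):
    """Keep a password in a private file only while the caller needs it."""
    # mkstemp creates the file exclusively; on POSIX it is mode 0600.
    fd, name = tempfile.mkstemp(prefix="askpass.", dir=directory)
    path = Path(name)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(password)
        yield path
    finally:
        # Runs on success AND on failure: overwrite with filler, then delete.
        # (Overwriting is best effort; it does not guarantee physical erasure.)
        size = path.stat().st_size
        with open(path, "r+b") as fh:
            fh.write(b"X" * size)
            fh.flush()
            os.fsync(fh.fileno())
        path.unlink()


def audit_askpass_dir(directory):
    """Return names of askpass.* files holding anything other than 'X' filler."""
    leftovers = []
    for path in sorted(Path(directory).glob("askpass.*")):
        data = path.read_bytes().strip()
        if data.strip(b"X"):  # bytes remain after removing X: unscrubbed content
            leftovers.append(path.name)  # report the name only, never the content
    return leftovers


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample files mirroring the folder described in the thread.
        Path(d, "askpass.aaa111").write_text("XXXXXXXXXXXX")
        Path(d, "askpass.bbb222").write_text("constructed-secret")
        try:
            with askpass_file(d, "another-constructed-secret"):
                raise RuntimeError("simulated failure during session init")
        except RuntimeError:
            pass
        print("unscrubbed files:", audit_askpass_dir(d))
```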