[X2go-dev] Password in plain text!?!?!?

Oleksandr Shneyder oleksandr.shneyder at obviously-nice.de
Thu Jul 30 17:20:36 CEST 2009


Alexander.Kuchler at pruftechnik.com wrote:
> 
>> Hello Alexander,
>> x2goclient needs to save the password on disk for sending it to ssh via
>> the SSH_ASKPASS program. Passwords are saved in a protected file directly before
>> initialization of the ssh session and should be deleted immediately after
>> initialization of the ssh connection.
>> You should not see the file with password in your
>> C:\Documents\%User%\.x2go\ssh\
>>
>> I have tested x2go client right now and all I can see in my \.x2go\ssh\
>> folder are several files with XXXXXXXXXXXXXXXXXX.
>>
>> If you can reproduce other behaviour of x2goclient on Windows, you have
>> possibly found a bug in the Windows version of x2goclient. Let me know what
>> you do to see the file with the password and I will try to fix this problem. I will
>> also try to find it by myself.
>>
> I had one file on my own computer
> c:\Documents\%User%\.x2go\ssh\askpass.akk844
> which contained my password in plain text.
> 
> The other files
> c:\Documents\%User%\.x2go\ssh\askpass.* contained only XXXXX
> 
> The worrying thing was: In the morning I tried to log in to the Linux
> machine from the Windows workstation of my colleague to figure out the
> reason for some other strange X2Go client effects. In the afternoon (in
> the meantime he started a few other x2go sessions) he came to me smiling
> and told me my password because the plain text askpass file of my
> session was still on his computer. And he told me he found files with
> his own password, too. Maybe it's not encrypted when anything is going
> wrong during initialisation of the session. But in my point of view this
> should really never happen.
> 
> Yours,
> Alexander

Ok. You are right. I will try to find out why it happens and fix this bug.

Greetings
-- 
Oleksandr Shneyder
Dipl. Informatik
X2go Core Developer Team

email:  oleksandr.shneyder at obviously-nice.de
web: www.obviously-nice.de

--> X2go - everywhere at home
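
Added example, not part of the original thread and not x2goclient code: a Python audit that lists `askpass.*` files in a `.x2go\ssh\` directory whose content is anything other than the `X` filler both posters describe, then overwrites and deletes them. The directory argument, the function names and the sample files are assumptions constructed for illustration.

```python
"""Audit an x2goclient ssh directory for askpass files that were never scrubbed."""
import os
import tempfile
from pathlib import Path


def is_scrubbed(data: bytes) -> bool:
    """True if the file is empty or holds only 'X' filler plus line endings."""
    return data.strip(b"\r\n").strip(b"X") == b""


def find_leftover_secrets(ssh_dir):
    """Return askpass.* paths that are not pure filler. Content is never returned."""
    leftovers = []
    for path in sorted(Path(ssh_dir).glob("askpass.*")):
        if path.is_file() and not is_scrubbed(path.read_bytes()):
            leftovers.append(path)
    return leftovers


def scrub_and_delete(path):
    """Overwrite the file with 'X' of the same length, sync to disk, then remove it."""
    size = path.stat().st_size
    with open(path, "r+b") as fh:
        fh.write(b"X" * size)
        fh.flush()
        os.fsync(fh.fileno())
    path.unlink()


def demo():
    """Constructed sample directory: one scrubbed file, one leftover, one unrelated file."""
    with tempfile.TemporaryDirectory() as d:
        ssh_dir = Path(d)
        (ssh_dir / "askpass.aaa111").write_bytes(b"X" * 18)
        (ssh_dir / "askpass.bbb222").write_bytes(b"constructed-secret\n")
        (ssh_dir / "known_hosts").write_bytes(b"not an askpass file\n")
        leftovers = find_leftover_secrets(ssh_dir)
        found = [p.name for p in leftovers]
        for p in leftovers:
            scrub_and_delete(p)
        remaining = sorted(p.name for p in ssh_dir.iterdir())
        return found, remaining


if __name__ == "__main__":
    print(demo())
```

A password found this way should be treated as exposed and changed; overwriting in place is best effort on journaling filesystems and SSDs.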
