[X2go-dev] Password in plain text!?!?!?

Oleksandr Shneyder oleksandr.shneyder at obviously-nice.de
Fri Jul 31 14:12:09 CEST 2009


Hello list,
I have found the bug described by Alexander.
If x2goclient is terminated during an ssh connection, it cannot
delete/hide the file with the password, and it is possible to read this
password from the file in userhome\.x2go\ssh\. This file is still
inaccessible to users who are not the owner of this file, but in the case
of public access to the machine (especially running Windows) it is possible
that an unauthorized person reads the password from the hard disk.

To fix this bug I made some changes in x2goclient. Now x2goclient works
as an SSH_ASKPASS program. It reads the password from the master application
via a protected local socket. To get the password, the client must send the
master application a 128-bit cookie which is valid for only one password
request. So x2goclient does not need to save the password on disk any more.

You can install x2goclient (qt) 3.0.1-2 for Linux from our repository
right now. You can also download the Windows version from our site in the
evening, or right now using this direct link:
http://x2go.obviously-nice.de/deb/pool-lenny/x2goclient/x2goclient-3.01-2-setup.exe

I will include the same changes in the gtk, maemo and macos clients next week.

Yours sincerely,
-- 
Oleksandr Shneyder
Dipl. Informatik
X2go Core Developer Team

email:  oleksandr.shneyder at obviously-nice.de
web: www.obviously-nice.de

--> X2go - everywhere at home
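
The mechanism described in this message, as an added example that is not part of the original post and is not x2goclient's code: a master process keeps the password in memory and releases it over a local socket only to a helper that presents a 128-bit cookie, and the first request uses the cookie up. A Unix-domain socket in a 0700 directory stands in for the "protected local socket"; the class, function and environment-variable names are assumptions.

```python
import hmac, os, secrets, socket, tempfile, threading

class PasswordBroker:
    """Master side: releases the password to one askpass request, then never again."""

    def __init__(self, password: str):
        self._password = password.encode()
        self._cookie = secrets.token_bytes(16)            # 128-bit one-time cookie
        self._dir = tempfile.mkdtemp(prefix="askpass-")   # mkdtemp creates it mode 0700
        self.path = os.path.join(self._dir, "sock")
        self._srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self._srv.bind(self.path)
        self._srv.listen(4)
        threading.Thread(target=self._serve, daemon=True).start()

    def helper_env(self) -> dict:
        # What the master would export to the helper it launches
        # (variable names are hypothetical, chosen for this example).
        return {"ASKPASS_SOCKET": self.path, "ASKPASS_COOKIE": self._cookie.hex()}

    def _serve(self):
        while True:
            conn, _ = self._srv.accept()
            with conn:
                offered = conn.recv(16)
                # Design choice of this example: the first request, valid or
                # not, consumes the cookie, so it can be neither replayed nor guessed at.
                cookie, self._cookie = self._cookie, None
                if cookie and hmac.compare_digest(offered, cookie):
                    conn.sendall(self._password)
                # Any other request gets an empty reply and a closed socket.

def askpass(env: dict) -> str:
    """Helper side: a real SSH_ASKPASS program would print this value on stdout for ssh."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(env["ASKPASS_SOCKET"])
        s.sendall(bytes.fromhex(env["ASKPASS_COOKIE"]))
        return s.recv(4096).decode()

if __name__ == "__main__":
    broker = PasswordBroker("constructed-sample-password")  # constructed sample value
    env = broker.helper_env()
    print("first request :", repr(askpass(env)))   # password is released
    print("replay        :", repr(askpass(env)))   # cookie already used: empty reply
```

The password exists only in the master's memory and on the socket, so a helper or client that is killed mid-connection leaves nothing on disk to clean up.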
