Dear group,
today I figured out you are saving the password entered during the startup of the session in plain text in C:\Documents\%User%\.x2go\ssh\. And you do not even delete it after closing the session.
You cannot be serious!?
Especially when knowing you are promoting X2Go for schools etc., where different people might access the same terminals, this is not only dangerous but breakneck.
Yours, Alexander
Alexander.Kuchler@pruftechnik.com wrote:
> Dear group,
> today I figured out you are saving the password entered during the startup of the session in plain text in C:\Documents\%User%\.x2go\ssh\. And you do not even delete it after closing the session.
> You cannot be serious!?
> Especially when knowing you are promoting X2Go for schools etc., where different people might access the same terminals, this is not only dangerous but breakneck.
I have searched for passwords, but I did not find them in /home/username/.x2go/ssh/*. Seems to be a Windows-client-specific problem.
With regards, Paul van der Vlis.
Alexander.Kuchler@pruftechnik.com wrote:
> Dear group,
> today I figured out you are saving the password entered during the startup of the session in plain text in C:\Documents\%User%\.x2go\ssh\. And you do not even delete it after closing the session.
> You cannot be serious!?
> Especially when knowing you are promoting X2Go for schools etc., where different people might access the same terminals, this is not only dangerous but breakneck.
> Yours, Alexander
X2go-dev mailing list X2go-dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/x2go-dev
Hello Alexander, x2goclient needs to save the password on disk to send it to ssh via the SSH_ASKPASS program. Passwords are saved in a protected file directly before initialization of the ssh session and should be deleted immediately after initialization of the ssh connection. You should not see the file with the password in your C:\Documents\%User%\.x2go\ssh\
I have tested the x2go client right now and all I can see in my \.x2go\ssh folder are several files with XXXXXXXXXXXXXXXXXX.
If you can reproduce other behaviour of x2goclient on Windows, you have possibly found a bug in the Windows version of x2goclient. Let me know what you do to see the file with the password and I will try to fix this problem. I will also try to find it by myself.
Oleksandr Shneyder Dipl. Informatik X2go Core Developer Team
email: oleksandr.shneyder@obviously-nice.de web: www.obviously-nice.de
--> X2go - everywhere@home
> Hello Alexander, x2goclient needs to save the password on disk to send it to ssh via the SSH_ASKPASS program. Passwords are saved in a protected file directly before initialization of the ssh session and should be deleted immediately after initialization of the ssh connection. You should not see the file with the password in your C:\Documents\%User%\.x2go\ssh\
> I have tested the x2go client right now and all I can see in my \.x2go\ssh folder are several files with XXXXXXXXXXXXXXXXXX.
> If you can reproduce other behaviour of x2goclient on Windows, you have possibly found a bug in the Windows version of x2goclient. Let me know what you do to see the file with the password and I will try to fix this problem. I will also try to find it by myself.
I had one file on my own computer, c:\Documents\%User%\.x2go\ssh\askpass.akk844, which contained my password in plain text.
The other files c:\Documents\%User%\.x2go\ssh\askpass.* contained only XXXXX.
The worrying thing was: in the morning I tried to log in to the Linux machine from the Windows workstation of my colleague to figure out the reason for some other strange X2Go client effects. In the afternoon (in the meantime he had started a few other x2go sessions) he came to me smiling and told me my password, because the plain text askpass file of my session was still on his computer. And he told me he had found files with his own password, too. Maybe it's not encrypted when anything goes wrong during initialisation of the session. But from my point of view this should really never happen.
Yours, Alexander
Alexander.Kuchler@pruftechnik.com wrote:
> > Hello Alexander, x2goclient needs to save the password on disk to send it to ssh via the SSH_ASKPASS program. Passwords are saved in a protected file directly before initialization of the ssh session and should be deleted immediately after initialization of the ssh connection. You should not see the file with the password in your C:\Documents\%User%\.x2go\ssh\
> > I have tested the x2go client right now and all I can see in my \.x2go\ssh folder are several files with XXXXXXXXXXXXXXXXXX.
> > If you can reproduce other behaviour of x2goclient on Windows, you have possibly found a bug in the Windows version of x2goclient. Let me know what you do to see the file with the password and I will try to fix this problem. I will also try to find it by myself.
> I had one file on my own computer, c:\Documents\%User%\.x2go\ssh\askpass.akk844, which contained my password in plain text.
> The other files c:\Documents\%User%\.x2go\ssh\askpass.* contained only XXXXX.
> The worrying thing was: in the morning I tried to log in to the Linux machine from the Windows workstation of my colleague to figure out the reason for some other strange X2Go client effects. In the afternoon (in the meantime he had started a few other x2go sessions) he came to me smiling and told me my password, because the plain text askpass file of my session was still on his computer. And he told me he had found files with his own password, too. Maybe it's not encrypted when anything goes wrong during initialisation of the session. But from my point of view this should really never happen.
> Yours, Alexander
Ok. You are right. I will try to find out why it happens and fix this bug.
Oleksandr Shneyder Dipl. Informatik X2go Core Developer Team
email: oleksandr.shneyder@obviously-nice.de web: www.obviously-nice.de
--> X2go - everywhere@home
Hello list, I have found the bug described by Alexander. If x2goclient is terminated during the ssh connection, it cannot delete/hide the file with the password, and it is possible to read this password from the file in userhome\.x2go\ssh\. This file is still inaccessible for users who are not the owner of this file, but in case of public access to the machine (especially one running Windows) it is possible that an unauthorized person reads the password from the hard disk.
To fix this bug I made some changes in x2goclient. Now x2goclient works as the SSH_ASKPASS program. It reads the password from the master application via a protected local socket. To get the password, the client must send the master application a 128-bit cookie which is valid for only one password request. So x2goclient does not need to save the password on disk any more.
You can install x2goclient (qt) 3.0.1-2 for Linux from our repository right now. You can also download the Windows version from our site this evening, or right now using this direct link: http://x2go.obviously-nice.de/deb/pool-lenny/x2goclient/x2goclient-3.01-2-se...
I will include the same changes in the gtk, maemo and macOS clients next week.
Oleksandr Shneyder Dipl. Informatik X2go Core Developer Team
email: oleksandr.shneyder@obviously-nice.de web: www.obviously-nice.de
--> X2go - everywhere@home
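The socket-and-cookie design Oleksandr describes above, written out as an added Python example; this is not x2goclient's own code, and the environment variable names, socket location and sample password are constructed assumptions. A master process keeps the password in memory only, issues a 128-bit cookie that is valid for exactly one request, and answers over a Unix socket that lives in a directory only its owner can enter; the askpass side presents the cookie and prints the password on stdout the way ssh expects from an SSH_ASKPASS helper. The example also shows the two properties that matter for the bug in this thread: a replayed or forged cookie gets nothing, and no regular file ever appears on disk, so a client killed mid-connection leaves nothing readable behind. The Unix socket requires a POSIX host.

```python
import os
import secrets
import socket
import sys
import tempfile
import threading

# Hypothetical environment variable names for the askpass helper; the real
# x2goclient names are not given in the thread.
SOCK_ENV = "X2GO_ASKPASS_SOCK"
COOKIE_ENV = "X2GO_ASKPASS_COOKIE"


class PasswordBroker:
    """Master-application side: keeps the password in memory only and
    releases it over a permission-protected local socket, once per cookie."""

    def __init__(self, password):
        self._password = password
        self._cookies = set()
        self._lock = threading.Lock()
        self._stop = False
        # mkdtemp creates the directory with mode 0700, so only the owner
        # can even reach the socket node inside it (the "protected" socket).
        self.directory = tempfile.mkdtemp(prefix="askpass-")
        self.sock_path = os.path.join(self.directory, "askpass.sock")
        self._srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self._srv.bind(self.sock_path)
        os.chmod(self.sock_path, 0o600)
        self._srv.listen(4)
        self._srv.settimeout(0.2)  # lets the serving thread notice close()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def issue_cookie(self):
        """128-bit random cookie, valid for exactly one password request."""
        cookie = secrets.token_hex(16)
        with self._lock:
            self._cookies.add(cookie)
        return cookie

    def _redeem(self, cookie):
        # Invalidate the cookie *before* releasing the password, so a second
        # request carrying the same cookie can never succeed.
        with self._lock:
            if cookie in self._cookies:
                self._cookies.discard(cookie)
                return self._password
        return None

    def _serve(self):
        while not self._stop:
            try:
                conn, _ = self._srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                cookie = conn.recv(64).decode("ascii", "replace").strip()
                password = self._redeem(cookie)
                if password is not None:
                    conn.sendall(password.encode() + b"\n")
                # A denied request gets an empty reply and a closed connection.

    def files_on_disk(self):
        """Regular files under the broker directory; must always be empty."""
        return [n for n in os.listdir(self.directory)
                if os.path.isfile(os.path.join(self.directory, n))]

    def close(self):
        self._stop = True
        self._thread.join()
        self._srv.close()
        os.unlink(self.sock_path)
        os.rmdir(self.directory)


def askpass_client(sock_path, cookie):
    """SSH_ASKPASS side: present the cookie, receive the password or None."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(cookie.encode("ascii") + b"\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    reply = b"".join(chunks).decode()
    return reply.rstrip("\n") if reply else None


def demo():
    """Run the exchange end to end and return the observable outcomes."""
    broker = PasswordBroker("constructed-sample-password")  # constructed value
    try:
        cookie = broker.issue_cookie()
        first = askpass_client(broker.sock_path, cookie)   # the password
        replay = askpass_client(broker.sock_path, cookie)  # None: cookie spent
        forged = askpass_client(broker.sock_path, secrets.token_hex(16))  # None
        leftovers = broker.files_on_disk()                 # []
    finally:
        broker.close()
    return first, replay, forged, leftovers


if __name__ == "__main__":
    if SOCK_ENV in os.environ and COOKIE_ENV in os.environ:
        # Invoked by ssh as the SSH_ASKPASS program: print the password.
        pw = askpass_client(os.environ[SOCK_ENV], os.environ[COOKIE_ENV])
        if pw is None:
            sys.exit(1)
        print(pw)
    else:
        print(demo())
```

In real use the master would set SSH_ASKPASS to this script, export the socket path and a freshly issued cookie into the child's environment, and start ssh without a controlling terminal so it consults the helper; since the cookie is discarded before the password is written to the socket, even a second process that obtained the same cookie cannot retrieve it.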
Hello list, as I have promised, the new x2goclient-gtk and x2goclient for maemo are available in our repository. You can also download the new x2goclient for Mac: http://x2go.obviously-nice.de/deb/pool-lenny/x2goclient/x2goclient-3.01-2.dm...
Greetings,
Alex
Oleksandr Shneyder wrote:
> Hello list, I have found the bug described by Alexander. If x2goclient is terminated during the ssh connection, it cannot delete/hide the file with the password, and it is possible to read this password from the file in userhome\.x2go\ssh\. This file is still inaccessible for users who are not the owner of this file, but in case of public access to the machine (especially one running Windows) it is possible that an unauthorized person reads the password from the hard disk.
> To fix this bug I made some changes in x2goclient. Now x2goclient works as the SSH_ASKPASS program. It reads the password from the master application via a protected local socket. To get the password, the client must send the master application a 128-bit cookie which is valid for only one password request. So x2goclient does not need to save the password on disk any more.
> You can install x2goclient (qt) 3.0.1-2 for Linux from our repository right now. You can also download the Windows version from our site this evening, or right now using this direct link: http://x2go.obviously-nice.de/deb/pool-lenny/x2goclient/x2goclient-3.01-2-se...
> I will include the same changes in the gtk, maemo and macOS clients next week.
> Yours sincerely,
-- Oleksandr Shneyder Dipl. Informatik X2go Core Developer Team
email: oleksandr.shneyder@obviously-nice.de web: www.obviously-nice.de
--> X2go - everywhere@home