[X2go-dev] Password in plain text!?!?!?

Oleksandr Shneyder oleksandr.shneyder at obviously-nice.de
Tue Aug 4 14:21:48 CEST 2009 

Hello list,
As I have promised, new x2goclien-gtk and x2goclient for maemo are
available in our repository. You can also download new x2goclient for mac:
http://x2go.obviously-nice.de/deb/pool-lenny/x2goclient/x2goclient-3.01-2.dmg.zip

Greetings,

Alex

Oleksandr Shneyder schrieb:
> Hello list,
> I have found the bug described by Alexander.
> If x2goclient will terminated during ssh connection, it can not
> delete/hide file with password and it is possible to read this password
> from file in userhome\.x2go\ssh\. This file is still inaccessible for
> users that are not owner of this file, but in case of public access to
> machine (especially running windows) it is possible that unauthorized
> person read password from hard disk.
> 
> To fix this bug I made some changes in x2goclient. Now x2goclient work
> as SSH_ASKPASS program. It read password from master application via
> protected local socket. To get password client must send to master
> application 128-bit cookie which is valid for only one password request.
> So, x2goclient not need to save password on disk any more.
> 
> You can install x2goclient (qt) 3.0.1-2 for linux from our repository
> right now. You can also download Windows version form our site at
> evening or right now using this direct link:
> http://x2go.obviously-nice.de/deb/pool-lenny/x2goclient/x2goclient-3.01-2-setup.exe
> 
> I will include the same changes in gtk,maemo and macos clients next week.
> 
> Yours sincerely,
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> X2go-dev mailing list
> X2go-dev at lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/x2go-dev


-- 
Oleksandr Shneyder
Dipl. Informatik
X2go Core Developer Team

email:  oleksandr.shneyder at obviously-nice.de
web: www.obviously-nice.de

--> X2go - everywhere at home

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 260 bytes
Desc: OpenPGP digital signature
URL: <http://lists.x2go.org/pipermail/x2go-dev/attachments/20090804/654fc21e/attachment.pgp>

More information about the x2go-dev mailing list