[X2go-dev] Password in plain text!?!?!?
Oleksandr Shneyder
oleksandr.shneyder at obviously-nice.de
Thu Jul 30 16:34:41 CEST 2009
Alexander.Kuchler at pruftechnik.com wrote:
>
> Dear group,
>
> today I figured out you are saving the password entered during the
> startup of the session in plain text in C:\Documents\%User%\.x2go\ssh\.
> And you do not even delete it after closing the session.
>
> You can not be serious!?
>
> Especially when knowing you are promoting X2Go for schools etc. where
> different people might access the same terminals this is not only
> dangerous but breakneck.
>
> Yours,
> Alexander
>
Hello Alexander,
x2goclient needs to save the password on disk in order to send it to ssh
via the SSH_ASKPASS program. Passwords are saved in a protected file
directly before initialization of the ssh session and should be deleted
immediately after initialization of the ssh connection.
You should not see the file with the password in your
C:\Documents\%User%\.x2go\ssh\
I have tested the x2go client right now and all I can see in my \.x2go\ssh\
folder are several files with XXXXXXXXXXXXXXXXXX.
If you can reproduce other behaviour of x2goclient on Windows, you have
possibly found a bug in the Windows version of x2goclient. Let me know what
you do to see the file with the password and I will try to fix this problem.
I will also try to find it myself.
Greetings
--
Oleksandr Shneyder
Dipl. Informatik
X2go Core Developer Team
email: oleksandr.shneyder at obviously-nice.de
web: www.obviously-nice.de
--> X2go - everywhere at home
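
The handoff described in the reply above (password written to a protected file just before ssh starts, removed right after), together with a check for files left behind, as an added example that is not part of the original post and is not x2goclient's code. The function names, the `askpass-` prefix and the `read_secret` stand-in for the SSH_ASKPASS helper are assumptions.

```python
import os
import stat
import tempfile


def hand_off_password(password, directory, consumer):
    """Write the password to an owner-only file, pass its path to consumer,
    and remove the file even if consumer raises."""
    # mkstemp creates the file with mode 0600 and an unpredictable name.
    fd, path = tempfile.mkstemp(prefix="askpass-", dir=directory)
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(password)
        return consumer(path)
    finally:
        # Cleanup runs on success and on exception alike.
        if os.path.exists(path):
            os.remove(path)


def audit_leftovers(directory):
    """Return (name, readable_by_others) for every regular file still present.
    The mode-bit check is meaningful on POSIX; on Windows inspect ACLs instead."""
    findings = []
    for entry in sorted(os.scandir(directory), key=lambda e: e.name):
        if entry.is_file(follow_symlinks=False):
            mode = entry.stat(follow_symlinks=False).st_mode
            exposed = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
            findings.append((entry.name, exposed))
    return findings


def read_secret(path):
    # Hypothetical stand-in for the askpass helper: reads the secret back.
    with open(path) as handle:
        return handle.read()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as session_dir:
        # Constructed test password, not a real credential.
        hand_off_password("constructed-test-password", session_dir, read_secret)
        print(audit_leftovers(session_dir))
```

Run `audit_leftovers` against the session directory after the client has closed: any entry it returns is a file that outlived the session.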