[X2Go-Dev] Bug#30: http broker client in X2Go Client: setpass task does not require old password
Mike Gabriel
mike.gabriel at das-netzwerkteam.de
Sun Sep 16 09:49:29 CEST 2012
Package: x2goclient
Severity: important
Version: 3.99.3.0-prerelease
Hi Alex,
The current implementation of the http session broker code in X2Go
Client has a task called setpass.
From reading the code of the example session broker you sent me some
weeks ago and from looking at the X2Go Client code in
httpbrokerclient.cpp you do not request the user to enter his old
password before changing it to a new password.
From my perspective this is a no-go feature and it should be changed
to something that also PAM and other passwd tools would do. Request
the old passwd, set the new password (twice on the GUI).
Even if there is an authentication happening prior to changing the
password, the old password should be queried again, before a password
change is possible.
With x2gobroker in Git, I I would like to work in this direction and
we will need an adaptation in X2Go Client sooner or later, I guess.
Greets,
Mike
--
DAS-NETZWERKTEAM
mike gabriel, rothenstein 5, 24214 neudorf-bornstein
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digitale PGP-Unterschrift
URL: <http://lists.x2go.org/pipermail/x2go-dev/attachments/20120916/33b0e9b0/attachment.pgp>
More information about the x2go-dev
mailing list