| Summary: | krfb writes uninvitedConnectionPassword to config in plaintext | ||
|---|---|---|---|
| Product: | [Applications] krfb | Reporter: | Bernard Gray <bernard.gray> |
| Component: | general | Assignee: | George Goldberg <grundleborg> |
| Status: | RESOLVED FIXED | ||
| Severity: | major | CC: | alexey.min, amichai2, L.Bonnaud |
| Priority: | NOR | ||
| Version First Reported In: | 17.12.3 | ||
| Target Milestone: | --- | ||
| Platform: | Ubuntu | ||
| OS: | Linux | ||
| Latest Commit: | Version Fixed/Implemented In: | ||
| Sentry Crash Report: | |||
This problem still exists in recent krfb versions (17.12). The uninvited password is now stored in ~/.vnc/passwd. Passwords are stored in kwallet since.. long ago
The uninvitedConnectionsPassword is written to ~/.kde/share/config/krfbrc in plaintext

Reproducible: Always

Steps to Reproduce:
1. In krfb, go to Settings -> Configure Desktop Sharing
2. Check the box "Allow uninvited connections"
3. Enter a password in the "Uninvited connections password" field, and click Apply
4. In a terminal, grep uninvited ~/.kde/share/config/krfbrc

Actual Results:
Recover your password by reading it directly from the file (convenient!) ;-)

Expected Results:
The password should be stored in an encrypted form, similar to the [Invitation_N] password= config option

```
~$ cat ./.kde/share/config/krfbrc
[Invitation_0]
creation=2014,10,28,10,9,31
expiration=2014,10,28,11,9,31
password=ᅳᄃᄡ↓→│ᅨ

[Invitations]
invitation_num=1

[MainWindow]
State=AAAA/wAAAAD9AAAAAAAAAiYAAAEhAAAABAAAAAQAAAAIAAAACPwAAAAA
ToolBarsMovable=Disabled

[Security]
allowUninvitedConnections=true
askOnConnect=false
uninvitedConnectionPassword=plaintextPassword!
```
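The check from step 4 of the report, as an added example (not code from the report or from krfb): it reads a krfbrc-style file, flags a non-empty `uninvitedConnectionPassword` under `[Security]` without echoing the value, and notes when the file mode lets other local accounts read it. The function names, the constructed sample file, and the rule that any non-empty value counts as cleartext are assumptions of this example.

```python
import os
import stat
import tempfile

# Group/key pair as it appears in the report's krfbrc dump.
PLAINTEXT_KEYS = {("Security", "uninvitedConnectionPassword")}

def parse_kconfig(text):
    """Minimal KConfig/INI reader returning {(group, key): value}."""
    entries, group = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
        elif "=" in line:
            key, value = line.split("=", 1)
            entries[(group, key.strip())] = value
    return entries

def audit_krfbrc(path):
    """Return findings; assumes (per the report) a non-empty value is cleartext."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        entries = parse_kconfig(fh.read())
    findings = [f"[{group}] {key} is stored as a readable value"
                for group, key in sorted(PLAINTEXT_KEYS)
                if entries.get((group, key))]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if findings and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"file mode {mode:04o} lets other local accounts read it")
    return findings

# Constructed sample modelled on the [Security] group in the report.
SAMPLE = """[Security]
allowUninvitedConnections=true
askOnConnect=false
uninvitedConnectionPassword=constructed-example
"""

def audit_sample(mode):
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "krfbrc")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, mode)
        return audit_krfbrc(path)

if __name__ == "__main__":
    print("\n".join(audit_sample(0o644)))
```

Tightening the mode to 0600 removes only the second finding; the first remains until the password is no longer written to the file in readable form.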