Bug 386042

Summary: Only one attempt to enter correct password; it will not be asked a second time
Product: [Frameworks and Libraries] frameworks-kio Reporter: Enrico Tagliavini <enrico.tagliavini>
Component: generalAssignee: KIO Bugs <kio-bugs-null>
Status: CONFIRMED ---    
Severity: normal CC: a.samirh78, elvis.angelaccio, frambooisier, jan.rathmann, kapsh, kdelibs-bugs, nate, simonandric5, vkrause
Priority: NOR    
Version: 5.38.0   
Target Milestone: ---   
Platform: Other   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Enrico Tagliavini 2017-10-21 21:38:59 UTC 
When trying to access my nextcloud instance via webdavs URL in dolphin I have only one change to put the correct password in. If I don't put it in right the first time password will never be asked again.

From the nextcloud logs I can see dolphin flooding authentication requests, failing because the password is wrong. Eventually this is detected as a brute force by nextcloud.

Given I have a fairly long password (24+ chars) and I'm a quite terrible write this happens often. Only way to get back in is to reboot the computer so I'm asked again for the password.

Even using webdavs://user:password@host.tld/ works after the failed first attempt.

Steps to reproduce:
1. try to access a Nextcloud (or equivalent) instance via "webdavs://host.tld/nextcloud/remote.php/webdav/"
2. when asked for username and password put the wrong password in
3. observe nothing happens. Page stays empty, not login failure message is shown, password is not asked again
4. attempt again, from another dolphin window or from a file open dialogue in kwrite, or any other application. Nothing will work
Comment 1 Enrico Tagliavini 2017-10-21 21:40:05 UTC 
This is on Fedora 26, Plasma 5.10.5, dolphin 17.04
Comment 2 Elvis Angelaccio 2017-11-17 12:17:15 UTC 
Confirmed. There is a workaround though, run 'kquitapp5 kiod5'. This will kill the kpasswdserver module which is responsible for the authentication.
Comment 3 Jan Rathmann 2021-06-27 07:50:47 UTC 
There is another problem with this behaviour: Even if you entered the correct password, there may be usecases where you want Plasma/KIO to discard the password you have entered for the network share to effectively terminate the connection and require the password to be entered again on further access.

This would not be a problem if there was a GUI option in Dolphin or FileDialog to explicity disconnect/terminate a KIO network connection, but there isn't any, as I'm aware of.

And it seems a bit confusing to me that KIO doesn't respect the settings for Kwallet under Systemsettings -> KDE password storage. Even if I have disabled KWallet completely, passwords for network shares are stored/not asked again until I log out of the session or do 'kquitapp5 kiod5'. It would seem more intuitive to me that if e.g. storing passwords with KWallet is disabled, passwords for network shares would be discarded when the application that accessed the share (e.g. Dolphin) is closed.

Allthough the issue of not asking for wrong passwords again and the issue of not offering an "easy" way to discard entered passwords during the session seem to be related to the same underlying problem (-> how this is currently handled by KIO), I wondered if it would make sense to open a separate report for the latter case?
Comment 4 Flap 2021-09-17 15:59:28 UTC 
(In reply to Elvis Angelaccio from comment #2)
> Confirmed. There is a workaround though, run 'kquitapp5 kiod5'. This will
> kill the kpasswdserver module which is responsible for the authentication.

Thanks for the tip. I also confirm that the bug still exists on OpenSuse Tumbleweed build 20210913.