Bug 340415 - krfb writes uninvitedConnectionPassword to config in plaintext
Status: RESOLVED FIXED
Alias: None
Product: krfb
Classification: Applications
Component: general
Version: 17.12.3
Platform: Ubuntu Linux
Importance: NOR major
Target Milestone: ---
Assignee: George Goldberg
Reported: 2014-10-27 23:41 UTC by Bernard Gray
Modified: 2020-08-26 15:56 UTC

Description Bernard Gray 2014-10-27 23:41:45 UTC
The uninvitedConnectionsPassword is written to ~/.kde/share/config/krfbrc in plaintext

Reproducible: Always

Steps to Reproduce:
1. In krfb, go to Settings -> Configure Desktop Sharing
2. Check the box "Allow uninvited connections"
3. Enter a password in the "Uninvited connections password" field, and click Apply
4. In a terminal, grep uninvited ~/.kde/share/config/krfbrc


Actual Results:  
Recover your password by reading it directly from the file (convenient!) ;-)

Expected Results:  
The password should be stored in an encrypted form, similar to the [Invitation_N] password= config option

~$ cat ./.kde/share/config/krfbrc
[Invitation_0]
creation=2014,10,28,10,9,31
expiration=2014,10,28,11,9,31
password=ᅳᄃᄡ↓￲→│ᅨ

[Invitations]
invitation_num=1

[MainWindow]
State=AAAA/wAAAAD9AAAAAAAAAiYAAAEhAAAABAAAAAQAAAAIAAAACPwAAAAA
ToolBarsMovable=Disabled

[Security]
allowUninvitedConnections=true
askOnConnect=false
uninvitedConnectionPassword=plaintextPassword!
Comment 1 Laurent Bonnaud 2018-05-12 12:12:57 UTC
This problem still exists in recent krfb versions (17.12).  The uninvited password is now stored in ~/.vnc/passwd .
Comment 2 Alexey Min 2020-08-26 15:56:27 UTC
Passwords are stored in kwallet since... long ago
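
Added example, not part of the bug report and not krfb code: a POSIX shell check for the condition the report describes, a non-empty uninvitedConnectionPassword under [Security] in a krfbrc-style file, which also notes when that file is readable by group or others. The function names and the sample file contents are constructed for illustration; the key and section names are the ones shown in the report.

```shell
#!/bin/sh
# Added example, not krfb code: flag a cleartext uninvited-connection password
# audit_krfbrc FILE -> 0 clean, 1 findings printed, 2 file unreadable
audit_krfbrc() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    findings=$(awk '
        /^[ \t]*\[.*\][ \t]*$/ {                 # section header
            sec = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
            next
        }
        sec == "Security" && /^uninvitedConnectionPassword[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (val != "")                       # never echo the secret itself
                printf "line %d: uninvitedConnectionPassword stored in the file (value withheld)\n", NR
        }' "$file")
    # A group- or world-readable file widens who can read the secret.
    if [ -n "$findings" ] &&
       [ -n "$(find "$file" -prune \( -perm -040 -o -perm -004 \))" ]; then
        findings="$findings
mode: file is readable by group or others"
    fi
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample mirroring the [Security] section in the report.
demo() {
    tmp=$(mktemp) || return 2
    cat > "$tmp" <<'EOF'
[Invitations]
invitation_num=1

[Security]
allowUninvitedConnections=true
askOnConnect=false
uninvitedConnectionPassword=constructed-sample-value
EOF
    chmod 644 "$tmp"
    audit_krfbrc "$tmp" && rc=0 || rc=$?
    rm -f "$tmp"
    return "$rc"
}
demo || true
```

To check a real profile, call audit_krfbrc with the path from the report, ~/.kde/share/config/krfbrc; a return status of 0 means no password value was found in the [Security] section.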