Bug tracker and wiki

This bug tracker and wiki are being discontinued; please use https://github.com/Xpra-org/xpra instead.


Opened 5 months ago

Closed 5 months ago

Last modified 4 months ago

#2973 closed defect (fixed)

DEBUG=auth writes password to logs in cleartext

Reported by: goekce
Owned by: goekce
Priority: minor
Milestone: 4.1
Component: server
Version: trunk
Keywords:
Cc:

Description (last modified by goekce)

Steps:

1) activate DEBUG=auth in /etc/default/xpra
2) start proxy: sudo systemctl start xpra
3) log in using connect.html
4) journalctl -u xpra: you will see your password in cleartext

Is this a feature or a bug?

---

Note: To clear all your logs (and not only the archived ones):

1) sudo journalctl --rotate -u xpra # archives all the logs
2) sudo journalctl --vacuum-time=1s -u xpra

Change History (5)

comment:1 Changed 5 months ago by goekce

Description: modified (diff)

comment:2 Changed 5 months ago by Antoine Martin

Owner: changed from Antoine Martin to goekce

What is the exact log message containing the password?

comment:3 Changed 5 months ago by goekce

authenticator[0]=PAM, requires-challenge=True, challenge-sent=True
combined salt(...)
authenticate_check(************, '...') xor('...')=b'...cleartextpassword...'

comment:4 Changed 5 months ago by Antoine Martin

Resolution: fixed
Status: new → closed

This debug line was added in r18695 at the same time as kerberos and gss auth modules.
r28118 removes the password from the output.
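
The class of bug discussed in this ticket, as an added example that is not xpra's code and not the change made in r28118: a debug line that prints the result of an XOR challenge check next to a version that logs only sizes. It assumes the client sends the password XORed with a salt, as the log line in comment 3 suggests; all function names, the log format and the sample password are constructed for illustration.

```python
import hmac
import io
import logging
import os

def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length values."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))

def check_leaky(log, response: bytes, salt: bytes, expected: bytes) -> bool:
    """'Before': the debug line prints the value recovered from the response."""
    value = xor(response, salt)
    log.debug("authenticate_check(...) xor(%r)=%r", salt, value)
    return hmac.compare_digest(value, expected)

def check_redacted(log, response: bytes, salt: bytes, expected: bytes) -> bool:
    """'After': log sizes only. Logging response and salt together would
    be as bad as logging the password, since XORing them recovers it."""
    value = xor(response, salt)
    log.debug("authenticate_check(response: %i bytes) xor(salt: %i bytes)"
              "=<%i bytes, redacted>", len(response), len(salt), len(value))
    return hmac.compare_digest(value, expected)

def captured_debug(check, password: bytes):
    """Run `check` with DEBUG logging on; return (result, captured log text)."""
    buf = io.StringIO()
    log = logging.getLogger("auth-demo." + check.__name__)
    log.setLevel(logging.DEBUG)
    log.propagate = False              # keep the demo output off the root logger
    handler = logging.StreamHandler(buf)
    log.addHandler(handler)
    try:
        salt = os.urandom(len(password))
        response = xor(password, salt)  # what the client would send
        ok = check(log, response, salt, password)
    finally:
        log.removeHandler(handler)
    return ok, buf.getvalue()

if __name__ == "__main__":
    pw = b"constructed-passw0rd"        # constructed sample, not a real secret
    for fn in (check_leaky, check_redacted):
        ok, text = captured_debug(fn, pw)
        print(fn.__name__, ok, "LEAK" if pw.decode() in text else "clean")
```

The same capture-and-assert pattern works as a regression test: enable the debug category, run one authentication, and fail the build if the test credential appears anywhere in the captured output.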

comment:5 Changed 4 months ago by migration script

this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/2973
