X2Go Bug report logs - #30
http broker client in X2Go Client: setpass task does not require old password

version graph

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Date: Sun, 16 Sep 2012 08:03:01 UTC

Severity: important

Found in version 3.99.3.0-prerelease

Full log


🔗 View this message in rfc822 format

X-Loop: git-admin@x2go.org
Subject: Bug#30: http broker client in X2Go Client: setpass task does not require old password
Reply-To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 30@bugs.x2go.org
Resent-From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Resent-To: x2go-dev@lists.berlios.de
Resent-CC: X2Go Developers <x2go-dev@lists.berlios.de>
X-Loop: git-admin@x2go.org
Resent-Date: Sun, 16 Sep 2012 08:03:01 +0000
Resent-Message-ID: <handler.30.B.1347781770674@bugs.x2go.org>
Resent-Sender: git-admin@x2go.org
X-X2Go-PR-Message: report 30
X-X2Go-PR-Package: x2goclient
X-X2Go-PR-Keywords: 
Received: via spool by submit@bugs.x2go.org id=B.1347781770674
          (code B); Sun, 16 Sep 2012 08:03:01 +0000
Received: (at submit) by bugs.x2go.org; 16 Sep 2012 07:49:30 +0000
Received: from freya.das-netzwerkteam.de (freya.das-netzwerkteam.de [88.198.48.199])
	by ymir (Postfix) with ESMTPS id 7D5FB5DB34
	for <submit@bugs.x2go.org>; Sun, 16 Sep 2012 09:49:30 +0200 (CEST)
Received: from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [78.46.204.98])
	by freya.das-netzwerkteam.de (Postfix) with ESMTPS id 31ABAC05
	for <submit@bugs.x2go.org>; Sun, 16 Sep 2012 09:49:30 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 013AC3BB3F
	for <submit@bugs.x2go.org>; Sun, 16 Sep 2012 09:49:29 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de
Received: from grimnir.das-netzwerkteam.de ([127.0.0.1])
	by localhost (grimnir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id KRVNPCOG+XBf for <submit@bugs.x2go.org>;
	Sun, 16 Sep 2012 09:49:29 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id CC01F3BC02
	for <submit@bugs.x2go.org>; Sun, 16 Sep 2012 09:49:29 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id A76BF3BB3F
	for <submit@bugs.x2go.org>; Sun, 16 Sep 2012 09:49:29 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	grimnir.das-netzwerkteam.de
X-Spam-Flag: NO
X-Spam-Status: No, hits=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00
	autolearn=ham version=3.3.1 running as userid=
X-Spam-Level: 
X-Spam-Bayes-Score: 0.0000
Received: by grimnir.das-netzwerkteam.de (Postfix, from userid 33)
	id 434CC3BC02; Sun, 16 Sep 2012 09:49:29 +0200 (CEST)
Received: from 29-141-142-46.pool.kielnet.net
 (29-141-142-46.pool.kielnet.net [46.142.141.29]) by
 mail.das-netzwerkteam.de (Horde Framework) with HTTP; Sun, 16 Sep 2012
 09:49:29 +0200
Message-ID: <20120916094929.12371k8sl5num3d5@mail.das-netzwerkteam.de>
X-Priority: 3 (Normal)
Date: Sun, 16 Sep 2012 09:49:29 +0200
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: submit@bugs.x2go.org
MIME-Version: 1.0
Content-Type: multipart/signed;
 boundary="=_1hjy0ln4lvux";
 protocol="application/pgp-signature";
 micalg="pgp-sha1"
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.3.4)
[Message part 1 (text/plain, inline)]
Package: x2goclient
Severity: important
Version: 3.99.3.0-prerelease

Hi Alex,

The current implementation of the http session broker code in X2Go  
Client has a task called setpass.

From reading the code of the example session broker you sent me some  
weeks ago and from looking at the X2Go Client code in  
httpbrokerclient.cpp you do not request the user to enter his old  
password before changing it to a new password.

From my perspective this is a no-go feature and it should be changed  
to something that also PAM and other passwd tools would do. Request  
the old passwd, set the new password (twice on the GUI).

Even if there is an authentication happening prior to changing the  
password, the old password should be queried again, before a password  
change is possible.

With x2gobroker in Git, I I would like to work in this direction and  
we will need an adaptation in X2Go Client sooner or later, I guess.

Greets,
Mike

-- 

DAS-NETZWERKTEAM
mike gabriel, rothenstein 5, 24214 neudorf-bornstein
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-signature, inline)]

Send a report that this bug log contains spam.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Sun Apr 21 04:20:26 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.