Bug#801757: Pinentry displays password while typing
After finding the setting that is the real source of the problem, I tracked that file down. I took it very long ago from an existing Debian system and tweaked the parameter about gtk-recent-files-enabled and one or the other. Unfortunately the change in pinentry that caused the problem was unseen.

As I expect that the change will be kept, I propose a warning in the NEWS file about it so admins are aware of possible upcoming problems. Another solution would, of course, be to revert that change.

Regards
   Klaus

Ps. Forgotten Cc to bts

--
Klaus Ethgen                              http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
Bug#801757: Pinentry displays password while typing
Hi,

Daniel Kahn Gillmor wrote:
> > In the newest version, pinentry is displaying the password when typing. (It is
> > displaying the last letter, but an observer can easily read the password.)
>
> i'm not seeing this behavior at all. I'm using pinentry-gtk2 0.9.6-2,
> and libgtk2.0-0 2.24.28-1, just like you are. The password entry field
> i see is just dots, no characters.

JFTR: I can't reproduce it either, running pinentry-gtk-2 on Sid (same versions as above) in an amd64 Xen VM via SSH X forwarding to a Jessie amd64 box.

> To start with, can you reproduce it from the command line, by invoking
> "pinentry-gtk-2" directly, and then after it says "OK Pleased to meet
> you", type "GETPIN" and hit enter.

Thanks for that howto! Tried to figure that out myself, but didn't find the proper documentation. (Didn't look for long either, though.)

Regards, Axel
--
,''`.  |  Axel Beckert, http://people.debian.org/~abe/
: :' : |  Debian Developer, ftp.ch.debian.org Admin
`. `'  |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-   |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
Bug#801757: Pinentry displays password while typing
Hi,

On Thu, 15 Oct 2015 at 21:56, Daniel Kahn Gillmor wrote:
> On Wed 2015-10-14 05:14:11 -0400, Klaus Ethgen wrote:
> > Package: pinentry-gtk2
> > Version: 0.9.6-2
> > In the newest version, pinentry is displaying the password when typing. (It is
> > displaying the last letter, but an observer can easily read the password.)
>
> i'm not seeing this behavior at all. I'm using pinentry-gtk2 0.9.6-2,
> and libgtk2.0-0 2.24.28-1, just like you are. The password entry field
> i see is just dots, no characters.
>
> Could you try to reproduce it simply and help me to reproduce it?
>
> To start with, can you reproduce it from the command line, by invoking
> "pinentry-gtk-2" directly, and then after it says "OK Pleased to meet
> you", type "GETPIN" and hit enter.
>
> Does the prompting still show the text for you?

Yes, it does.

> > Please revert that recent change back to the secure way of just
> > displaying dots.
>
> I'm unaware of such a change, please help me track it down! :)
>
> the main recent change is that pinentry now relies on the underlying
> toolkit's password-entry widget. is it possible that you have some
> unusual settings for your gtk.Entry widgets in general when they're in
> password mode?
>
> can you try it from a new/clean user account on your machine? can you
> try it from another machine with the same version installed?

Yes, the same. I created a completely fresh user and saw the same result. And I have the same on all of my machines that run Debian sid. (I have no desktop not running sid, but the problem just occurred recently.) And I heard from others that they also experienced that problem.

Maybe that gtk.Entry stuff is not secure to use. I am not aware what exactly the recent change did.

Regards
   Klaus

--
Klaus Ethgen                              http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
Bug#801757: Pinentry displays password while typing
On Thu, 15 Oct 2015 at 21:56, Daniel Kahn Gillmor wrote:
> I'm unaware of such a change, please help me track it down! :)
>
> the main recent change is that pinentry now relies on the underlying
> toolkit's password-entry widget. is it possible that you have some
> unusual settings for your gtk.Entry widgets in general when they're in
> password mode?

Exactly that is the case. For some reason I have /etc/gtk-2.0/gtkrc with "gtk-entry-password-hint-timeout = 600". After removing that it is fine.

I usually do not use GNOME stuff for highly secure stuff, so that was fine until now. But with the change of pinentry to use that widget, there is a big problem with that.

FYI, my current content of that file:

    gtk-key-theme-name = "Emacs"
    gtk-can-change-accels = 1
    gtk-entry-select-on-focus = 0
    gtk-entry-password-hint-timeout = 600
    gtk-recent-files-enabled = 0

I'm still not sure if a switch to that widget is the best move.

Regards
   Klaus

--
Klaus Ethgen                              http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
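A defender-side check for the root cause Klaus identifies above, added here as an example and not part of the bug report or the pinentry project: a small POSIX shell script that flags GTK2 rc files whose gtk-entry-password-hint-timeout is non-zero. /etc/gtk-2.0/gtkrc is the file from the report; ~/.gtkrc-2.0 and the GTK2_RC_FILES variable are assumed standard GTK2 lookup locations.

```shell
#!/bin/sh
# Added example, not code from the bug report: find GTK2 rc files that set
# gtk-entry-password-hint-timeout to a non-zero value. With such a setting
# every GTK2 password entry, and therefore pinentry-gtk-2 once it switched to
# the toolkit widget, echoes the last typed character for that many
# milliseconds; 0 (the default) keeps the entry as dots only.

# Usage: check_gtkrc_hint_timeout FILE
# Prints "FILE:VALUE" and returns 1 when FILE sets a non-zero timeout;
# returns 0 when the file is missing, does not set it, or sets it to 0.
# The last assignment in the file wins, as it does for GTK itself, and
# commented-out lines are ignored. Quoted values ("600") are accepted.
check_gtkrc_hint_timeout() {
    file="$1"
    [ -r "$file" ] || return 0
    value=$(sed -n \
        's/^[[:space:]]*gtk-entry-password-hint-timeout[[:space:]]*=[[:space:]]*"\{0,1\}\([0-9][0-9]*\)"\{0,1\}.*/\1/p' \
        "$file" | tail -n 1)
    case "$value" in
        ''|0) return 0 ;;
        *) printf '%s:%s\n' "$file" "$value"; return 1 ;;
    esac
}

# Usage: scan_gtkrc_locations
# Checks the system-wide file from the report plus the per-user file
# (assumed standard GTK2 locations) and, when set, the colon-separated
# files in GTK2_RC_FILES. Returns 1 if any of them leaks.
scan_gtkrc_locations() {
    status=0
    for f in /etc/gtk-2.0/gtkrc "$HOME/.gtkrc-2.0"; do
        check_gtkrc_hint_timeout "$f" || status=1
    done
    if [ -n "$GTK2_RC_FILES" ]; then
        oldifs=$IFS; IFS=:
        for f in $GTK2_RC_FILES; do
            check_gtkrc_hint_timeout "$f" || status=1
        done
        IFS=$oldifs
    fi
    return $status
}

# Run the scan when executed directly (the functions can also be sourced).
if scan_gtkrc_locations; then
    echo "no leaking gtk-entry-password-hint-timeout found"
fi
```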
Bug#801757: Pinentry displays password while typing
Control: tags 801757 + moreinfo unreproducible

On Wed 2015-10-14 05:14:11 -0400, Klaus Ethgen wrote:
> Package: pinentry-gtk2
> Version: 0.9.6-2
> In the newest version, pinentry is displaying the password when typing. (It is
> displaying the last letter, but an observer can easily read the password.)

i'm not seeing this behavior at all. I'm using pinentry-gtk2 0.9.6-2, and libgtk2.0-0 2.24.28-1, just like you are. The password entry field i see is just dots, no characters.

Could you try to reproduce it simply and help me to reproduce it?

To start with, can you reproduce it from the command line, by invoking "pinentry-gtk-2" directly, and then after it says "OK Pleased to meet you", type "GETPIN" and hit enter.

Does the prompting still show the text for you?

> Please revert that recent change back to the secure way of just
> displaying dots.

I'm unaware of such a change, please help me track it down! :)

the main recent change is that pinentry now relies on the underlying toolkit's password-entry widget. is it possible that you have some unusual settings for your gtk.Entry widgets in general when they're in password mode?

can you try it from a new/clean user account on your machine? can you try it from another machine with the same version installed?

Thanks for reporting the issue!

     --dkg
Bug#801757: Pinentry displays password while typing
Package: pinentry-gtk2
Version: 0.9.6-2
Severity: grave

In the newest version, pinentry is displaying the password when typing. (It is displaying the last letter, but an observer can easily read the password.)

That is a big security issue that renders pinentry completely unusable in any environment where one is not alone sitting in a dark cabin. When working in a big office, that is insane!

Please revert that recent change back to the secure way of just displaying dots.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (800, 'unstable'), (500, 'testing'), (110, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.7 (SMP w/8 CPU cores)
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1) (ignored: LC_ALL set to de_DE)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages pinentry-gtk2 depends on:
ii  libassuan0     2.3.0-1
ii  libc6          2.19-22
ii  libglib2.0-0   2.46.0-2
ii  libgpg-error0  1.20-1
ii  libgtk2.0-0    2.24.28-1
ii  libncursesw5   6.0+20150810-1
ii  libsecret-1-0  0.18.3-1
ii  libtinfo5      6.0+20150810-1

pinentry-gtk2 recommends no packages.

Versions of packages pinentry-gtk2 suggests:
ii  pinentry-doc  0.9.6-2

-- no debconf information

--
Klaus Ethgen                              http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C