*** This bug is a security vulnerability ***
You have been subscribed to a public security bug by Jamie Strandboge
(jdstrand):
Binary package hint: konqueror
I'm using Konqueror 3.5.9, KDE 3.5.9 on Kubuntu 8.04.
Steps to reproduce:
* Use Konqueror to connect to a remote machine using fish, say
fish://example.net, logging in as "someuser". Enter the password, and do not
select "remember password". Ensure that other methods of authentication like
ssh keys are not possible.
* From the terminal, ssh [EMAIL PROTECTED], as you would normally.
* On example.net, check the list of processes with ps x. There should be a
"sshd: [EMAIL PROTECTED]" process; kill that.
* Check ps x again, to see that the process has been killed.
* Go back to Konqueror and do something like navigating to a different folder.
* On example.net, do ps x again to see that an ssh connection has been
re-established.
The fact that the second ssh session was established seems to indicate
that Konqueror remembered the password and used it again, without the
user's permission. Konqueror should not remember passwords unless told
to do so, and there should be a way to tell Konqueror "I'm done now,
forget the password and any other personal data related to this fish
session".
** Affects: kdebase (Ubuntu)
Importance: Undecided
Status: New
--
Konqueror remembers password when told not to with fish kioslave
https://bugs.launchpad.net/bugs/229545