LinuxQuestions.org
Old 06-28-2011, 08:54 AM   #1
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 1,953

Rep: Reputation: 159
Gnome Commander security issue


I came across this today and I am not pleased. It seems that when I connect to a remote server over ssh and do NOT "[ ] Use GNOME keyring manager for authentication" my password to the remote server is stored in clear text in ~/.gnome.commander/connections

Be aware if you are a gnome-commander user.

Ken
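
An added example (not part of the original posts, and not gnome-commander code): a small audit that flags saved connection entries carrying a password inside the URI, without echoing the password, and checks whether the file is accessible to other accounts. The `scheme://user:password@host` entry layout, the helper names and the sample data are assumptions; the path is the one quoted in the post above.

```python
import os
import re
import stat
import tempfile

# scheme://user:password@host ; the password group is matched but never reported.
CRED_URI = re.compile(
    r"\b([a-z][a-z0-9+.-]*)://([^\s:/@]+):([^\s@/]+)@([^\s/:]+)", re.I)

def audit_connections(path):
    """Return (findings, exposed) for a saved-connections file.

    findings: (line_no, scheme, user, host) for each URI with an embedded password.
    exposed:  True if group or other has any permission bit on the file.
    """
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, 1):
            for m in CRED_URI.finditer(line):
                scheme, user, _password, host = m.groups()
                findings.append((line_no, scheme.lower(), user, host))
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return findings, bool(mode & (stat.S_IRWXG | stat.S_IRWXO))

def redact(text):
    """Replace the password in every credential URI with a fixed marker."""
    return CRED_URI.sub(r"\1://\2:<redacted>@\4", text)

# Constructed sample data; the real file's layout is an assumption.
SAMPLE = (
    "ken@taylor10 ssh://ken:hunter2-example@taylor10/home/ken\n"
    "backup sftp://ken@taylor10/srv/backup\n"
)

def demo():
    """Audit a temporary copy of SAMPLE written with mode 0644."""
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write(SAMPLE)
    os.chmod(fh.name, 0o644)
    try:
        return audit_connections(fh.name)
    finally:
        os.unlink(fh.name)

if __name__ == "__main__":
    # Path as quoted in the first post; fall back to the constructed sample.
    real = os.path.expanduser("~/.gnome.commander/connections")
    hits, exposed = audit_connections(real) if os.path.exists(real) else demo()
    for line_no, scheme, user, host in hits:
        print(f"line {line_no}: {scheme} password stored for {user}@{host}")
    print("readable by other accounts" if exposed else "owner-only permissions")
```

Use `redact()` before pasting file contents into a bug report or forum post.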
 
Old 06-28-2011, 11:42 AM   #2
ButterflyMelissa
Senior Member
 
Registered: Nov 2007
Location: Somewhere on my hard drive...
Distribution: Manjaro
Posts: 2,714
Blog Entries: 23

Rep: Reputation: 406
Thanks for the heads-up! I use FileZilla...but the Gnome Commander (grandkid of the Midnight Commander?) was on the "maybe pile" all the time, not anymore (until fixed)...

Thor
 
Old 06-28-2011, 12:23 PM   #3
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 1,953

Original Poster
Rep: Reputation: 159
I have been using gnome-commander for quite a while. I just happened on the password issue today while poking around various configuration files in preparation for a possible Ubuntu reinstall. The first programs I ever purchased (after dBase II for CP/M) were Norton Commander and Utilities for DOS. In fact I came across the packing slip in some old documents I was cleaning out recently. I used File Manager from Win NT on XP for many years as well. It does not work in Win Vista nor 7 and I don't use Vista nor 7.

That said, I am stuck on the two panel file manager concept. Perhaps I need to find a different one although I have become very familiar with gnome-commander in spite of a few weaknesses. Midnight Commander is great for working over a shell connection. I found some other possibilities here http://168hours.wordpress.com/2008/0...ves-for-linux/

I have filed a bug with gnome-commander and passwords. I also noted that when I tell it to use the Gnome keyring manager it does not and it prompts me for a password each time I connect to a bookmarked remote server. I have no problem with that; however, gnome-commander seems to have become a little flaky once I removed the passwords and use it this way. Perhaps it needs to become familiar with the way I want to work.

Ken
 
Old 07-01-2011, 02:42 PM   #4
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 1,953

Original Poster
Rep: Reputation: 159
And just to add... using "[X] Use GNOME keyring manager for authentication" and supplying the password each time works about 10% of the time. The other 90% of the time gnome-commander crashes.

Ken
 
Old 07-05-2011, 08:42 AM   #5
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 1,953

Original Poster
Rep: Reputation: 159
Update - gnome-commander DOES WORK with the Gnome Keyring! It just did not work the way I expected it to or would have programmed it to had I designed the process to create a remote connection from gnome-commander. I had expected that when I told gnome-commander to use the Gnome Keyring it would have asked for my credentials the first time, done its connection to the server thing and then stored the necessary data securely in the keyring. But it did not. Here is how to make it work...

1 - Run seahorse (Passwords and Encryption Keys) from Applications; Accessories on the Ubuntu menu.
2 - Select File; New and then choose Secure Shell Key
3 - Enter a description for the key. I used ken@taylor10 for my (ken's) key to server taylor10. I named the Remote Connection in gnome-commander the same thing although I do not believe they need to match.
4 - Select Create and Setup
5 - Enter a passphrase for the key - I used my normal login password for the PC although it could be something different. When the key is used to make a connection for the first time I am asked for the passphrase. The keyring remains unlocked after that to allow access to any keys with the same passphrase. That is my empirical finding although I do not know how long the keyring remains unlocked. If I set a different passphrase for a particular key I am asked for that passphrase the first time I use the key in question.
6 - Next I enter the computer name and the login name. The login name does not have to be the name I am logged in to the PC with. It just has to be a valid user on the server. This raises some interesting possibilities beyond the scope of this discussion.
7 - Finally I am prompted for the user's password on the server. I enter this and then seahorse connects to the server, validates the credentials and apparently brings back the ssh key from the server. Note that the remote machine must be up and reachable for this process to work.

I can now create a Remote Server connection in gnome-commander using the Gnome Keyring and it works!!! The key pieces of data which must match the keyring are the Server and User name.

Thanks to the gnome-commander developers for a great application! I have been in contact with them via a bug I filed on the storage of plain text passwords. I have suggested that storing the password in plain text be made optional (the other option being to ask for it each time the connection is made) and that an error message be raised if the necessary key is not found in the Gnome Keyring rather than allowing gnome-commander to crash.

Ken
 
1 members found this post helpful.
Old 05-31-2018, 05:47 AM   #6
amiba
LQ Newbie
 
Registered: Jan 2010
Posts: 20

Rep: Reputation: 3
Got problems if the user is not Administrator

I've used gnome commander to connect a drive over ftp and did use the function save forever. It worked; now I had to change the IP and put it in again. It tells me that the keyring isn't unlocked and asks for a password, but none of the known passwords matches. If I give the user admin rights, it works properly.

Any idea how to get around this? It wouldn't be a problem if the password could be sniffed in the clear, because if someone is in the system, he already is in. Everybody outside isn't important, and to communicate a password to all possible users is in this case a very impossible mission. No one knows who will be using the station on the next day.

There isn't anything important to steal.
But it has to work.

All times are GMT -5.