gaskpass does not grab focus

Bug #276530 reported by Trochee
Affects: gstm (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Ryan Niebur
Milestone:

Bug Description

Binary package hint: gstm

gaskpass does not grab focus. This behavior contrasts with the behavior of gnome-ssh-askpass and ssh-x11-askpass, both of which *do* grab focus.

This is a potential security risk because other applications could eavesdrop on keyboard input and steal or accidentally disseminate the passphrase (e.g. "oops, I just twittered my passphrase!")

Revision history for this message
Ryan Niebur (ryan52) wrote :

I do not currently have a window manager that will let me try to reproduce this bug, but once I can I will fix it.
It's not really a "security" risk, though. If a user is not paying enough attention to notice they are twittering their passphrase, then that's their own fault. Nevertheless, this is still probably an annoyance and should be fixed.

Thanks for the bug report,
Ryan

Changed in gstm:
assignee: nobody → ryan52
Changed in gstm:
importance: Undecided → Low
Revision history for this message
dkg (dkg0) wrote :

I think this *is* a security risk. The danger is not only limited to accidental absent-minded twittering: when the keyboard input is not "grabbed", any application (malicious or not) can eavesdrop on the keyboard input stream. This allows a trivial non-privileged userspace keylogger running in the same Xsession to capture passwords gathered by gaskpass.

It's not clear to me how your window manager affects the keyboard input focus lock. Are you running a window manager that interferes with keyboard grabbing? Can you explain more?

  http://www.pint-stowp.net/software/x11-ssh-askpass/keyboard-grabbing.html

See also XGrabKeyboard(3)

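The mitigation dkg describes, as an added example that is not code from gstm, gaskpass or any other program on this page: a minimal X11 passphrase prompt that refuses to read input unless it holds a keyboard grab, and releases the grab as soon as the line is complete. The prompt itself uses the third-party python-xlib package (imported only inside prompt_passphrase, an assumption about the environment); the retry loop and the status table need nothing but the standard library, and the status numbers are the X protocol's XGrabKeyboard return values. The attempt count and delay are assumed values, modelled on the retry behaviour the x11-ssh-askpass page linked above describes.

```python
"""Minimal grabbing askpass prompt (added example, not gstm/gaskpass code)."""
import sys
import time

# XGrabKeyboard status values as defined by the X11 protocol (the same
# numbers Xlib's headers use), named here so the retry logic runs without X.
GRAB_STATUS = {0: "GrabSuccess", 1: "AlreadyGrabbed", 2: "GrabInvalidTime",
               3: "GrabNotViewable", 4: "GrabFrozen"}
GRAB_SUCCESS = 0


def grab_status_name(status):
    return GRAB_STATUS.get(status, "unknown(%r)" % (status,))


def grab_with_retry(grab, attempts=5, delay_s=0.1, sleep=time.sleep):
    """Call grab() until it returns GrabSuccess or attempts run out.
    Another client may legitimately hold the keyboard for a moment (a menu,
    another prompt), so askpass programs retry instead of failing at once.
    Returns (attempt_number, last_status); attempt_number is 0 on failure."""
    status = None
    for n in range(1, attempts + 1):
        status = grab()
        if status == GRAB_SUCCESS:
            return n, status
        if n < attempts:
            sleep(delay_s)
    return 0, status


def simulated_grab(busy_for):
    """Constructed stand-in for XGrabKeyboard: reports AlreadyGrabbed for the
    first `busy_for` calls, then GrabSuccess. Exercises the retry path where
    no X display is available."""
    calls = {"n": 0}

    def grab():
        calls["n"] += 1
        return 1 if calls["n"] <= busy_for else GRAB_SUCCESS
    return grab, calls


def prompt_passphrase(attempts=5, delay_s=0.1):
    """Map an override-redirect window, grab the keyboard, read one line.
    Returns the passphrase, '' on Escape, or None if the grab failed."""
    from Xlib import X, XK, display   # python-xlib, third-party (assumed installed)
    d = display.Display()
    screen = d.screen()
    win = screen.root.create_window(100, 100, 300, 40, 1, X.CopyFromParent,
                                    X.InputOutput, X.CopyFromParent,
                                    override_redirect=1,   # bypass the WM, like askpass
                                    event_mask=X.KeyPressMask | X.ExposureMask,
                                    background_pixel=screen.white_pixel)
    win.map()
    d.sync()                        # the window must be viewable before grabbing

    def grab():
        return win.grab_keyboard(True, X.GrabModeAsync, X.GrabModeAsync,
                                 X.CurrentTime)

    n, status = grab_with_retry(grab, attempts, delay_s)
    if n == 0:
        # No grab means other clients could read the keystrokes: do not prompt.
        win.destroy()
        d.close()
        print("keyboard grab failed: " + grab_status_name(status), file=sys.stderr)
        return None
    chars = []
    try:
        while True:
            ev = d.next_event()
            if ev.type != X.KeyPress:
                continue
            keysym = d.keycode_to_keysym(ev.detail, 1 if ev.state & X.ShiftMask else 0)
            if keysym == XK.XK_Return:
                break
            if keysym == XK.XK_Escape:
                chars = []
                break
            if keysym == XK.XK_BackSpace:
                if chars:
                    chars.pop()
                continue
            ch = XK.keysym_to_string(keysym)
            if ch:
                chars.append(ch)
    finally:
        d.ungrab_keyboard(X.CurrentTime)   # hold the grab only while reading
        win.destroy()
        d.close()
    return "".join(chars)


if __name__ == "__main__":
    pw = prompt_passphrase()
    if pw is None:
        sys.exit(1)
    print(pw)   # ssh reads the passphrase from the askpass program's stdout
```

Run inside an X session; ssh invokes such a program through SSH_ASKPASS and reads the passphrase from its stdout. The point to keep is the early return: if the grab cannot be acquired, the program exits non-zero rather than collecting a passphrase that other clients could observe.
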
Revision history for this message
Ryan Niebur (ryan52) wrote :

Okay, sorry, the mention of twittering the password confused me. I now understand, and, even though this is also easy to fix, I will just remove gaskpass.

Thanks,
Ryan

Changed in gstm:
importance: Low → Medium
status: New → Triaged
Ryan Niebur (ryan52)
Changed in gstm:
status: Triaged → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gstm - 1.2-7

---------------
gstm (1.2-7) unstable; urgency=low

  * Remove gaskpass. gaskpass is just another ssh askpass program, and
    doesn't do anything special. It does not grab focus, which means
    that key loggers can listen in on what you type, aiui. Seeing as how
    it is just reinventing the wheel, I see no reason to keep it around.
    (Fixes LP: #276530, #276517, #276525, #276529, #276534)
  * Do not explicitly set the ssh timeout, as that causes problems on
    slow networks. (Fixes LP: #293240)

 -- Ubuntu Archive Auto-Sync <email address hidden> Mon, 24 Nov 2008 09:48:55 +0000

Changed in gstm:
status: In Progress → Fix Released