New Feature: - Security: SSH Key Password should be asked on connection, not saved in the app #131
Comments
Sure, this can be implemented. AVNC can ask for key password when connecting, just like it does for VNC password.
Yes, passwords are stored in plaintext, because they are required for authentication. AVNC stores all server data in private app storage, and relies on Android for access protection. If you don't trust the app, how do you know I won't send the key password to some random server, even if password is only asked while connecting to VNC server? So I am not going to implement a key manager. Once AVNC supports asking for key password while connecting, you can use any third-party password manager you trust to auto-fill passwords in AVNC.
"If you don't trust the app, how do you know I won't send the key password to some random server, even if password is only asked while connecting to VNC server?"
"So I am not going to implement a key manager. Once AVNC supports asking for key password while connecting, you can use any third-party password manager you trust to auto-fill passwords in AVNC." "Sure, this can be implemented. AVNC can ask for key password when connecting, just like it does for VNC password." Just a final thought.
Hi @userw2891, SSH password and SSH private key password will now be optional when creating a server.
Thank you. I made a quick test, and the popup requesting the key password shows. There are also two things that can additionally be done
When I have time I will check the key, key password, server pair again to see if it really works, or just install the app on the other phone (it works on the other phone, and if I remember correctly not on this one). Thank you again
This affects both login password & private key password. These will be queried using LoginFragment if not available in profile. LoginInfo now serves as a generic wrapper for credentials, instead of being tied to VNC credentials. Re: #131
Fixed by: 42b8fb8
I will keep it for now. It can be removed in future.
Renamed it to Thank you for testing.
Super... just a note... there is no software that I know of that saves a private key password... they keep the password in memory only at runtime for the current session, or until it is manually removed by the user / or the unencrypted key is removed from memory. How it is now is perfectly fine for me... super work... thank you...
I will remove the key password field after a few versions. It requires a database migration, and I want to give the new login flow some time with users.
SSH Private key Password SHOULD NOT BE SAVED IN THE APP.
SSH Private key password
Behaviour should be similar to the ConnectBot Android app.
Care should be taken with how the key password is stored in and released from memory.
It is good for now just to implement an SSH key password request and key release when VNC closes... and later rework key handling and add a key manager.
I do not trust saving the password in the app; probably the password is not even encrypted and is stored in plain text, and if it is encrypted, I will not trust the app's encryption implementation, and last but not least, if it is stored it can be retrieved, so it should not be stored.
Thank you,
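
The flow discussed in this thread (use the saved key password if the profile has one, otherwise ask at connection time, and release it when the session closes), as an added Kotlin example. It is not AVNC code: `SessionSecret`, `ServerProfile` and `resolveKeyPassword` are hypothetical names, and the prompt and the key unlock are stubs.

```kotlin
import java.util.Arrays

// Added example; every name here is hypothetical, none is taken from AVNC.

/** Holds a key password as a CharArray so it can be overwritten (a String cannot). */
class SessionSecret(private val chars: CharArray) : AutoCloseable {
    var isWiped = false
        private set

    /** Lends the password to [block]; fails if the session already ended. */
    fun <T> borrow(block: (CharArray) -> T): T {
        check(!isWiped) { "key password was already released" }
        return block(chars)
    }

    /** Overwrites the password; call when the VNC/SSH session closes. */
    override fun close() {
        Arrays.fill(chars, '\u0000')
        isWiped = true
    }
}

/** A saved server entry. keyPassword == null means "ask on every connection". */
class ServerProfile(val host: String, val keyPassword: CharArray? = null)

/** Uses the saved password if the profile has one, otherwise asks the user. */
fun resolveKeyPassword(profile: ServerProfile, prompt: (String) -> CharArray): SessionSecret {
    val saved = profile.keyPassword
    // Copy a saved value so wiping the session copy leaves the profile intact.
    return SessionSecret(saved?.copyOf() ?: prompt("Key password for ${profile.host}"))
}

fun main() {
    // Constructed input: a profile with no saved password and a stub prompt.
    val profile = ServerProfile(host = "vnc.example.test")
    val secret = resolveKeyPassword(profile) { "constructed-passphrase".toCharArray() }

    // Stand-in for decrypting the private key and running the session.
    val unlocked = secret.borrow { it.isNotEmpty() }
    println("unlocked=$unlocked")

    secret.close()                       // session ended: release the password
    println("wiped=${secret.isWiped}")   // any later borrow() now throws
}
```

Overwriting the array is best effort on a managed runtime: copies held by the UI text field or by the SSH library are outside this class's control.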