Bug 6973 - The REMOVE_CONFIGURATION feature used by tlclient.cgi can be circumvented
Summary: The REMOVE_CONFIGURATION feature used by tlclient.cgi can be circumvented
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: VSM Server
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: LowPrio
Assignee: Henrik Andersson
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-16 11:46 CEST by Peter Åstrand
Modified: 2017-05-16 13:11 CEST (History)

See Also:
Acceptance Criteria:


Attachments

Description Peter Åstrand cendio 2017-05-16 11:46:33 CEST
When the native client is started through tlclient.cgi, the password can optionally be transferred in the generated configuration file. By default, /opt/thinlinc/etc/tlclient.conf.webtemplate contains the line:

REMOVE_CONFIGURATION = 1

...which causes tlclient to remove the entire config file (which contains the password) after it has read it. However, if the browser does not launch tlclient automatically, users have the possibility to edit the file and remove the REMOVE_CONFIGURATION line before starting tlclient. This way, they can save the password to the local machine. 

Even if the user is not manually editing the config file, the fact that the file is downloaded - and managed - by the browser could be a little problematic. For example, the browser might cache the content one way or another. 

One alternative solution could be that tlclient.cgi generates a configuration file which only contains a URL to a web service. Then, tlclient (rather than the browser) would connect to that web service in order to retrieve a configuration file, possibly containing a password. However, for security, some kind of hash or OTP system is necessary. 

Also note that having tlclient retrieve the file means that browser-related connection settings (proxy server, etc.) are not automatically honored.
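As an added illustration (this is not ThinLinc code and is not part of the report), the following sketches the single-use token scheme the description says the web-service alternative would require: the CGI side hands the browser only a URL carrying a fresh token, and the service releases the full configuration to whoever presents that token exactly once, refusing replays, expired tokens and tokens it never issued. The `CONFIG_URL` key, the `example.invalid` URL, the server key and the time-to-live are constructed assumptions, not real tlclient settings.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 60  # constructed value: an unused token dies after this


@dataclass
class PendingConfig:
    config: str        # the full tlclient configuration, password included
    expires_at: float


class ConfigHandoffService:
    """Hypothetical web service; it stores only an HMAC of each issued token."""

    def __init__(self, server_key: bytes, base_url: str, clock=time.time):
        self._key = server_key
        self._base_url = base_url
        self._clock = clock          # injectable so expiry can be exercised
        self._pending: dict = {}     # HMAC(token) -> PendingConfig

    def _digest(self, token: str) -> bytes:
        # Keyed hash: a leaked token store does not yield redeemable tokens.
        return hmac.new(self._key, token.encode(), hashlib.sha256).digest()

    def issue(self, full_config: str) -> str:
        """CGI side: keep the real config here, give the browser only a URL."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = PendingConfig(
            config=full_config,
            expires_at=self._clock() + TOKEN_TTL_SECONDS,
        )
        return f"CONFIG_URL = {self._base_url}?token={token}\n"

    def redeem(self, token: str) -> Optional[str]:
        """Client side: the config is released once; replayed, expired and
        unknown tokens all yield None."""
        self._purge_expired()
        entry = self._pending.pop(self._digest(token), None)
        return None if entry is None else entry.config

    def _purge_expired(self) -> None:
        now = self._clock()
        stale = [d for d, e in self._pending.items() if e.expires_at <= now]
        for digest in stale:
            del self._pending[digest]


def token_from_bootstrap(bootstrap: str) -> Optional[str]:
    """What a client would do with the bootstrap file: pull the token out of
    the CONFIG_URL line (an assumed key, not a real tlclient one)."""
    for line in bootstrap.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "CONFIG_URL":
            query = parse_qs(urlparse(value.strip()).query)
            return query.get("token", [None])[0]
    return None


def demo() -> dict:
    """Walk the flow once with a controllable clock and return the outcomes."""
    now = [1_000_000.0]
    svc = ConfigHandoffService(b"constructed-server-key",
                               "https://vsm.example.invalid/tlclient-config",
                               clock=lambda: now[0])
    secret_cfg = "SERVER_NAME=vsm.example.invalid\nPASSWORD=constructed\n"

    bootstrap = svc.issue(secret_cfg)           # what the browser downloads
    token = token_from_bootstrap(bootstrap)
    first = svc.redeem(token)                   # full config, exactly once
    replay = svc.redeem(token)                  # same token again: refused

    stale_token = token_from_bootstrap(svc.issue(secret_cfg))
    now[0] += TOKEN_TTL_SECONDS + 1             # client never showed up in time
    expired = svc.redeem(stale_token)

    return {
        "bootstrap_has_password": "PASSWORD" in bootstrap,
        "first": first,
        "replay": replay,
        "expired": expired,
        "bogus": svc.redeem("not-a-token"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome!r}")
```

The point of the split is that the file the browser downloads, and may cache, never contains the password; only the short-lived token does, and it is worthless after one use. The report's caveat still applies: the client's own fetch of the configuration bypasses the browser's proxy settings.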
