Password Security Hole: SFTP Links

It is possible for an end user to see an SFTP password in plain text in the following scenario.

SFTP Session, application is "Default Configured".

RDM client settings, File > Options > Session Type, Default Application Settings for "ftp" is "Windows Explorer" (which is the default)

Open session.

A window with the following message pops up: "There is no program associated with the requested action..."

The TITLE of this window has the username, password, and hostname of the session in the following syntax, in plain text:

sftp://<user>:<password>@<hostname>/
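Added example, not part of the original report and not RDM's own code: a small check that a client can run before handing a session URL to an external program or OS URL handler. The leak above happens because the password is carried in the URL's userinfo (user:password@host), so whatever receives the URL, including the OS error dialog when no handler is registered, can display it verbatim. The helper below strips the password out of the URL (keeping the username, host, port and path), returns it separately, and only ever exposes the redacted form. The sample URLs are constructed for illustration.

```python
from urllib.parse import unquote, urlsplit, urlunsplit


def has_embedded_password(url: str) -> bool:
    """True when the URL carries a password in its userinfo (scheme://user:pass@host)."""
    return urlsplit(url).password is not None


def split_credentials(url: str):
    """Remove the password from a URL's userinfo, keeping the username.

    Returns (redacted_url, username, password). The redacted URL is safe to hand
    to an external handler or to show in an error message; the decoded password
    is returned separately so it can be passed through a channel that is not
    displayed (a credential store, stdin, an API call), never in the URL.
    """
    parts = urlsplit(url)
    username = unquote(parts.username) if parts.username is not None else None
    password = unquote(parts.password) if parts.password is not None else None
    if password is None:
        return url, username, None

    host = parts.hostname or ""
    if ":" in host:                      # bare IPv6 literal must be re-bracketed
        host = f"[{host}]"
    netloc = host
    if parts.port is not None:
        netloc = f"{netloc}:{parts.port}"
    if parts.username:
        # parts.username is still percent-encoded, so reuse it verbatim
        netloc = f"{parts.username}@{netloc}"
    redacted = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return redacted, username, password


def url_for_external_handler(url: str) -> str:
    """Guard for the hand-off to a shell or OS URL handler.

    A URL whose userinfo contains a password is never passed on as-is, because
    the receiving program (or the 'no program associated' dialog when there is
    none) may echo the whole URL, title bar included.
    """
    if not has_embedded_password(url):
        return url
    redacted, _username, _password = split_credentials(url)
    return redacted


def handler_error_message(url: str) -> str:
    """Build the kind of message an application should log or display on failure:
    the URL appears only in redacted form, so the text can be safely shown."""
    return f"There is no program associated with {url_for_external_handler(url)}"


if __name__ == "__main__":
    # Constructed sample URL; the password is percent-encoded as it would be in a real URL.
    sample = "sftp://alice:s3cr%40t@files.example.com/"
    redacted, user, password = split_credentials(sample)
    print("raw URL      :", sample)           # would leak the password if displayed
    print("redacted URL :", redacted)         # sftp://alice@files.example.com/
    print("username     :", user)
    print("password set :", password is not None)
    print(handler_error_message(sample))
```

The same check applies to any scheme that allows userinfo (ftp, http, smb, vnc and so on): the decision to pass credentials out of band instead of in the URL belongs in the client, before the hand-off, not in the handler that happens to be configured.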

All Comments (5)

Hi,
This message is from Windows. Do you have an idea how I could resolve this? I could at least disallow sftp with Explorer.

David Hervieux

I have changed the code to make sure that if it's Explorer, ftp will be used.

David Hervieux

That sounds like a reasonable solution. I don't think that SFTP is going to work with Explorer any time soon anyhow.

Great and thank you for the bug report.

David Hervieux

Glad to help