[ https://issues.apache.org/jira/browse/GUACAMOLE-1599?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17532799#comment-17532799 ]
Andy Franks commented on GUACAMOLE-1599:
----------------------------------------

Thank you Nick. So unlike passwords, where a hash can be created and compared, TOTP requires reversible encryption in order to check the code produced?

Thank you again.

> Storage of TOTP secrets unhashed
> --------------------------------
>
>                 Key: GUACAMOLE-1599
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1599
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-auth-totp
>    Affects Versions: 1.3.0
>         Environment: Ubuntu 20.04
>            Reporter: Andy Franks
>            Priority: Minor
>
> Hi
> Successfully campaigned for the use of guacamole in the large public sector
> organisation I work at. A security-conscious colleague has noticed that
> apparently the TOTP codes for users are stored in the
> guacamole_user_attribute table in plain text - and presumably could be
> trivially copied to a TOTP utility and the codes generated.
> I pointed out that the user security part is salted and hashed, and you'd
> need both to log in, but the colleague is not appeased.
> Perhaps not a bug as such but possibly a spanner in the works of keeping the
> adoption of the software, which would be a big shame. Is there an official
> explanation (e.g. that it's simply not required as you'd need to get into the
> database first, the security is implicit there etc)? Or is it a future
> planned change?
> Thank you

--
This message was sent by Atlassian Jira
(v8.20.7#820007)
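An added illustration of the point raised in the thread (example code written for this page, not part of the ticket or of guacamole-auth-totp): a TOTP code is an HMAC keyed with the shared secret itself, so the verifier must hold that secret in a recoverable form, and a password-style hash of it cannot reproduce the code. The secret below is the RFC 6238 test key, base32-encoded as an authenticator app would hold it; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct

# Constructed input: the RFC 6238 test key "12345678901234567890", base32-encoded
# the way a TOTP app (or a user attribute row) would store it.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (now // step)."""
    key = base64.b32decode(secret_b32, casefold=True)
    return hotp(key, now // step, digits)


def verify_totp(secret_b32: str, code: str, now: int, window: int = 1) -> bool:
    """Server-side check: needs the raw secret to recompute the HMAC for the current
    step and +/- `window` neighbouring steps (clock skew). Constant-time comparison."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = now // 30
    return any(
        hmac.compare_digest(hotp(key, counter + k), code)
        for k in range(-window, window + 1)
    )


def verify_with_hashed_secret(secret_b32: str, code: str, now: int) -> bool:
    """What a password-style store would leave the server with: only SHA-256(secret).
    Keying the HMAC with that digest yields an unrelated code, so verification fails."""
    digest = hashlib.sha256(base64.b32decode(secret_b32, casefold=True)).digest()
    return hmac.compare_digest(hotp(digest, now // 30), code)


if __name__ == "__main__":
    t = 59  # RFC 6238 test time: counter 1, expected 6-digit SHA-1 code 287082
    print("code:", totp(EXAMPLE_SECRET_B32, t))
    print("verify with raw secret:", verify_totp(EXAMPLE_SECRET_B32, "287082", t))
    print("verify with hashed secret:", verify_with_hashed_secret(EXAMPLE_SECRET_B32, "287082", t))
```

Because the server needs the secret back, the usual mitigation is encryption at rest under a key kept outside the database (plus limiting who can read the attribute table), rather than hashing.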