[ https://issues.apache.org/jira/browse/GUACAMOLE-1599?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17532865#comment-17532865 ]

Nick Couchman commented on GUACAMOLE-1599:
------------------------------------------

Yes, I believe that's correct, because, ultimately, the TOTP module has to 
compare the generated TOTP value (six digit number), and can't work backward 
from a 6-digit code to any sort of hash that could be compared. The data is 
actually generated the other way - from the secret in the DB to the six digit 
number.

> Storage of TOTP secrets unhashed
> --------------------------------
>
>                 Key: GUACAMOLE-1599
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1599
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-auth-totp
>    Affects Versions: 1.3.0
>         Environment: Ubuntu 20.04
>            Reporter: Andy Franks
>            Priority: Minor
>
> Hi
> Successfully campaigned for the use of guacamole in the large public sector 
> organisation I work at. A security-conscious colleague has noticed that 
> apparently the TOTP codes for users are stored in the 
> guacamole_user_attribute table in plain text - and presumably could be 
> trivially copied to a TOTP utility and the codes generated.
> I pointed out that the user security part is salted and hashed, and you'd 
> need both to log in, but the colleague is not appeased.
> Perhaps not a bug as such but possibly a spanner in the works of keeping the 
> adoption of the software, which would be a big shame. Is there an official 
> explanation (e.g. that it's simply not required as you'd need to get into the 
> database first, the security is implicit there etc)? Or is it a future 
> planned change?
> Thank you
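To make the point in the comment above concrete, here is an added worked example (not Guacamole's own code, and not part of the issue thread). It implements TOTP as described in RFC 6238 (HMAC-SHA1, 30-second step, six digits) and shows that the server must regenerate the code from the raw secret; a hash of the secret is not a usable key, because the digest fed to HMAC produces a different code. The secret used is the RFC's own test value, ASCII "12345678901234567890", and the timestamps are the RFC test vectors; the function names are assumptions for this illustration.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), used here as the
# value a server would keep in its user-attribute store, base32-encoded.
TEST_SECRET = b"12345678901234567890"
STORED_SECRET_B32 = base64.b32encode(TEST_SECRET).decode()
PERIOD = 30   # time step in seconds
DIGITS = 6    # length of the one-time code


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, period: int = PERIOD, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(key, unix_time // period, digits)


def verify_totp(stored_secret_b32: str, submitted_code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side verification, as the comment describes: the stored secret is decoded,
    candidate codes are regenerated for the current step (plus/minus `window` steps to
    tolerate clock drift), and the submitted code is compared in constant time.
    There is no way to run this check from a hash of the secret."""
    key = base64.b32decode(stored_secret_b32, casefold=True)
    counter = unix_time // PERIOD
    for step in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + step), submitted_code):
            return True
    return False


def hashed_secret_cannot_verify(secret: bytes, unix_time: int) -> bool:
    """Illustration only: using SHA-256(secret) as the HMAC key yields a different code,
    so a store holding only a digest could not reproduce what the authenticator shows."""
    digest_as_key = hashlib.sha256(secret).digest()
    return any(
        totp(secret, unix_time + k * PERIOD) != totp(digest_as_key, unix_time + k * PERIOD)
        for k in range(3)
    )


if __name__ == "__main__":
    # RFC 6238 vector: T=59 gives 94287082 with 8 digits, so the 6-digit code is 287082.
    print(totp(TEST_SECRET, 59))
    print(verify_totp(STORED_SECRET_B32, "287082", 59))
    print(hashed_secret_cannot_verify(TEST_SECRET, 59))
```

The `window` argument matters for a real deployment: the authenticator's clock and the server's clock are rarely identical, so a verifier that accepts only the current step will reject valid codes at step boundaries, while a wide window lengthens the time a captured code stays valid.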



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
