
Don't show LDAP credentials in error messages, at least not by default
Closed, WontfixPublic

Description

Seems something went wrong (local error) when setting up an LDAP server for key storage. So after configuring something like (.gnupg/gpg.conf)

keyserver ldap://ldap-server/????bindname=uid=LordPrivySeal%2Cou=GnuPG%20Users%2Cdc=example%2Cdc=com,password=secret

(this is a single line, of course)

... and publishing a particular key, I receive an error:

gpg --send-keys 6AD74D237F2EEA93271474C20840333D9F15A045
gpg: sending key 0840333D9F15A045 to ldap://ldap-server/????bindname=uid=LordPrivySeal%2Cou=GnuPG%20Users%2Cdc=example%2Cdc=com,password=secret
gpg: keyserver send failed: Invalid LDAP credentials
gpg: keyserver send failed: Invalid LDAP credentials

The actual problem: That password (secret) should not be shown in any error message unless required by the user. The current situation allows credential stealing by a watcher.

Observed with gnupg 2.2.27 and kleopatra 20.08.3 (which echoes the gpg error message).
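As an added illustration of the mitigation the report asks for (this is example code written here, not GnuPG's or Kleopatra's own code), the helper below takes an LDAP keyserver URL in the form shown above and masks the value of the password extension before the URL is written to a log or error message. It follows the RFC 4516 layout of an LDAP URL (ldap://host/dn?attributes?scope?filter?extensions), where the bindname and password settings live in the comma separated extensions segment after the fourth question mark. The function names redact_ldap_url and redact_message, the [redacted] marker and the sample log line are assumptions made for this example.

```python
"""Mask the password extension of an LDAP keyserver URL before it is logged.

Example code, not GnuPG's own implementation. The sample URL reuses the
placeholder values from the bug report (the password value "secret" is the
reporter's example, not a real credential).
"""
import re

# Constructed sample: the keyserver line from the report, as a single string.
SAMPLE_URL = (
    "ldap://ldap-server/????bindname=uid=LordPrivySeal%2Cou=GnuPG%20Users"
    "%2Cdc=example%2Cdc=com,password=secret"
)

REDACTED = "[redacted]"  # assumed marker; any fixed string will do

# RFC 4516 extensions are comma separated "name=value" pairs; a leading "!"
# marks an extension as critical, so strip it before comparing the name.
_PASSWORD_EXT = "password"


def redact_ldap_url(url: str) -> str:
    """Return url with the value of the password extension replaced.

    URLs without an extensions segment (fewer than four '?') are returned
    unchanged. Commas inside extension values are %2C-encoded in a valid
    LDAP URL, so splitting on ',' is safe for well-formed input.
    """
    parts = url.split("?", 4)
    if len(parts) < 5:
        return url  # dn/attrs/scope/filter only, no extensions to redact
    redacted_exts = []
    for ext in parts[4].split(","):
        name, sep, _value = ext.partition("=")
        if sep and name.strip().lstrip("!").lower() == _PASSWORD_EXT:
            redacted_exts.append(f"{name}={REDACTED}")
        else:
            redacted_exts.append(ext)
    return "?".join(parts[:4] + [",".join(redacted_exts)])


# Any ldap:// or ldaps:// URL up to the next whitespace, as it would appear
# inside a one-line diagnostic such as "gpg: sending key ... to ldap://...".
_LDAP_URL_RE = re.compile(r"ldaps?://\S+")


def redact_message(message: str) -> str:
    """Redact every LDAP URL embedded in a log or error message line."""
    return _LDAP_URL_RE.sub(lambda m: redact_ldap_url(m.group(0)), message)


if __name__ == "__main__":
    # Constructed line modelled on the report's output.
    line = "gpg: sending key 0840333D9F15A045 to " + SAMPLE_URL
    print(redact_message(line))
```

The point of wrapping the URL rather than the whole message is that the bindname (which identifies the account) stays visible for troubleshooting while the secret does not; a single choke point like redact_message placed in front of the logger is easier to audit than redacting at every call site.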

Event Timeline

werner added a subscriber: werner.

I give this a low priority because all those infos are easily retrievable from config files.

My concern is not a disloyal administrator, so I disagree with that priority.

In comparison, nobody would consider it an acceptable behavior of an e-mail client, if it showed the configured password as part of an error message just because of a problem with the connection, something that might be caused by a server outage, expired certificates or a network glitch.

This however is precisely what happens here.

So what do you think is the threat here?

werner claimed this task.

If we ever add a way to take the password from a file we will for sure hide that in the log files. Ceterum autem censeo tesserae esse delendam. ("Furthermore, I hold that passwords must be done away with.")