#1746 FTP Plugin demanding 'master password to decrypt' breaks

closed-fixed
Alan Ezust
FTP (14)
5
2013-10-31
2013-10-30
Mark Crocker
No

After upgrading to jEdit FTP plugin version 1.0.6, restarting jEdit with a session that already has many open remote files will demand a master password for each open file.

For a user who was not expecting this, it is a very jarring experience, and this blocks the main jEdit window from appearing until all file password challenges are answered in some way. There is no explanation of what is going on, and on Windows 7 Professional SP1 the dialogs always appear underneath all other windows, so after most actions the dialogs just seem to disappear and nothing seems to happen. There is also no indication which file is being challenged, so when a dozen seemingly identical challenges appear in a row for a password the user doesn't know anything about, they will likely get frustrated and kill jEdit rather than continue.

If the user selects cancel for the master password challenges, then an FTP dialog with no password will appear for one of the remote files. Entering the password, which jEdit used to remember for that file, and selecting OK results in another dialog asking the user to 'Choose a master password to encrypt your new password file'. Entering a value there and clicking OK restarts the master password challenge loop, except that the FTP dialog for the first file will now have a value for the password, and proceeding leads to a dialog for the second open remote file with a blank password entry. If a user actually goes through this process for each open remote file, then when completed, the actual jEdit main window will open, but NONE of the remote files will be included. For a large number of open remote files, this can take a considerable length of time and, if the wrong button is clicked at any time, result in having to start over!

Also, if a user selects cancel for each master password challenge until the main window appears and then attempts to change to another session with no open remote files, the buffers will be empty for each file in the new session.

Finally, the updated plugin documentation mentioned that there was a way to enable/disable encryption in the plugin options FTP page, but I do not see that in the dialog. There is an option for using a key file and for using compression, but not for encryption as the documentation seems to suggest there should be.

Although I really appreciate the effort to add password encryption, this change is really not ready for release and I strongly recommend that it be rolled back until a working solution is found.

Discussion

  • Alan Ezust
    2013-10-30

    • status: open --> pending-works-for-me
     
  • Alan Ezust
    2013-10-30

    Are you seeing in the status bar that JCE strong encryption is not available? If so, then you can't save passwords.
    Un-check the option "save passwords and passphrases to disk" or read the documentation about how to enable JCE strong encryption. There is no option to disable encryption.

    If you are not getting a "JCE strong encryption unavailable" in your statusbar, please describe the steps to reproduce your bug.

     
  • Alan Ezust
    2013-10-30

    • status: pending-works-for-me --> pending-duplicate
     
  • Alan Ezust
    2013-10-30

    Duplicate of 3615141

     
  • Alan Ezust
    2013-10-31

    What you are describing, "asking over and over again" for a master password, happens if it is unable to open the existing saved passwords file. Since older password files are unreadable, it doesn't matter what master password you supply, you can never open it. The only workaround for this is to "forget remote passwords", which will delete that old password file. After that everything should work as expected.

     
  • Alan Ezust
    2013-10-31

    • status: pending-duplicate --> closed-works-for-me
     
  • Alan Ezust
    2013-10-31

    Committed 23303 to FTP plugin in SVN. Now if you "cancel" when it asks you for the master password, then the option for saving passwords is set to false.
    You can test this version: http://lazarus.oddiofile.com/jars/FTP.jar

     
  • Alan Ezust
    2013-10-31

    • assigned_to: nobody --> ezust
    • status: closed-works-for-me --> closed-fixed
     
  • arielCo
    2013-10-31

    Hi Alan,
    I installed the JCE security JARs, downloaded the FTP.jar you provide and what happens is:

    * Fire up jEdit
    * File > Open: the "Connect to Secure FTP Server" dialog comes up (since the file browser was last browsing a remote site), pre-filled with the last hostname and username.
    * enter password > Enter: "Choose a master password to encrypt your new password file" dialog comes up.
    * enter new master password > Enter: dialog closes, File Browser doesn't come up. I have the main window with the default empty buffer.

    I'm attaching %APPDATA%\jEdit\activity.log.

     
  • arielCo
    2013-10-31

    I can't find a way to attach a file, so here it goes: http://pastebin.com/dGhdsK94

     
  • Alan Ezust
    2013-11-01

    Please try the latest FTP.jar from my server again. I just made some more improvements.

     
  • arielCo
    2013-11-01

    Apparently saving passwords works (it prompts for the master password and recalls the host password on the next run). It's a bit awkward that the host drop-down is disabled but I can change username.
    Authentication succeeds, but then I get "ListDirectoryBrowserTask: java.lang.NoSuchFieldError: DATE_FORMAT" and the File Browser remains in a "Loading" state.
    http://pastebin.com/DKyTRggZ

     
  • Alan Ezust
    2013-11-01

    ariel-co, what version of jEdit are you using?

     
  • Alan Ezust
    2013-11-01

    Never mind, I figured out why you see that. Try downloading another FTP.jar, I fixed it.

     
  • arielCo
    2013-11-01

    I'm getting the same file as before (MD5=74f29c37f1a8f31a433cbc557efe7457). I'm running the latest 5.2pre1 from tellurianring.org (2013-08-13_05-00-30).

     
  • Alan Ezust
    2013-11-01

    [ezust@cerberus] /home/ezust/.jedit/jars> md5pass FTP.jar
    $1$nt3ngm1h$GFYAfVRIKAS6s0geNkV180
    [ezust@cerberus] /home/ezust/.jedit/jars> ls -l FTP.jar
    -rw-rw-r-- 1 ezust ezust 124012 Nov 1 12:52 FTP.jar

     
  • arielCo
    2013-11-01

    I finally got the new version; my proxy may have been caching the old content. It works fine now, even with the old JCE policy files (should it?).

    Off-topic: According to the manpage, 'md5pass' hashes the *string* in the command line, that is "FTP.jar". 'md5sum' is what calculates a digest from the file contents.

     
  • Alan Ezust
    2013-11-01

    FTP steps down to DES on systems where strong keys are unavailable.
    It's in the docs. http://plugins.jedit.org/plugindoc/FTP/
    Re: md5pass: oops! thanks.
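
Added example, not the FTP plugin's code and not part of the comment above: how a Java program can detect whether the JCE policy permits strong keys, and why a password file that cannot be decrypted should lead to a reset offer rather than repeated master password prompts. The class name `MasterPasswordDemo` and the choice of PBKDF2 with AES-GCM (128-bit fallback) are assumptions made for this sketch; per the thread, the plugin itself steps down to DES.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;

public class MasterPasswordDemo {
    // 256-bit AES needs the unlimited-strength JCE policy; otherwise stay at 128.
    static int keyBits() throws GeneralSecurityException {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256 ? 256 : 128;
    }

    // Derive a key from the master password and run AES-GCM in the given mode.
    static byte[] crypt(int mode, char[] master, byte[] salt, byte[] iv, byte[] in)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(master, salt, 100_000, keyBits());
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
                .generateSecret(spec).getEncoded();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        return c.doFinal(in);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        System.out.println("AES key size allowed by JCE policy: " + keyBits());
        SecureRandom rnd = new SecureRandom();
        byte[] salt = new byte[16], iv = new byte[12];
        rnd.nextBytes(salt);
        rnd.nextBytes(iv);
        // Constructed sample entry, not a real credential.
        byte[] entry = "ftp.example.org:alice:s3cret".getBytes(StandardCharsets.UTF_8);
        byte[] file = crypt(Cipher.ENCRYPT_MODE, "master-1".toCharArray(), salt, iv, entry);

        byte[] ok = crypt(Cipher.DECRYPT_MODE, "master-1".toCharArray(), salt, iv, file);
        System.out.println("correct master password: " + new String(ok, StandardCharsets.UTF_8));
        try {
            crypt(Cipher.DECRYPT_MODE, "wrong".toCharArray(), salt, iv, file);
        } catch (AEADBadTagException e) {
            // The authentication tag fails for a wrong password and equally for a
            // file written in another format, where no password can ever succeed.
            System.out.println("cannot open password file: offer to reset it, do not loop");
        }
    }
}
```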

     
  • Mark Crocker
    2013-11-04

    Wow! You guys are awesome! Thanks for the quick response and providing a working solution so quickly. Thanks.

    I grabbed the one build from version 23303 and gave it a try. As suggested in the comment, it did blow away all my existing passwords, but encrypted the new ones under the new master password and asked for it only once.