  1. Guacamole
  2. GUACAMOLE-1152

Enabling skip-if-unavailable breaks expired password change


Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 1.1.0, 1.2.0
    • 1.3.0
    • None
    • RHEL 7.8

    Description

      When "skip-if-unavailable: mysql" is set in guacamole.properties, and the user is trying to change his expired password, he is not prompted about problems during the password change (e.g., the password is not complex enough, the password is blank, the password is the same as the old one). Instead, the user is silently logged in to Guacamole (but with no permissions), giving the illusion that the password was successfully changed.

      Steps to reproduce:

      1. Add the following settings to guacamole.properties. The most important one is "skip-if-unavailable: mysql". If this setting is absent, password change works as expected. 
        mysql-user-password-min-length: 8
        mysql-user-password-require-multiple-case: true
        mysql-user-password-require-symbol: true
        mysql-user-password-require-digit: true
        mysql-user-password-prohibit-username: true
        mysql-user-password-min-age: 7
        mysql-user-password-max-age: 90
        mysql-user-password-history-size: 6
        skip-if-unavailable: mysql
        
      2. Make some Guacamole user's password expire (for example, by setting password_date to a date in the past in the MySQL database).
      3. Log in to Guacamole with this user. You will be presented with a password change prompt.
        a) Attempt to enter a blank password (just press the "Continue" button) - you will be silently logged in to Guacamole instead of being given a warning that blank passwords are not allowed;
        b) Attempt to enter a password that does not meet the password complexity requirements - you will be silently logged in to Guacamole instead of being given a warning that the password is not complex enough;
        c) Attempt to enter the same password as an old one - you will be silently logged in to Guacamole instead of being given a warning that the new password must differ.
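
Added example, not part of the original report or of Guacamole's code: a small Python check that reads the text of a guacamole.properties file and flags the combination from the reproduction steps, where mysql is listed in skip-if-unavailable while password expiry and policy settings are configured. The function names, the returned dictionary and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample: the settings listed in the reproduction steps above.
SAMPLE = """\
mysql-user-password-min-length: 8
mysql-user-password-require-multiple-case: true
mysql-user-password-require-symbol: true
mysql-user-password-require-digit: true
mysql-user-password-prohibit-username: true
mysql-user-password-min-age: 7
mysql-user-password-max-age: 90
mysql-user-password-history-size: 6
skip-if-unavailable: mysql
"""

def parse_properties(text):
    """Parse 'key: value' / 'key=value' lines; '#' and '!' start comments.
    Assumption: one setting per line (line continuations are not handled)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^:=\s]+)\s*[:=]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit(text, provider="mysql"):
    """Report whether `provider` is listed in skip-if-unavailable and which
    password policy settings are configured for it."""
    props = parse_properties(text)
    skipped = {p.strip() for p in props.get("skip-if-unavailable", "").split(",")}
    prefix = provider + "-user-password-"
    max_age = props.get(prefix + "max-age", "")
    return {
        "affected": provider in skipped,
        "policy_keys": sorted(k for k in props if k.startswith(prefix)),
        "expiry_enabled": max_age.isdigit() and int(max_age) > 0,
    }

if __name__ == "__main__":
    result = audit(SAMPLE)
    if result["affected"] and result["expiry_enabled"]:
        print("mysql is in skip-if-unavailable and password expiry is enabled;")
        print("check this deployment against GUACAMOLE-1152. Policy settings in use:")
        for key in result["policy_keys"]:
            print("  " + key)
```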

          People

            mjumper Mike Jumper
            trengri Grigory Trenin