Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
1.1.0, 1.2.0
-
None
-
RHEL 7.8
Description
When "skip-if-unavailable: mysql" is set in guacamole.properties, and the user is trying to change his expired password, he is not prompted about problems during the password change (eg: the password is not complex enough, the password is blank, the password is the same as old one). Instead, the user is silently logged in to Guacamole (but with no permissions) giving the illusion that the password is successfully changed.
Steps to reproduce:
- Add the following settings to guacamole.properties. The most important one is "skip-if-unavailable: mysql". If this setting is absent, password change works as expected.
mysql-user-password-min-length: 8 mysql-user-password-require-multiple-case: true mysql-user-password-require-symbol: true mysql-user-password-require-digit: true mysql-user-password-prohibit-username: true mysql-user-password-min-age: 7 mysql-user-password-max-age: 90 mysql-user-password-history-size: 6 skip-if-unavailable: mysql
- Get some Guacamole user password expired (for example, by setting password_date to a date in the past in MySQL database)
- Login to Guacamole with this user. You will be presented with a password change prompt.
a) Attempt to enter a blank password (just press "Continue" button) - you will be silently logged in to Guacamole instead of giving a warning that blank passwords are not allowed;
b) Attempt to enter a password that does not meet password complexity requirements - you will be silently logged in to Guacamole instead of giving a warning that the password is not complex enough;
c) Attempt to enter the same password as an old one - you will be silently logged in to Guacamole instead of giving a warning that new password must differ.