Grigory Trenin created GUACAMOLE-1152:
-----------------------------------------
Summary: Enabling skip-if-unavailable breaks expired password reset
Key: GUACAMOLE-1152
URL: https://issues.apache.org/jira/browse/GUACAMOLE-1152
Project: Guacamole
Issue Type: Bug
Components: guacamole-auth-jdbc-mysql
Affects Versions: 1.2.0, 1.1.0
Environment: RHEL 7.8
Reporter: Grigory Trenin
When "skip-if-unavailable: mysql" is set in guacamole.properties, and the user
is trying to change his expired password, he is not prompted about problems
during the password change (e.g. the password is not complex enough, the
password is blank, the password is the same as the old one). Instead, the user is
silently logged in to Guacamole (but with no permissions), giving the illusion
that the password was successfully changed.
Steps to reproduce:
# Add the following settings to guacamole.properties. The most important one
is "skip-if-unavailable: mysql". If this setting is absent, password change
works as expected.
{noformat}
mysql-user-password-min-length: 8
mysql-user-password-require-multiple-case: true
mysql-user-password-require-symbol: true
mysql-user-password-require-digit: true
mysql-user-password-prohibit-username: true
mysql-user-password-min-age: 7
mysql-user-password-max-age: 90
mysql-user-password-history-size: 6
skip-if-unavailable: mysql
{noformat}
# Make some Guacamole user's password expire (for example, by setting
password_date to a date in the past in the MySQL database)
# Log in to Guacamole with this user. You will be presented with a password
change prompt.
a) Attempt to enter a blank password (just press "Continue" button) - you will
be silently logged in to Guacamole instead of giving a warning that blank
passwords are not allowed;
b) Attempt to enter a password that does not meet password complexity
requirements - you will be silently logged in to Guacamole instead of giving a
warning that the password is not complex enough;
c) Attempt to enter the same password as an old one - you will be silently
logged in to Guacamole instead of giving a warning that the new password must
differ.
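A configuration check for the combination described in the report above, added here as an example and not taken from the report or from the Guacamole project: it flags any extension listed in skip-if-unavailable that also has password policy properties set. It assumes skip-if-unavailable holds a comma-separated list of identifiers and that policy properties use the `<identifier>-user-password-` prefix seen in the report; the function names and the sample text are constructed.

```python
import re

# Constructed sample mirroring some of the settings quoted in the report.
SAMPLE = """\
mysql-user-password-min-length: 8
mysql-user-password-max-age: 90
skip-if-unavailable: mysql
"""


def parse_properties(text):
    """Parse simple 'key: value' or 'key=value' lines (no escapes or continuations)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or comment
        m = re.match(r"([^:=\s]+)\s*[:=]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(text):
    """Return (identifier, policy_keys) for each skipped extension with policy keys set."""
    props = parse_properties(text)
    skipped = [s.strip() for s in props.get("skip-if-unavailable", "").split(",")
               if s.strip()]
    findings = []
    for ext in skipped:
        # Assumption: policy keys share the extension identifier as a prefix.
        prefix = ext + "-user-password-"
        policy = sorted(k for k in props if k.startswith(prefix))
        if policy:
            findings.append((ext, policy))
    return findings


if __name__ == "__main__":
    for ext, policy in audit(SAMPLE):
        print(f"{ext}: listed in skip-if-unavailable while password policy is "
              f"configured ({', '.join(policy)})")
```

The check reports only that the keys are present; it does not evaluate whether a given value actually enables the rule.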