[ 
https://issues.apache.org/jira/browse/GUACAMOLE-1152?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Grigory Trenin updated GUACAMOLE-1152:
--------------------------------------
    Description: 
When "skip-if-unavailable: mysql" is set in guacamole.properties, and the user 
is trying to change his expired password, he is not prompted about problems 
during the password change (e.g. the password is not complex enough, the 
password is blank, the password is the same as the old one). Instead, the user 
is silently logged in to Guacamole (but with no permissions), giving the 
illusion that the password was successfully changed.

 

Steps to reproduce:
 # Add the following settings to guacamole.properties. The most important one 
is "skip-if-unavailable: mysql". If this setting is absent, password change 
works as expected. 
{noformat}
mysql-user-password-min-length: 8
mysql-user-password-require-multiple-case: true
mysql-user-password-require-symbol: true
mysql-user-password-require-digit: true
mysql-user-password-prohibit-username: true
mysql-user-password-min-age: 7
mysql-user-password-max-age: 90
mysql-user-password-history-size: 6
skip-if-unavailable: mysql
{noformat}

 # Make some Guacamole user's password expire (for example, by setting 
password_date to a date in the past in the MySQL database)
 # Log in to Guacamole with this user. You will be presented with a password 
change prompt.
 a) Attempt to enter a blank password (just press the "Continue" button) - you 
will be silently logged in to Guacamole instead of being given a warning that 
blank passwords are not allowed;
 b) Attempt to enter a password that does not meet password complexity 
requirements - you will be silently logged in to Guacamole instead of being 
given a warning that the password is not complex enough;
 c) Attempt to enter the same password as an old one - you will be silently 
logged in to Guacamole instead of being given a warning that the new password 
must differ.

  was:
When "skip-if-unavailable: mysql" is set in guacamole.properties, and the user 
is trying to change his expired password, he is not prompted about problems 
during the password change (eg: the password is not complex enough, the 
password is blank, the password is the same as old one). Instead, the user is 
silently logged in to Guacamole (but with no permissions) giving the illusion 
that the password is successfully changed.

 

Steps to reproduce:
 # Add the following settings to guacamole.properties. The most important one 
is "skip-if-unavailable: mysql". If this setting is absent, password change 
works as expected. 
{noformat}
mysql-user-password-min-length: 8
mysql-user-password-require-multiple-case: true
mysql-user-password-require-symbol: true
mysql-user-password-require-digit: true
mysql-user-password-prohibit-username: true
mysql-user-password-min-age: 7
mysql-user-password-max-age: 90
mysql-user-password-history-size: 6
skip-if-unavailable: mysql
{noformat}

 # Get some Guacamole user password expired (for example, by setting 
password_date to a date in the past in MySQL database)
 # Login to Guacamole with this user. You will be presented with a password 
change prompt.
 a) Attempt to enter a blank password (just press "Continue" button) - you will 
be silently logged in to Guacamole instead of giving a warning that blank 
passwords are not allowed;
 b) Attempt to enter a password that does not meet password complexity 
requiremnts - you will be silently logged in to Guacamole instead of giving a 
warning the password is not complex enough;
 c) Attempt to enter the same password as an old one - you will be silently 
logged in to Guacamole instead of giving a warning that new password must 
differ.


> Enabling skip-if-unavailable breaks expired password change
> -----------------------------------------------------------
>
>                 Key: GUACAMOLE-1152
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1152
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-auth-jdbc-mysql
>    Affects Versions: 1.1.0, 1.2.0
>         Environment: RHEL 7.8
>            Reporter: Grigory Trenin
>            Priority: Major
>
> When "skip-if-unavailable: mysql" is set in guacamole.properties, and the 
> user is trying to change his expired password, he is not prompted about 
> problems during the password change (e.g. the password is not complex enough, 
> the password is blank, the password is the same as the old one). Instead, the 
> user is silently logged in to Guacamole (but with no permissions), giving the 
> illusion that the password was successfully changed.
>  
> Steps to reproduce:
>  # Add the following settings to guacamole.properties. The most important one 
> is "skip-if-unavailable: mysql". If this setting is absent, password change 
> works as expected. 
> {noformat}
> mysql-user-password-min-length: 8
> mysql-user-password-require-multiple-case: true
> mysql-user-password-require-symbol: true
> mysql-user-password-require-digit: true
> mysql-user-password-prohibit-username: true
> mysql-user-password-min-age: 7
> mysql-user-password-max-age: 90
> mysql-user-password-history-size: 6
> skip-if-unavailable: mysql
> {noformat}
>  # Make some Guacamole user's password expire (for example, by setting 
> password_date to a date in the past in the MySQL database)
>  # Log in to Guacamole with this user. You will be presented with a password 
> change prompt.
>  a) Attempt to enter a blank password (just press the "Continue" button) - you 
> will be silently logged in to Guacamole instead of being given a warning that 
> blank passwords are not allowed;
>  b) Attempt to enter a password that does not meet password complexity 
> requirements - you will be silently logged in to Guacamole instead of being 
> given a warning that the password is not complex enough;
>  c) Attempt to enter the same password as an old one - you will be silently 
> logged in to Guacamole instead of being given a warning that the new password 
> must differ.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
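
Added example, not part of the original Jira message or of Guacamole's code: a small audit check that reads a guacamole.properties file and reports the combination described in the report, an extension listed in skip-if-unavailable that also has password-policy settings enabled. It assumes skip-if-unavailable takes a comma-separated list and that policy keys follow the "<extension>-user-password-*" naming seen above; the sample file is constructed.

```python
import re

# Constructed sample mirroring the settings listed in the report.
SAMPLE = """\
# guacamole.properties (constructed sample)
mysql-hostname: localhost
mysql-user-password-min-length: 8
mysql-user-password-require-digit: true
mysql-user-password-require-symbol: false
mysql-user-password-max-age: 90
skip-if-unavailable: mysql
"""

# Assumption: policy keys follow the "<extension>-user-password-*" pattern
# seen in the report; prefixes other than "mysql" are a generalization.
POLICY_KEY = re.compile(r"^([a-z]+)-user-password-[a-z-]+$")
DISABLED = {"", "false", "0"}

def parse_properties(text):
    """Parse 'key: value' or 'key = value' lines, skipping blanks and comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^\s:=]+)\s*[:=]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def risky_extensions(text):
    """Return {extension: [active policy keys]} for extensions that are
    also named in skip-if-unavailable."""
    props = parse_properties(text)
    skipped = {e.strip().lower()
               for e in props.get("skip-if-unavailable", "").split(",") if e.strip()}
    findings = {}
    for key, value in props.items():
        m = POLICY_KEY.match(key)
        if m and m.group(1) in skipped and value.lower() not in DISABLED:
            findings.setdefault(m.group(1), []).append(key)
    return {ext: sorted(keys) for ext, keys in findings.items()}

if __name__ == "__main__":
    for ext, keys in risky_extensions(SAMPLE).items():
        print(f"{ext}: listed in skip-if-unavailable with active password policy:")
        for key in keys:
            print(f"  {key}")
```

A non-empty result on an affected version (1.1.0 or 1.2.0 per the issue header) means expired-password changes for that extension should be tested by hand using the steps above.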
