On Mon, Feb 25, 2019 at 1:04 AM drhy <dyo...@huntergroup.co.nz> wrote:

> Hi PlayerOne and vnick,
>
> I think I also read that MySQL creates a salted password when a new user is
> created - but I wasn't sure.
>

Yes, if you leave the password field alone (don't enter anything, at all),
Guacamole Client will generate a random, strong password for the user and
populate it.  You probably do not want to actually clear out the password
field - better to have a random/strong password there that no one actually
knows than to clear it out.


>
> But when guacadmin was administrating that new user, for example by adding
> a
> Group or adding Connections, the web GUI would report "Passwords not
> identical" for the two user password fields. I would then have guacadmin
> delete both passwords, allowing the changed user to be saved. I then found
> that the user could logon with no password = alarm bells.
>
>
I'm not sure why you'd be getting the "passwords are not identical" if you
didn't actually modify the field.  If you leave it alone completely you
should not get this message and you shouldn't have to worry about it.


> Hence to make sure that couldn't happen, whenever I created a user via the
> MySQL command line, I explicitly used a Powershell/.Net method to generate
> a
> password and assign it to the new user. And now I know that whenever a user
> is administrated via the web GUI, a random password must be provided by
> guacadmin.
>
> All this applicable when using Radius with MySQL - I haven't adequately
> tested any other authentication combinations.
>
> Not sure if my understandings are correct though.
>
>
I think you've more or less got it, just the step of manually blanking the
field should not be necessary - if you leave it alone entirely, and if
you're using the WebUI to create the users, it should have a strong, random
password in it.  If you're using a PowerShell script to create the users
directly in the MySQL database you would need to do the random password
step yourself, within that script.

-Nick
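As an added illustration of the last point (this is not code from the thread or from the Guacamole project): a PowerShell script that does the "random password step" itself when a user is inserted straight into the MySQL database. It assumes the Guacamole 1.0 JDBC schema (`guacamole_entity` / `guacamole_user`) and the storage convention documented in the Guacamole manual, namely a 32-byte random salt and `password_hash = SHA-256(password + uppercase hex of salt)`; the parameter names, the character alphabet and the `New-RandomPassword` / `Get-GuacamolePasswordRow` function names are my own choices. The generated password is deliberately never printed, since with RADIUS doing the authentication nobody needs to know it; the row only has to be unguessable.

```powershell
# Added example, not part of the original thread. Assumes the Guacamole 1.0
# JDBC schema and the manual's hashing convention (see lead-in).
param(
    [Parameter(Mandatory = $true)][string] $UserName,
    [int] $Length = 32
)

# Cryptographically random password. Draw 4 bytes per character and reject
# values above $limit so every alphabet character is equally likely
# (a plain modulo over the full range would bias the first few characters).
function New-RandomPassword {
    param([int] $Length = 32)
    $alphabet = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*-_=+')
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 4
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$alphabet.Length)
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        $n = [BitConverter]::ToUInt32($buf, 0)
        if ($n -lt $limit) {
            [void]$sb.Append($alphabet[[int]($n % $alphabet.Length)])
        }
    }
    $rng.Dispose()
    return $sb.ToString()
}

# Salt + hash in the form the Guacamole JDBC module expects:
# 32 random salt bytes, SHA-256 over (password + uppercase hex of the salt).
function Get-GuacamolePasswordRow {
    param([Parameter(Mandatory = $true)][string] $Password)
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $salt = New-Object byte[] 32
    $rng.GetBytes($salt)
    $rng.Dispose()
    $saltHex = ([BitConverter]::ToString($salt)).Replace('-', '')   # uppercase hex
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Password + $saltHex))
    $sha.Dispose()
    return @{
        SaltHex = $saltHex
        HashHex = ([BitConverter]::ToString($hash)).Replace('-', '')
    }
}

# The username is interpolated into SQL text below, so restrict it to a safe
# character set instead of trusting whatever was typed on the command line.
if ($UserName -notmatch '^[A-Za-z0-9._@-]+$') {
    throw "Refusing username '$UserName': only letters, digits, . _ @ - are allowed."
}

$password = New-RandomPassword -Length $Length
$row      = Get-GuacamolePasswordRow -Password $password
$password = $null   # discard it: nobody is meant to know this password

# Emit the statements for the MySQL command line. The entity row must exist
# before the user row, and the user row is keyed by its entity_id.
$sql = @"
INSERT INTO guacamole_entity (name, type) VALUES ('$UserName', 'USER');
INSERT INTO guacamole_user (entity_id, password_hash, password_salt, password_date)
SELECT entity_id, UNHEX('$($row.HashHex)'), UNHEX('$($row.SaltHex)'), NOW()
FROM guacamole_entity WHERE name = '$UserName' AND type = 'USER';
"@
Write-Output $sql
```

Run it as `.\New-GuacUser.ps1 -UserName alice | mysql guacamole_db` (file name is illustrative). Because the salt is random per user, two runs for the same name never produce the same hash, and because the cleartext is dropped before anything is written out, the stored row is exactly the "strong password that no one actually knows" described above.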
