Posted to user@guacamole.apache.org by MAURIZI Lorenzo <l....@comune.jesi.an.it> on 2022/05/19 08:35:04 UTC

Problem with expired password and TOTP

Dear all,
I just noticed that in my installation, with TOTP module activated, there is a problem when I create a user with the "Password expired" flag to force password change at first login.

The workflow is as follows:

1. The user goes to the login page and enters the username and the first provided password.

2. The user gets the password expired form, asking for the new password. After writing the new password twice, he presses "Continue".

3. The user gets the enrollment QR code for TOTP. The user makes the enrollment in the OTP application and enters the first OTP on the screen.

After confirming the OTP code, the user gets an "Invalid Login" error on top of the page and goes back to the login form.
From now on, if the user tries to log in again entering the new password, the answer is "Verification failed. Please try again".
If he enters the old password, he obtains "Invalid login".

On any subsequent login attempt (notice: WITHOUT reloading the page) the user obtains the same results as above (Invalid login with the old password, Verification failed with the new password).

The only resolution is to reload the page with Ctrl-F5 or to close and reopen the browser.
After reloading the login page, if the user logs in with the new password, the QR code is displayed again on screen for TOTP enrollment, but the OTP application is already enrolled, so it is only necessary to enter another OTP generated with the app.

In general, this problem occurs every time the user has to change the password because of expiration (forced with the "Password expired" flag, or just expired under the password enforcement policy in guacamole.properties); in a subsequent password change, with TOTP already enrolled, only the request for a "normal" OTP code is shown.
But, after entering the OTP, the user again receives the "Invalid login" error and the login page is displayed, and it is necessary to reload the login page to make it work.

I think it could be considered a bug?

Best Regards
Lorenzo