
Fix rotation or changed password #80

Status: Open, wants to merge 5 commits into base: master

Conversation

@Opvolger (Author)

fix for: if you want to reconnect to a remote desktop session and your password is changed.

fix for: if you want to reconnect to a remote session and your password is changed.
@MutonUfoAI (Owner)

@Opvolger (Author)

This does not work completely.

1. If you are logged in to 2 different systems and you disconnect on system 1 and change your password on system 2, then the local Windows user on system 1 still has your old password.

2. We have a rotating password on some users; these can have a new password every hour. These cannot log in after locking / disconnecting the system.

3. If you block a user, for example in your LDAP, so that he can no longer get into systems, he can still pick up sessions as long as he is not logged out.

@MutonUfoAI (Owner)

Do you think messing with the code is everything that has to be done?
Have you tested your changes against all possible login options by using all available plugins?
The documentation is writing itself?
Do you see my point?

These changes fit your needs, and your needs only.
Modifications to the heart of pGina need to be tested, verified and documented!

public static bool ChangeLocalUserPassword(string username, string password)
take a look into pinvokes

User.ChangeLocalUserPassword(sessionDriver.UserInformation.Username, sessionDriver.UserInformation.Password);
as soon as this raises an exception you'll get this
m_logger.ErrorFormat("Internal error, unexpected exception while handling login request: {0}", e);
I worked a lot to get rid of this unhelpful error!

Here is my last question.
If your pwd policy is so restrictive, why do you still store all their passwords as plain text in RAM?

@Opvolger (Author) commented Oct 20, 2017

Do you think messing with the code is everything that has to be done?
Yes. I only validate a user with the Authentication plugins if there is an existing session and the user was originally logged in with pGina.
If no session is present, it will also run Authentication from the plugins.

Have you tested your changes against all possible login options by using all available plugins?
No, that's not possible; I have not tried all possible situations.
Only LDAP and our new plugin that already uses this adjustment.
There have been 4 separate pull requests. If they are accepted (possibly with adjustments) I will offer our plugin as a pull request.

The documentation is writing itself?
I cannot find the documentation that says pGina is not working properly when a password is changed outside of the operating system.
Do you see my point?
Yes, I fully understand you. First, they did not want to accept your adjustments in the official pGina code. Now you feel responsible for the code, and it is not nice when someone changes the heart of this code. This is pretty scary. But I really saw this as a bug and would like to contribute to a better pGina for all.

These changes fit your needs, and your needs only.
Modifications to the heart of pGina need to be tested, verified and documented!
Again, I saw this as a bug. Disconnected sessions can be retrieved without authentication. You only need to know the "old" password.
If your account is blocked, you can still pick up disconnected sessions.

take a look into pinvokes
I will look into pinvokes and commit the changes.

If your pwd policy is so restrictive, why do you still store all their passwords as plain text in RAM?
If you use Windows, you have all your passwords in memory. Otherwise, you cannot start programs as Administrator. We have Windows and Linux machines here. All connections are broken at night. If you want to pick up a session again, you can do that with your rotated password. All login actions are tracked and strange behavior is automatically intercepted.

We log in with two-factor authentication on a system that gives us a rotated password, which we can use to log on to a system. When we log in we will always get a new rotated password, which can be used for up to 24 hours.

@Opvolger (Author)

Now I use pInvoke.

@schwoerertw commented Oct 20, 2017

Hi Opvolger,

in a RADIUS/OTP AD environment I had to change the following in your source to get rid of an internal error (NullReferenceException) on relogin of a domain user into a disconnected RDP session:

Service.cs Line 508:
if (userinfo4.comment.Contains(m_pGinaCreatedComment) && CheckIfUserWasLoginWithpGina(sessionDriver))

Changed to:
if ( CheckIfUserWasLoginWithpGina(sessionDriver))

as I have no userinfo4 object for a non-local user at this time.

Please forgive me for not doing it the right way with a diff, but I am an old sysadmin not used to working with git... ;-)

Works now for initial login and relogin to a disconnected RDP session going through the pGina plugin chain (for me only RADIUS) in both cases.

@Opvolger (Author)

userinfo4 can be null if the account is not a local user account... I will fix this bug.
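An added example, not pGina's own code and not code from this PR, of the reconnect logic discussed in this thread: the plugin chain is re-run for an existing session only when the user originally logged in with pGina, the local password is synced only for a pGina-created local account, and the null `userinfo4` case schwoerertw hit is handled instead of throwing. The `ReconnectAction` enum, `Decide`, the `PGinaCreatedComment` value and the parameter names are assumptions; `NetUserSetInfo` level 1003 is the real Win32 call behind a P/Invoke-based `ChangeLocalUserPassword`.

```csharp
// Added example (not pGina's code). Names marked HYPOTHETICAL are assumptions.
using System;
using System.Runtime.InteropServices;

public enum ReconnectAction { RunPlugins, RunPluginsThenSyncLocalPassword, LeaveToWindows }

public static class ReconnectPolicy
{
    public const string PGinaCreatedComment = "pGina created user"; // HYPOTHETICAL marker text

    // sessionExists:     a disconnected session for this user still exists.
    // loggedInWithPGina: what CheckIfUserWasLoginWithpGina(sessionDriver) returns.
    // localComment:      comment field of the local account (userinfo4.comment), or null when
    //                    the account is not local; that null is what caused the NullReferenceException.
    public static ReconnectAction Decide(bool sessionExists, bool loggedInWithPGina, string localComment)
    {
        if (!sessionExists)
            return ReconnectAction.RunPlugins;          // fresh login: the plugin chain always runs
        if (!loggedInWithPGina)
            return ReconnectAction.LeaveToWindows;       // assumption: sessions pGina did not create are untouched
        // Re-validate against the plugins; sync the local password only for accounts pGina created.
        bool pGinaLocalAccount = localComment != null && localComment.Contains(PGinaCreatedComment);
        return pGinaLocalAccount
            ? ReconnectAction.RunPluginsThenSyncLocalPassword
            : ReconnectAction.RunPlugins;
    }
}

// Local password update via P/Invoke (NetUserSetInfo, level 1003), the approach the owner
// pointed to. Requires administrative rights on the host, which the pGina service has.
public static class LocalUser
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    private struct USER_INFO_1003 { public string usri1003_password; }

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    private static extern int NetUserSetInfo(string servername, string username, int level,
                                             ref USER_INFO_1003 buf, out int parm_err);

    // Returns true on NERR_Success (0); the caller logs the returned status code instead of
    // letting a generic exception surface as "Internal error, unexpected exception".
    public static bool ChangeLocalUserPassword(string username, string newPassword, out int status)
    {
        var info = new USER_INFO_1003 { usri1003_password = newPassword };
        status = NetUserSetInfo(null, username, 1003, ref info, out _);
        return status == 0;
    }
}
```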

if the user was a pgina-user, set password again.
@Opvolger (Author)

@schwoerertw can you test it again with the change I have made?
