MutonUfoAI / pgina

pGina fork: Open Source Windows Authentication
http://mutonufoai.github.io/pgina
BSD 3-Clause "New" or "Revised" License

user password is displayed on C:\Users\Public\sys.txt #118

Open demoli2 opened 6 years ago

demoli2 commented 6 years ago

Hi, this is a security problem. When I activate the scripting notification plugin, the password is not hidden in the file C:\Users\Public\sys.txt!

I think it's due to the default setup we can see here: http://mutonufoai.github.io/pgina/documentation/plugins/scripting.html.

I try to delete "HKLM:\SOFTWARE\pGina3.fork\Plugins\ea94cebf-6ed1-454a-b333-81c4fad61fa4" (plugin scripting) with a PowerShell script:

```powershell
$PluginKey = "HKLM:\SOFTWARE\pGina3.fork\Plugins\ea94cebf-6ed1-454a-b333-81c4fad61fa4"

# Drop the scripting plugin key entirely and recreate it empty
if (Test-Path -Path $PluginKey) {
    Remove-Item -Path $PluginKey -Recurse
}
New-Item -ItemType Directory -Force -Path $PluginKey

# One multi-string entry: the flag fields, then the command; %u and %p are the username and password placeholders
$a = @("True `t True `t False`t net use u: `"\\server\share`" /persistent:no `"/user:%u`" `"%p`"")
# Set-ItemProperty takes -Name (there is no -PSProperty parameter)
Set-ItemProperty -Path $PluginKey -Type MultiString -Name notification_usr -Value $a

# activation
Set-ItemProperty -Path "HKLM:\SOFTWARE\pGina3.fork" -Name "ea94cebf-6ed1-454a-b333-81c4fad61fa4" -Value 16
```

But the default setup comes back.

I use sshAuth.

Olivier

MutonUfoAI commented 6 years ago

Don't delete the whole key, remove the data only.

```
reg add "HKLM\SOFTWARE\pGina3.fork\Plugins\ea94cebf-6ed1-454a-b333-81c4fad61fa4" /v notification_usr /t REG_MULTI_SZ /d "" /f
```

demoli2 commented 6 years ago

Thank you for your reply. Your solution works fine, but the security problem is still there with the default "event notification" -> "system context".

MutonUfoAI commented 6 years ago

You need to activate the plugin first and then you would add your own scripts and remove the predefined ones.

demoli2 commented 6 years ago

Yes, for me it's OK, but it's for other pGina users. It's dangerous to have a file that contains passwords.

MutonUfoAI commented 6 years ago

You need to activate the plugin first ...
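An audit script for the situation discussed in this thread, added here as an example; it is not code from the pGina project or from any participant. It lists every scripting-plugin entry that receives the plaintext password through the `%p` placeholder, checks whether the default `C:\Users\Public\sys.txt` exists and who can read it, and clears a script list the way the maintainer suggests (blank the data, keep the key). The key path, the `notification_usr` value name and `%p` come from the thread; the `notification_sys` value name is an assumption and may not exist on a given install.

```powershell
# Added example (not pGina project code): audit the scripting plugin's script lists
# for entries that expand the password placeholder (%p) and check the default
# world-readable output file. Value names other than notification_usr are assumed.
$PluginKey  = 'HKLM:\SOFTWARE\pGina3.fork\Plugins\ea94cebf-6ed1-454a-b333-81c4fad61fa4'
$ValueNames = @('notification_usr', 'notification_sys')   # notification_sys is an assumption
$LeakFile   = 'C:\Users\Public\sys.txt'

function Get-PasswordExposingEntries {
    # Returns one object per multi-string entry that contains the %p placeholder
    param([string]$Key, [string[]]$Names)
    $findings = @()
    if (-not (Test-Path -Path $Key)) { return $findings }
    $props = Get-ItemProperty -Path $Key
    foreach ($name in $Names) {
        $entries = $props.$name
        if ($null -eq $entries) { continue }     # value absent on this install
        foreach ($entry in @($entries)) {
            if ($entry -match '%p') {
                $findings += [pscustomobject]@{ Value = $name; Entry = $entry }
            }
        }
    }
    return $findings
}

function Clear-ScriptList {
    # Maintainer's advice: keep the key, blank the data (REG_MULTI_SZ with one empty string),
    # so pGina does not restore its predefined scripts on the next start.
    param([string]$Key, [string]$Name)
    Set-ItemProperty -Path $Key -Name $Name -Type MultiString -Value @('')
}

$hits = @(Get-PasswordExposingEntries -Key $PluginKey -Names $ValueNames)
if ($hits.Count -gt 0) {
    Write-Warning "Script entries that receive the plaintext password via %p:"
    $hits | Format-Table -AutoSize
} else {
    Write-Host "No script entries expand %p."
}

if (Test-Path -Path $LeakFile) {
    Write-Warning "$LeakFile exists; C:\Users\Public is readable by every local user, so review its contents and ACL."
    (Get-Acl -Path $LeakFile).Access | Select-Object IdentityReference, FileSystemRights | Format-Table -AutoSize
}

# Remediation, run only after reviewing the findings above:
# $hits | Select-Object -ExpandProperty Value -Unique | ForEach-Object { Clear-ScriptList -Key $PluginKey -Name $_ }
```

Run it from an elevated PowerShell session, since the plugin key lives under HKLM. The remediation line is left commented so the audit can be run read-only on a fleet first; clearing a script list is a configuration change that also removes any legitimate scripts in that list, so replace them with ones that do not pass `%p` afterwards.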