Posted to user@guacamole.apache.org by Todd James <to...@gmail.com> on 2021/02/13 07:05:10 UTC

Preventing TOTP enrollment and authentication unless user has a confirmed key already

I am using LDAP, MySQL, and TOTP with the database populated with a script
that I wrote. In the pre-1.0 builds cloned from git when
guacamole-auth-totp was first introduced, I was able to have users created
in the database, sign in with LDAP credentials, but have the users be
denied authentication if they did not already have an enrolled TOTP
credential. The user would not be prompted to enroll, either. My
understanding was this was because the user did not have permission to
change their own password, and so could not set their own TOTP key.

This was the ideal behavior for me, because I populated the
guacamole_user_attribute table with TOTP secrets from another source.

It seems that with Guacamole 1.3.0, users are always prompted to enroll a
TOTP credential if they do not already have one.

Is it possible to restore the previous behavior? I've tried using the 1.1
and 1.0 versions of the TOTP module with the web app 1.3.0, but those seem
to just authenticate the user without prompting for the OTP or enrollment.
My understanding is that this behavior changed with the 1.2.0 module.

I've tried modifying UserVerificationService.java in the TOTP extension,
but the behavior isn't making sense to me. In the verifyIdentity()
function, I am throwing an exception during the if (key == null) check
rather than returning, but that seems to be blocking legitimate
authentication attempts at the OTP prompt, as well.

Any thoughts would be appreciated.

Todd

Re: Preventing TOTP enrollment and authentication unless user has a confirmed key already

Posted by Nick Couchman <vn...@apache.org>.
On Sat, Feb 13, 2021 at 2:05 AM Todd James <to...@gmail.com> wrote:

> I am using LDAP, MySQL, and TOTP with the database populated with a script
> that I wrote. In the pre-1.0 builds cloned from git when
> guacamole-auth-totp was first introduced, I was able to have users created
> in the database, sign in with LDAP credentials, but have the users be
> denied authentication if they did not already have an enrolled TOTP
> credential. The user would not be prompted to enroll, either. My
> understanding was this was because the user did not have permission to
> change their own password, and so could not set their own TOTP key.
>
>
Yes, more or less.


> This was the ideal behavior for me, because I populated the
> guacamole_user_attribute table with TOTP secrets from another source.
>
>
Unfortunately this was relying on a limitation in the code at that time and
not necessarily a well-defined and documented feature.


> It seems that with Guacamole 1.3.0, users are always prompted to enroll a
> TOTP credential if they do not already have one.
>
>
Yes.


> Is it possible to restore the previous behavior? I've tried using the 1.1
> and 1.0 versions of the TOTP module with the web app 1.3.0, but those seem
> to just authenticate the user without prompting for the OTP or enrollment.
> My understanding is that this behavior changed with the 1.2.0 module.
>
>
There's no direct way to get back to the pre-1.2.0 code. In 1.2.0 we
changed things so that the ability for other modules to write database
entries for a particular user does not rely on that user having the proper
permissions but, instead, happens at a system level.

What you might try doing is enabling the option to require the user to be
present in the DB authentication module:
http://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-restrict

I'm not 100% certain if this will get you where you want to go, but my
initial feeling is that it will. If your users are authenticating with
LDAP, this will require that they be present in the JDBC module before
allowing authentication to continue, so you'd be able to populate JDBC
entries for the users, including the TOTP data, before the users are able
to log in. Based on the description of your issue, I *think* this will get
you where you want to go. Of course, with this you'd also need to make sure
that 1) you do not have JDBC user auto-creation enabled, and 2) you're not
creating the users in the JDBC module prior to populating the TOTP entries.

If this doesn't get you exactly what you're looking for please feel free to
post back and we can discuss through what is lacking.

-Nick
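The two points raised in this thread, Todd's `verifyIdentity()` change that refuses users with no key but also ended up blocking users at the OTP prompt, and Nick's advice to require that the user and their TOTP data exist in the database before login, come down to the same gating policy. The following is an added example, written here and not taken from Guacamole or its TOTP extension, that models that policy as three separate outcomes so that the "not enrolled" refusal can never fire for a user whose key is on file. Names such as `UserRecord`, `verify_identity`, `Outcome` and the sample users are assumptions for this example; the TOTP computation follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits) and the sample secret is the RFC test key.

```python
"""Enrollment-gated TOTP verification (illustration, not Guacamole code).

Policy modelled here:
  - user absent from the DB, or present with no provisioned secret -> deny,
    and never offer enrollment (the pre-1.2.0 behaviour the thread describes);
  - secret on file but no code submitted yet                       -> prompt;
  - secret on file and a code submitted                            -> verify it.
"""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, Optional

STEP_SECONDS = 30
DIGITS = 6


class Outcome(Enum):
    DENIED_NOT_ENROLLED = auto()  # refuse; no enrollment prompt is shown
    CODE_REQUIRED = auto()        # key exists; ask for the one-time code
    DENIED_BAD_CODE = auto()      # code submitted but did not verify
    ALLOWED = auto()


@dataclass
class UserRecord:
    """Hypothetical DB row: None means the TOTP attribute was never provisioned."""
    username: str
    totp_secret: Optional[bytes]


def totp(secret: bytes, at: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the time counter with dynamic truncation."""
    counter = int(at // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def verify_code(secret: bytes, submitted: str, at: float, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side (clock drift)."""
    for drift in range(-window, window + 1):
        expected = totp(secret, at + drift * STEP_SECONDS)
        # constant-time comparison so a wrong digit does not leak via timing
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return True
    return False


def verify_identity(user: Optional[UserRecord], submitted_code: Optional[str],
                    now: Optional[float] = None) -> Outcome:
    """Order matters: the enrollment gate is decided per user, before looking
    at whether this particular request carried a code."""
    now = time.time() if now is None else now
    if user is None or user.totp_secret is None:
        return Outcome.DENIED_NOT_ENROLLED
    if not submitted_code:
        return Outcome.CODE_REQUIRED
    if verify_code(user.totp_secret, submitted_code, now):
        return Outcome.ALLOWED
    return Outcome.DENIED_BAD_CODE


# Constructed sample data: alice was provisioned out-of-band, bob was not.
RFC6238_TEST_KEY = b"12345678901234567890"
SAMPLE_USERS: Dict[str, UserRecord] = {
    "alice": UserRecord("alice", RFC6238_TEST_KEY),
    "bob": UserRecord("bob", None),
}

if __name__ == "__main__":
    t = 59  # RFC 6238 test vector: code at T=59 is 287082 (6 digits)
    print(verify_identity(SAMPLE_USERS["bob"], None, now=t))        # DENIED_NOT_ENROLLED
    print(verify_identity(SAMPLE_USERS["alice"], None, now=t))      # CODE_REQUIRED
    print(verify_identity(SAMPLE_USERS["alice"], "287082", now=t))  # ALLOWED
    print(verify_identity(SAMPLE_USERS["alice"], "000000", now=t))  # DENIED_BAD_CODE
```

In this arrangement the database row is the source of truth for enrollment status, which is the property Nick's `user-required` suggestion relies on: with auto-creation off, a user who is not yet in the database (here `user is None`) or whose TOTP attribute has not been populated (here `totp_secret is None`) is refused outright, while a provisioned user is only ever asked for a code or checked against one. Keeping the two refusal reasons as distinct return values, rather than throwing from a single branch, also makes the denial easy to log and alert on without confusing it with an ordinary wrong-code attempt.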
