You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@guacamole.apache.org by "J.T. Moore (Jira)" <ji...@apache.org> on 2020/09/29 03:31:00 UTC
[jira] [Created] (GUACAMOLE-1187) TOTP not working with MariaDB
J.T. Moore created GUACAMOLE-1187:
-------------------------------------
Summary: TOTP not working with MariaDB
Key: GUACAMOLE-1187
URL: https://issues.apache.org/jira/browse/GUACAMOLE-1187
Project: Guacamole
Issue Type: Bug
Components: guacamole-auth-totp
Affects Versions: 1.2.0
Environment: Centos 8.2
MariaDB Server 10.3.17.1.module_el8.1.0+257+48736ea6,
MariaDB Java Client 2.2.5.2.el8 (provides MariaDB JDBC jar file),
Tomcat 9.037,
Guacamole 1.2.0 (server, client, database authentication extension and TOTP authentication extension)
Reporter: J.T. Moore
Attachments: UserVerificationService.java
Problem:
When the TOTP module is installed and MariaDB is used for database authentication, no users can complete TOTP enrollment. When a user attempts to login the first time after TOTP is enabled, the enrollment QR code is displayed as expected and I can see where records for the *guac-totp-key-secret=[_new_key_value_]* and *guac-totp-key-confirmed=false* attributes are correctly inserted to the guacamole_user_attribute table for the user. However, when the user scans the QR code with their authenticator app and then provides the correct authentication code, the “verification failed” message is always displayed and the user cannot login.
Background:
MariaDB has replaced MySQL in the official RHEL 8 and Centos 8 repositories.
Database authentication for Guacamole works as expected when the TOTP module is not used and Guacamole is configured to use MariaDB per the instructions at [https://guacamole.apache.org/doc/gug/jdbc-auth.html] (i.e. using *mysql-driver: mariadb* in guacamole.properties and a link to the MariaDB jdbc driver {{in GUACAMOLE_HOME/lib}}). However, the problem described above occurs when the TOTP module is then moved into the {{GUACAMOLE_HOME}}/extensions folder and Tomcat is restarted.
Initial Analysis:
I added some debug logging to guacamole-client-1.2.0/extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/auth/totp/user/UserVerificationService.java to gather some more information (see attached UserVerificationService.java containing the logging modifications). From that, I found that when the getKey() method is called during the authentication step, the *if (secret == null)* condition is always matched. So, a new secret is then generated during each attempt verify the authentication code and the existing records in guacamole_user_attribute for guac-totp-key-secret and guac-totp-key-confirmed for the user are replaced . However, since the user and server are using different keys at that point, the generated authentication codes don’t match. So, there appears to be a problem retrieving the guac-totp-key-secret attribute for the user from the database even though the records can be inserted and deleted correctly.
Workaround:
Replacing MariaDB with MySQL community 8.0.21 (along with setting *mysql-driver: mysql* in guacamole.properties and adding a link to the MySQL jdbc driver in {{GUACAMOLE_HOME/lib}}) resolves the issue. However, this is not a great solution since MySQL is no longer part of the native OS repositories or even the EPEL repositories and its usually best to avoid using 3rd party RPM repositories or installing software from source on RHEL and Centos system when possible to make it easier to keep systems up-to-date and maintain system stability while minimizing the chances for unexpected application and configuration conflicts.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)