Posted to user@guacamole.apache.org by Sean Hulbert <sh...@securitycentric.net.INVALID> on 2023/03/25 07:27:21 UTC
DUO token issues
Hello,
So I have only the DUO Jar in the extensions folder and my
guacamole.properties has the following:
mysql-hostname: localhost
mysql-port: 3306
mysql-database: SOMEDB
mysql-username: SOMEUSER
mysql-password: SOMEPASSWORD
mysql-user-password-min-length: 12
mysql-user-password-min-age: 7
mysql-user-password-max-age: 60
mysql-user-password-history-size: 6
mysql-user-password-require-multiple-case: true
mysql-user-password-require-symbol: true
mysql-user-password-require-digit: true
mysql-user-password-prohibit-username: true
mysql-server-timezone: America/Los_Angeles
totp-issuer: Internal-NAMEHERE
totp-mode: sha512
api-session-timeout: 5
duo-api-hostname: api-xxxxxxx.duosecurity.com
duo-integration-key: CLIENT ID FROM DUO HERE
duo-secret-key: SECRET FROM DUO HERE
duo-application-key: GENERATED ON GUACAMOLE USING PWGEN 40 1
I get this error: LOGIN.INFO_DUO_AUTH_REQUIRED
Permissions are set correctly; I set it to the same as my TOTP jar when it was in
the extension directory.
I did change MySQL daemon to use loopback on both bind-address and
mysqlx-bind-address, could this be an issue?
LOGS:
localhost_access_log.2023-03-25.txt
127.0.0.1 - - [25/Mar/2023:00:00:02 -0700] "GET
/duo/api/session/data/mysql/connectionGroups/ROOT/tree HTTP/1.1" 200 1188
127.0.0.1 - - [25/Mar/2023:00:00:02 -0700] "GET
/duo/api/session/data/mysql-shared/self/effectivePermissions HTTP/1.1" 200
248
127.0.0.1 - - [25/Mar/2023:00:00:02 -0700] "GET
/duo/api/session/data/mysql-shared/activeConnections HTTP/1.1" 200 2
127.0.0.1 - - [25/Mar/2023:00:00:03 -0700] "GET
/duo/api/session/data/mysql/users/USERACCOUNTHERE HTTP/1.1" 200 380
127.0.0.1 - - [25/Mar/2023:00:00:03 -0700] "GET
/duo/api/session/data/mysql/self/effectivePermissions HTTP/1.1" 200 396
127.0.0.1 - - [25/Mar/2023:00:00:03 -0700] "GET
/duo/api/session/data/mysql/activeConnections HTTP/1.1" 200 2
127.0.0.1 - - [25/Mar/2023:00:18:01 -0700] "DELETE /duo/api/session
HTTP/1.1" 403 192
127.0.0.1 - - [25/Mar/2023:00:18:02 -0700] "POST /duo/api/tokens HTTP/1.1"
403 257
127.0.0.1 - - [25/Mar/2023:00:18:18 -0700] "POST /duo/api/tokens HTTP/1.1"
403 616
127.0.0.1 - - [25/Mar/2023:00:18:23 -0700] "POST /duo/api/tokens HTTP/1.1"
400 201
catalina.out
[2023-03-24 23:59:35] [info] 23:59:35.793 [main] INFO
o.a.g.t.w.WebSocketTunnelModule - Loading JSR-356 WebSocket support...
[2023-03-24 23:59:37] [info] 23:59:37.574 [main] WARN
o.g.jersey.server.wadl.WadlFeature - JAXBContext implementation could not be
found. WADL feature is disabled.
[2023-03-24 23:59:38] [info] Deployment of web application archive
[/var/lib/tomcat9/webapps/duo.war] has finished in [13,607] ms
[2023-03-24 23:59:38] [info] Deploying web application directory
[/var/lib/tomcat9/webapps/ROOT]
[2023-03-24 23:59:39] [info] At least one JAR was scanned for TLDs yet
contained no TLDs. Enable debug logging for this logger for a complete list
of JARs that were scanned but no TLDs were found in them. Skipping unneeded
JARs during scanning can improve startup time and JSP compilation time.
[2023-03-24 23:59:39] [info] Deployment of web application directory
[/var/lib/tomcat9/webapps/ROOT] has finished in [1,450] ms
[2023-03-24 23:59:39] [info] Starting ProtocolHandler ["http-nio-8080"]
[2023-03-24 23:59:39] [info] Server startup in [15347] milliseconds
[2023-03-24 23:59:40] [info] Loading class `com.mysql.jdbc.Driver'. This is
deprecated. The new driver class is `com.mysql.cj.jdbc.Driver'. The driver
is automatically registered via the SPI and manual loading of the driver
class is generally unnecessary.
[2023-03-25 00:00:01] [info] 00:00:01.456 [http-nio-8080-exec-8] INFO
o.a.g.r.auth.AuthenticationService - User "USERACCOUNTHERE" successfully
authenticated from [172.16.8.2, 127.0.0.1].
guac_access.log
172.16.8.2 - - [25/Mar/2023:00:00:02 -0700] "GET
/duo/api/session/data/mysql-shared/self/effectivePermissions HTTP/1.1" 200
248 "http://internal2.domainname.net/duo/" "Mozilla/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0
Safari/537.36"
172.16.8.2 - - [25/Mar/2023:00:00:02 -0700] "GET
/duo/api/session/data/mysql-shared/activeConnections HTTP/1.1" 200 2
"http://internal2. domainname.net/duo/" "Mozilla/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0
Safari/537.36"
172.16.8.2 - - [25/Mar/2023:00:00:03 -0700] "GET
/duo/api/session/data/mysql/users/USERACCOUNT HTTP/1.1" 200 380
"http://internal2. domainname.net/duo/" "Mozilla/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0
Safari/537.36"
172.16.8.2 - - [25/Mar/2023:00:00:03 -0700] "GET
/duo/api/session/data/mysql/activeConnections HTTP/1.1" 200 2
"http://internal2. domainname.net/duo/" "Mozilla/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0
Safari/537.36"
172.16.8.2 - - [25/Mar/2023:00:00:03 -0700] "GET
/duo/api/session/data/mysql/self/effectivePermissions HTTP/1.1" 200 396
"http://internal2. domainname.net/duo/" "Mozilla/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0
Safari/537.36"
error.log
2023-03-25T06:04:55.313186Z 0 [System] [MY-010931] [Server]
/usr/sbin/mysqld: ready for connections. Version: '8.0.32' socket:
'/var/run/mysqld/mysqld.sock' port: 3306 MySQL Community Server - GPL.
2023-03-25T06:08:26.630978Z 0 [System] [MY-013172] [Server] Received
SHUTDOWN from user <via user signal>. Shutting down mysqld (Version:
8.0.32).
2023-03-25T06:08:27.653730Z 0 [System] [MY-010910] [Server]
/usr/sbin/mysqld: Shutdown complete (mysqld 8.0.32) MySQL Community Server
- GPL.
2023-03-25T06:08:28.254101Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld
(mysqld 8.0.32) starting as process 1127
2023-03-25T06:08:28.280025Z 1 [System] [MY-013576] [InnoDB] InnoDB
initialization has started.
2023-03-25T06:08:28.929874Z 1 [System] [MY-013577] [InnoDB] InnoDB
initialization has ended.
2023-03-25T06:08:29.491066Z 0 [Warning] [MY-010068] [Server] CA certificate
ca.pem is self signed.
2023-03-25T06:08:29.491304Z 0 [System] [MY-013602] [Server] Channel
mysql_main configured to support TLS. Encrypted connections are now
supported for this channel.
2023-03-25T06:08:29.621014Z 0 [System] [MY-011323] [Server] X Plugin ready
for connections. Bind-address: '127.0.0.1' port: 33060, socket:
/var/run/mysqld/mysqlx.sock
2023-03-25T06:08:29.621889Z 0 [System] [MY-010931] [Server]
/usr/sbin/mysqld: ready for connections. Version: '8.0.32' socket:
'/var/run/mysqld/mysqld.sock' port: 3306 MySQL Community Server - GPL.
Thoughts?
RE: DUO token issues
Posted by Sean Hulbert <sh...@securitycentric.net.INVALID>.
Never mind,
The guacamole.properties has a trailing whitespace after the URL.
Thank you
Sean Hulbert
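A check for the kind of invisible trailing whitespace reported in the reply, as an added example that is not part of the original thread or of Guacamole itself. It assumes the file is parsed with java.util.Properties semantics, where whitespace before a value is dropped but whitespace after it stays in the value; the function name and sample input are constructed.

```python
import re
import sys

# Constructed sample: a fragment shaped like the posted configuration, with a
# trailing tab, a trailing space after the Duo hostname, and a trailing
# non-breaking space (U+00A0), which most editors do not display.
SAMPLE = (
    "mysql-hostname: localhost\n"
    "# comment line with trailing space \n"
    "totp-mode: sha512\t\n"
    "duo-api-hostname: api-xxxxxxx.duosecurity.com \n"
    "duo-secret-key: PLACEHOLDER\u00a0\n"
    "api-session-timeout: 5\r\n"
)

# key, optional whitespace, ':' or '=' separator, optional whitespace, value
LINE_RE = re.compile(r"^\s*([^\s:=#!][^\s:=]*)\s*[:=]?\s*(.*)$")


def find_trailing_whitespace(text):
    """Return (line_no, key, tail) for every value that ends in whitespace."""
    findings = []
    # splitlines() treats \n, \r and \r\n as terminators, so a CRLF file is
    # not reported: the line ending is not part of the value.
    for line_no, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.lstrip()
        if not stripped or stripped[0] in "#!":
            continue  # blank lines and comments carry no value
        match = LINE_RE.match(raw)
        if not match:
            continue
        key, value = match.groups()
        tail = value[len(value.rstrip()):]  # rstrip() also catches U+00A0
        if tail:
            findings.append((line_no, key, tail))
    return findings


if __name__ == "__main__":
    # Pass a path to check a real file; with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            content = handle.read()
    else:
        content = SAMPLE
    for line_no, key, tail in find_trailing_whitespace(content):
        print(f"line {line_no}: {key} ends with {tail!r}")
```
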