You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@guacamole.apache.org by "Connor Norris (Jira)" <ji...@apache.org> on 2022/09/30 21:20:00 UTC

[jira] [Created] (GUACAMOLE-1691) Reproduceable bug: TOTP incompatible with 'expire password' checkbox

Connor Norris created GUACAMOLE-1691:
----------------------------------------

             Summary: Reproduceable bug: TOTP incompatible with 'expire password' checkbox
                 Key: GUACAMOLE-1691
                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1691
             Project: Guacamole
          Issue Type: Bug
         Environment: Current envrionment: 
- Ubuntu 20.04.5 LTS Server
- Guacamole server 1.4.0
- guacamole-auth-jdbc-1.4.0
- mysql-connector-java-8.0.30
- guacamole-server-1.4.0 
- 10.3.34-MariaDB-0ubuntu0.20.04.1 
## (i've tried many more as well, see 'things i've tried' below)
            Reporter: Connor Norris


Hello avocado enthusiasts, 

I believe i've discovered a bug - i've spent the past 5 days inadvertently finding every environment its reproduceable in while trying to avoid it. This was not an issue around ~6 months ago when I last used guacamole, but it is now... maybe 

It would seem that TOTP is very specifically incompatible with the "expire password" checkbox in the Guac GUI. 

I have reached pretty much the full extent of my ability to debug this, and have tried... a lot... of different fixes and installation methods. Some pointers to a relevant log file with more verbosity would be incredibly useful! I'll try to format both what i've tried, the relevant logs, and how guac is currently installed below. 

Behavior:
- On a clean install, the expire password checkbox functions normally. user1 inputs password1, then they are prompted to change their expired password, and they input password2. Password 2 becomes their new password
- After installing TOTP, then expiring a password, after the user changes password1 to password2 and inputstheir valid 2FA code, the user is sent back to the login screen with 'invalid login' at the top.
- If user1 enters password1, (or any random password) they get 'invalid login' (expected)
- if user1 now enters password2, they get 'Verification failed. Please try again.' ... this sorta implies that it KNOWS this is the correct newly updated password, given the error message is only different when entering that one password
- user1 can no longer login without admin account intervention. 

Other pertinent details:
- TOTP functions as expected in all other use cases. Clear TOTP and Confirm TOTP both function as expected. 
- The password for user1 can still be set manually by admin accounts
- The self-serve 'change own password' bit still functions as expected
- Clearing the TOTP secret while expiring the password in tandem does not solve the issue. 
- granting the user anything from change password, to all permissions and admin has no impact
- Only the specific combination 'totp' + 'expire-password' seem to be incompatible


Current environment: 
- Ubuntu 20.04.5 LTS Server
- Guacamole server 1.4.0
- guacamole-auth-jdbc-1.4.0
- mysql-connector-java-8.0.30
- guacamole-server-1.4.0 
- 10.3.34-MariaDB-0ubuntu0.20.04.1 
## (i've tried many more as well, see 'things i've tried' below)

### /etc/guacamole/guacamole.properties

# MySQL properties
mysql-hostname: 127.0.0.1
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: censored
# TOTP properties
totp-issuer: guacamole 
# (i've tried not changing the issuer as well)


### catalina.out log
/var/lib/tomcat9/logs/catalina.out:727:[2022-09-30 20:10:01] [info] 20:10:01.371 [http-nio-8080-exec-8] INFO  o.a.g.r.auth.AuthenticationService - User "user1" successfully authenticated from IPaddrX.
/var/lib/tomcat9/logs/catalina.out:728:[2022-09-30 20:10:01] [info] 20:10:01.373 [http-nio-8080-exec-8] INFO  o.a.g.auth.jdbc.user.UserService - Expired password of user "user1" has been reset.
/var/lib/tomcat9/logs/catalina.out:729:[2022-09-30 20:10:20] [info] 20:10:20.475 [http-nio-8080-exec-7] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from IPaddrX for user "user1" failed.

### from the guacamole_db

## the most interesting/notable thing here, is that the 'change own password' system permission seems to be missing from the user??? it is visibly set in the gui. Not sure if that would be a row in system_permission or not. 

[guacamole_db]> select * from guacamole_entity where name=user1\G
    entity_id: 4
             name: user1
             type: USER

[guacamole_db]> select * from guacamole_system_permission WHERE entity_id=4\G
    *************************** 1. row ***************************
     entity_id: 4
    permission: CREATE_CONNECTION
    *************************** 2. row ***************************
     entity_id: 4
    permission: CREATE_CONNECTION_GROUP
    *************************** 3. row ***************************
     entity_id: 4
    permission: CREATE_SHARING_PROFILE
    *************************** 4. row ***************************
     entity_id: 4
    permission: CREATE_USER
    *************************** 5. row ***************************
     entity_id: 4
    permission: CREATE_USER_GROUP
    *************************** 6. row ***************************
     entity_id: 4
    permission: ADMINISTER
    6 rows in set (0.000 sec)

 

             
[guacamole_db]> select * from guacamole_user_password_history\G
Empty set (0.000 sec)
## ?????? password history definitely exists... entering an old password generates and error the old and the new cannot be the same

[guacamole_db]> select * from guacamole_user_permission WHERE entity_id=4\G
*************************** 1. row ***************************
       entity_id: 4
affected_user_id: 4
      permission: READ
*************************** 2. row ***************************
       entity_id: 4
affected_user_id: 4
      permission: UPDATE
2 rows in set (0.000 sec)


Things i've tried so far:
- full wipe, installing guacamole from source as per the apache site instructions
- installing using docker instead
- ubuntu 22.04, ubuntu 20.04
- using mySQL instead of MariaDB
- adding TOTP before first login
- adding TOTP after accounts are made

TLDR:
TOTP and 'expire password' seem to conflict. The most notable thing here is that in the guacamole_system_permission table i was expecting to see a 'change own password' value just like there is in the gui. 
I've tried just about every different database and install method thats supported, all with the same result. 
Please let me know if there is any other data I should share, or if anyone has any ideas. 

Thanks! 
Connor



--
This message was sent by Atlassian Jira
(v8.20.10#820010)