Posted to dev@guacamole.apache.org by Murat BÜLBÜL <1m...@gmail.com> on 2020/07/11 11:31:39 UTC
TOTP
Hi,
I hope you are doing well.
Is there any problem with TOTP 1.2.0? In my environment, there are two
different containers, mysql and guacamole. OTP code does not match even if
system and containers' time are the same.
I did not catch any errors even after debug mode was enabled. Any idea? Is
this a Java timezone issue?
admin> docker exec -it mysql date
Sat Jul 11 14:24:05 +03 2020
admin> docker exec -it guacamole date
Sat Jul 11 14:24:06 +03 2020
admin> date
Cts Tem 11 14:24:07 +03 2020
MariaDB [guacamole_db]> select * from guacamole_user_attribute;
+---------+-------------------------+----------------------------------+
| user_id | attribute_name          | attribute_value                  |
+---------+-------------------------+----------------------------------+
|       1 | guac-totp-key-confirmed | false                            |
|       1 | guac-totp-key-secret    | A63XG45HXMUGZBF2YNBEM4MYVQHYLJFU |
|       2 | guac-totp-key-confirmed | false                            |
|       2 | guac-totp-key-secret    | R2OZG6LBTOHHZWOMCAKPLOO5KSWPRUVK |
+---------+-------------------------+----------------------------------+
14:23:13.398 [https-openssl-nio-8443-exec-5] INFO o.a.g.r.auth.AuthenticationService - User "test" successfully authenticated from 10.100.100.1.
14:23:28.140 [https-openssl-nio-8443-exec-3] INFO o.a.g.r.auth.AuthenticationService - User "test" successfully authenticated from 10.100.100.1.
--
Murat BÜLBÜL
Re: TOTP
Posted by Murat BÜLBÜL <1m...@gmail.com>.
Ok Mike. Thank you for the clarification.
On 12 Jul 2020 Sun at 00:45 Mike Jumper <mj...@apache.org> wrote:
> Reading through the TOTP extension code, I see the "totp-period" property
> value used only to affect code invalidation, with code generation always
> using the default value of 30:
>
>
> https://github.com/apache/guacamole-client/blob/3c4c81f0b6b9700abccaefcc695058e515b8b20b/extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/auth/totp/user/UserVerificationService.java#L272-L274
> <
> https://github.com/apache/guacamole-client/blob/33fa0033d20d2d735f858ef0d822a7a219080c5f/extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/auth/totp/user/UserVerificationService.java#L272-L274
> >
>
>
> https://github.com/apache/guacamole-client/blob/3c4c81f0b6b9700abccaefcc695058e515b8b20b/extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/totp/TOTPGenerator.java#L278-L281
>
> That behavior is likely a bug, however Google Authenticator is currently
> documented as ignoring the period value and always assuming 30:
>
> https://github.com/google/google-authenticator/wiki/Key-Uri-Format
>
> Assuming this is still the case, I would expect Google Authenticator to
> currently work (as the extension behavior will effectively ignore the
> period), and to stop working as soon as the overridden period is taken into
> account for code generation (as Google Authenticator would no longer
> generate the same codes). I can confirm that Google Authenticator does
> appear to assume 30 regardless of the period within the QR code, at least
> on Android.
>
> Overall:
>
> 1) This is probably a bug and should be fixed.
> 2) If any of your users will use Google Authenticator, you shouldn't
> override the defaults.
>
> - Mike
>
> On Sat, Jul 11, 2020 at 2:08 PM Murat BÜLBÜL <1m...@gmail.com>
> wrote:
>
> > Hi Mike,
> >
> > I am using a MacBook Air. My test phone is an iPhone 8 Plus. I issued QR with
> > both Google Authenticator and YAKey. Both generate the same result.
> >
> > Murat
> >
> >
> > On 11 Jul 2020 Sat at 23:40 Mike Jumper <mj...@apache.org> wrote:
> >
> > > On Sat, Jul 11, 2020, 10:56 Murat BÜLBÜL <1m...@gmail.com> wrote:
> > >
> > > > I found the reason and it is interesting. Only 30 seconds is generating
> > > > valid code. No successful result for below other cases.
> > > >
> > > > totp-period: 31 : not working
> > > >
> > > > totp-period: 60 : not working
> > > >
> > > > *totp-period: 30 : working*
> > > >
> > > > totp-period: 20 : not working
> > > >
> > >
> > > Are you sure your authentication device supports periods other than 30?
> > >
> > > - Mike
> > >
> > --
> > Murat BÜLBÜL
> >
>
--
Murat BÜLBÜL
Re: TOTP
Posted by Mike Jumper <mj...@apache.org>.
Reading through the TOTP extension code, I see the "totp-period" property
value used only to affect code invalidation, with code generation always
using the default value of 30:
https://github.com/apache/guacamole-client/blob/3c4c81f0b6b9700abccaefcc695058e515b8b20b/extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/auth/totp/user/UserVerificationService.java#L272-L274
<https://github.com/apache/guacamole-client/blob/33fa0033d20d2d735f858ef0d822a7a219080c5f/extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/auth/totp/user/UserVerificationService.java#L272-L274>
https://github.com/apache/guacamole-client/blob/3c4c81f0b6b9700abccaefcc695058e515b8b20b/extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/totp/TOTPGenerator.java#L278-L281
That behavior is likely a bug, however Google Authenticator is currently
documented as ignoring the period value and always assuming 30:
https://github.com/google/google-authenticator/wiki/Key-Uri-Format
Assuming this is still the case, I would expect Google Authenticator to
currently work (as the extension behavior will effectively ignore the
period), and to stop working as soon as the overridden period is taken into
account for code generation (as Google Authenticator would no longer
generate the same codes). I can confirm that Google Authenticator does
appear to assume 30 regardless of the period within the QR code, at least
on Android.
Overall:
1) This is probably a bug and should be fixed.
2) If any of your users will use Google Authenticator, you shouldn't
override the defaults.
- Mike
On Sat, Jul 11, 2020 at 2:08 PM Murat BÜLBÜL <1m...@gmail.com>
wrote:
> Hi Mike,
>
> I am using a MacBook Air. My test phone is an iPhone 8 Plus. I issued QR with
> both Google Authenticator and YAKey. Both generate the same result.
>
> Murat
>
>
> On 11 Jul 2020 Sat at 23:40 Mike Jumper <mj...@apache.org> wrote:
>
> > On Sat, Jul 11, 2020, 10:56 Murat BÜLBÜL <1m...@gmail.com> wrote:
> >
> > > I found the reason and it is interesting. Only 30 seconds is generating
> > > valid code. No successful result for below other cases.
> > >
> > > totp-period: 31 : not working
> > >
> > > totp-period: 60 : not working
> > >
> > > *totp-period: 30 : working*
> > >
> > > totp-period: 20 : not working
> > >
> >
> > Are you sure your authentication device supports periods other than 30?
> >
> > - Mike
> >
> --
> Murat BÜLBÜL
>
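Added example, not part of the original thread and not Guacamole's code: a minimal RFC 6238 implementation showing what the message above predicts, namely that a code from an authenticator that always assumes a 30-second period is rejected by a verifier computing codes with any other period. The key is the RFC 6238 test key, the timestamp is constructed, and `accepted_periods` is a hypothetical diagnostic helper.

```python
import base64, hashlib, hmac, struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32: str, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of whole periods since the epoch."""
    return hotp(base64.b32decode(secret_b32), unix_time // period, digits)

def verify(secret_b32, code, unix_time, period=30, window=1):
    """Verifier side: accept the current time step and `window` steps either side."""
    key = base64.b32decode(secret_b32)
    step = unix_time // period
    return any(hmac.compare_digest(code, hotp(key, c))
               for c in range(max(0, step - window), step + window + 1))

def accepted_periods(secret_b32, code, unix_time, candidates=(20, 30, 60)):
    """Diagnostic (hypothetical helper): which verifier periods accept this code now?"""
    return [p for p in candidates if verify(secret_b32, code, unix_time, p)]

# Constructed inputs: the RFC 6238 test key (not a key from this thread) and an
# arbitrary timestamp.
SECRET = base64.b32encode(b"12345678901234567890").decode()
NOW = 1594466645

if __name__ == "__main__":
    app_code = totp(SECRET, NOW)  # authenticator that always assumes period=30
    print("code from a 30 s authenticator:", app_code)
    print("verifier periods that accept it:", accepted_periods(SECRET, app_code, NOW))
```

Because the counter is `unix_time // period`, client and verifier agree only when both use the same period; identical clocks, as in the `date` output at the top of the thread, are not sufficient.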
Re: TOTP
Posted by Murat BÜLBÜL <1m...@gmail.com>.
Hi Mike,
I am using a MacBook Air. My test phone is an iPhone 8 Plus. I issued QR with
both Google Authenticator and YAKey. Both generate the same result.
Murat
On 11 Jul 2020 Sat at 23:40 Mike Jumper <mj...@apache.org> wrote:
> On Sat, Jul 11, 2020, 10:56 Murat BÜLBÜL <1m...@gmail.com> wrote:
>
> > I found the reason and it is interesting. Only 30 seconds is generating
> > valid code. No successful result for below other cases.
> >
> > totp-period: 31 : not working
> >
> > totp-period: 60 : not working
> >
> > *totp-period: 30 : working*
> >
> > totp-period: 20 : not working
> >
>
> Are you sure your authentication device supports periods other than 30?
>
> - Mike
>
--
Murat BÜLBÜL
Re: TOTP
Posted by Mike Jumper <mj...@apache.org>.
On Sat, Jul 11, 2020, 10:56 Murat BÜLBÜL <1m...@gmail.com> wrote:
> I found the reason and it is interesting. Only 30 seconds is generating
> valid code. No successful result for below other cases.
>
> totp-period: 31 : not working
>
> totp-period: 60 : not working
>
> *totp-period: 30 : working*
>
> totp-period: 20 : not working
>
Are you sure your authentication device supports periods other than 30?
- Mike
Re: TOTP
Posted by Murat BÜLBÜL <1m...@gmail.com>.
I found the reason and it is interesting. Only 30 seconds is generating
valid code. No successful result for below other cases.
totp-period: 31 : not working
totp-period: 60 : not working
*totp-period: 30 : working*
totp-period: 20 : not working
On Sat, 11 Jul 2020 at 14:31, Murat BÜLBÜL <1m...@gmail.com> wrote:
> Hi,
>
> I hope you are doing well.
>
> Is there any problem with TOTP 1.2.0? In my environment, there are two
> different containers, mysql and guacamole. OTP code does not match even if
> system and containers' time are the same.
>
> I did not catch any errors even after debug mode was enabled. Any idea? Is
> this a Java timezone issue?
>
> admin> docker exec -it mysql date
>
> Sat Jul 11 14:24:05 +03 2020
>
> admin> docker exec -it guacamole date
>
> Sat Jul 11 14:24:06 +03 2020
>
> admin> date
>
> Cts Tem 11 14:24:07 +03 2020
>
> MariaDB [guacamole_db]> select * from guacamole_user_attribute;
>
> +---------+-------------------------+----------------------------------+
>
> | user_id | attribute_name | attribute_value |
>
> +---------+-------------------------+----------------------------------+
>
> | 1 | guac-totp-key-confirmed | false |
>
> | 1 | guac-totp-key-secret | A63XG45HXMUGZBF2YNBEM4MYVQHYLJFU |
>
> | 2 | guac-totp-key-confirmed | false |
>
> | 2 | guac-totp-key-secret | R2OZG6LBTOHHZWOMCAKPLOO5KSWPRUVK |
>
> +---------+-------------------------+----------------------------------+
>
>
>
> 14:23:13.398 [https-openssl-nio-8443-exec-5] INFO o.a.g.r.auth.AuthenticationService
> - User "test" successfully authenticated from 10.100.100.1.
>
> 14:23:28.140 [https-openssl-nio-8443-exec-3] INFO o.a.g.r.auth.AuthenticationService
> - User "test" successfully authenticated from 10.100.100.1.
>
> --
>
> Murat BÜLBÜL
>
>
--
Murat BÜLBÜL
Presales Engineer