You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@guacamole.apache.org by "Connor Norris (Jira)" <ji...@apache.org> on 2022/10/01 04:56:00 UTC
[jira] [Commented] (GUACAMOLE-1691) Reproduceable bug: TOTP incompatible with 'expire password' checkbox
[ https://issues.apache.org/jira/browse/GUACAMOLE-1691?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17611821#comment-17611821 ]
Connor Norris commented on GUACAMOLE-1691:
------------------------------------------
[~mjumper] ah man, that makes perfect sense. Thanks a ton for the reply, I'll find a different way to accomplish it. I could have sworn these two were working together in previous builds (1.3?) but I wouldn't be surprised if I just ignored it at the time.
Well, there were no results on the ol' google for totp and password expiration conflicting - so hopefully this ticket makes its way to the search engine and helps a few others not go down the rabbit hole of checking all the password hashes and comparing before and afters etc, etc haha. If getting password expiration and TOTP working in tandem isn't on the roadmap definitely feel free to close this ticket out!
As a side note, Guac has been fantastic to work with and setup - xrdp on linux hosts with pulseaudio passthrough, amazing stuff. Thanks for all y'all do.
Maybe a warning about TOTP and password expiration should be added to the docs here [TOTP two-factor authentication — Apache Guacamole Manual v1.4.0|https://guacamole.apache.org/doc/gug/totp-auth.html]
Thanks again!
> Reproduceable bug: TOTP incompatible with 'expire password' checkbox
> --------------------------------------------------------------------
>
> Key: GUACAMOLE-1691
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1691
> Project: Guacamole
> Issue Type: Bug
> Environment: Current envrionment:
> - Ubuntu 20.04.5 LTS Server
> - Guacamole server 1.4.0
> - guacamole-auth-jdbc-1.4.0
> - mysql-connector-java-8.0.30
> - guacamole-server-1.4.0
> - 10.3.34-MariaDB-0ubuntu0.20.04.1
> ## (i've tried many more as well, see 'things i've tried' below)
> Reporter: Connor Norris
> Priority: Major
>
> Hello avocado enthusiasts,
> I believe i've discovered a bug - i've spent the past 5 days inadvertently finding every environment its reproduceable in while trying to avoid it. This was not an issue around ~6 months ago when I last used guacamole, but it is now... maybe
> It would seem that TOTP is very specifically incompatible with the "expire password" checkbox in the Guac GUI.
> I have reached pretty much the full extent of my ability to debug this, and have tried... a lot... of different fixes and installation methods. Some pointers to a relevant log file with more verbosity would be incredibly useful! I'll try to format both what i've tried, the relevant logs, and how guac is currently installed below.
> Behavior:
> - On a clean install, the expire password checkbox functions normally. user1 inputs password1, then they are prompted to change their expired password, and they input password2. Password 2 becomes their new password
> - After installing TOTP, then expiring a password, after the user changes password1 to password2 and inputstheir valid 2FA code, the user is sent back to the login screen with 'invalid login' at the top.
> - If user1 enters password1, (or any random password) they get 'invalid login' (expected)
> - if user1 now enters password2, they get 'Verification failed. Please try again.' ... this sorta implies that it KNOWS this is the correct newly updated password, given the error message is only different when entering that one password
> - user1 can no longer login without admin account intervention.
> Other pertinent details:
> - TOTP functions as expected in all other use cases. Clear TOTP and Confirm TOTP both function as expected.
> - The password for user1 can still be set manually by admin accounts
> - The self-serve 'change own password' bit still functions as expected
> - Clearing the TOTP secret while expiring the password in tandem does not solve the issue.
> - granting the user anything from change password, to all permissions and admin has no impact
> - Only the specific combination 'totp' + 'expire-password' seem to be incompatible
> Current environment:
> - Ubuntu 20.04.5 LTS Server
> - Guacamole server 1.4.0
> - guacamole-auth-jdbc-1.4.0
> - mysql-connector-java-8.0.30
> - guacamole-server-1.4.0
> - 10.3.34-MariaDB-0ubuntu0.20.04.1
> (i've tried many more as well, see 'things i've tried' below)
>
> {code:java}
> // /etc/guacamole/guacamole.properties
> ## MySQL properties
> mysql-hostname: 127.0.0.1
> mysql-port: 3306
> mysql-database: guacamole_db
> mysql-username: guacamole_user
> mysql-password: censored
> ## TOTP properties
> totp-issuer: guacamole
> ## (i've tried not changing the issuer as well{code}
>
> {code:java}
> // catalina.out
> log/var/lib/tomcat9/logs/catalina.out:727:[2022-09-30 20:10:01] [info] 20:10:01.371 [http-nio-8080-exec-8] INFO o.a.g.r.auth.AuthenticationService - User "user1" successfully authenticated from IPaddrX.
> /var/lib/tomcat9/logs/catalina.out:728:[2022-09-30 20:10:01] [info] 20:10:01.373 [http-nio-8080-exec-8] INFO o.a.g.auth.jdbc.user.UserService - Expired password of user "user1" has been reset.
> /var/lib/tomcat9/logs/catalina.out:729:[2022-09-30 20:10:20] [info] 20:10:20.475 [http-nio-8080-exec-7] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from IPaddrX for user "user1" failed
> {code}
>
> {code:java}
> // from the guacamole_db
> // the most interesting/notable thing here, is that the 'change own password' system permission seems to be missing from the user? it is visibly set in the gui. Not sure if that would be a row in system_permission or not.
> [guacamole_db]> select * from guacamole_entity where name=user1\G
> entity_id: 4
> name: user1
> type: USER
> [guacamole_db]> select * from guacamole_system_permission WHERE entity_id=4\G
> 1. row
> entity_id: 4
> permission: CREATE_CONNECTION
> 2. row
> entity_id: 4
> permission: CREATE_CONNECTION_GROUP
> 3. row
> entity_id: 4
> permission: CREATE_SHARING_PROFILE
> 4. row
> entity_id: 4
> permission: CREATE_USER
> 5. row
> entity_id: 4
> permission: CREATE_USER_GROUP
> 6. row
> entity_id: 4
> permission: ADMINISTER
> 6 rows in set (0.000 sec)
>
> [guacamole_db]> select * from guacamole_user_password_history\G
> Empty set (0.000 sec)
> ?? note: password history definitely exists... entering an old password generates and error the old and the new cannot be the same
> [guacamole_db]> select * from guacamole_user_permission WHERE entity_id=4\G
> 1. row
> entity_id: 4
> affected_user_id: 4
> permission: READ
> 2. row
> entity_id: 4
> affected_user_id: 4
> permission: UPDATE
> 2 rows in set (0.000 sec){code}
>
> Things i've tried so far:
> - full wipe, installing guacamole from source as per the apache site instructions
> - installing using docker instead
> - ubuntu 22.04, ubuntu 20.04
> - using mySQL instead of MariaDB
> - adding TOTP before first login
> - adding TOTP after accounts are made
>
> TLDR:
> TOTP and 'expire password' seem to conflict. The most notable thing here is that in the guacamole_system_permission table i was expecting to see a 'change own password' value just like there is in the gui.
> I've tried just about every different database and install method thats supported, all with the same result.
> Please let me know if there is any other data I should share, or if anyone has any ideas.
> Thanks!
> Connor
--
This message was sent by Atlassian Jira
(v8.20.10#820010)