Posted to user@guacamole.apache.org by Kalle Jääskeläinen <ka...@gmail.com> on 2018/04/15 08:37:34 UTC

TOTP Google Authenticator gives "Verification failed. Please try again."

Hi all,

I compiled the latest and greatest server and client yesterday from master to try out the Google Auth TOTP extension.

I got everything working great (first time I built it from source) to a point where I log in using the password, get a QR code for the new account, and get an "Apache Guacamole (topttest (or guacadmin))" entry in the Google Authenticator (Android) application with a changing code, but when I enter it, it just keeps on saying "Verification failed. Please try again."
Both topttest (normal account with only change password permission) and guacadmin have the same behavior.

If I take the TOTP extension out, the users (topttest, guacadmin) can access OK using just the password.

I'm using MySQL, schema etc. built using the scripts I got from master.

After failed login attempts (tried both topttest and guacadmin) MySQL shows

mysql> SELECT * FROM guacamole_user_attribute;
+---------+-------------------------+----------------------------------+
| user_id | attribute_name          | attribute_value                  |
+---------+-------------------------+----------------------------------+
|       1 | guac-totp-key-confirmed | false                            |
|       1 | guac-totp-key-secret    | XXVBQ3HTHLJMXRNPMD57ZIZG2ZIN2U43 |
|       5 | guac-totp-key-confirmed | false                            |
|       5 | guac-totp-key-secret    | YAKJNQMMZKY2MVIVCGSV6TMXLOUD2VIR |
+---------+-------------------------+----------------------------------+
4 rows in set (0.00 sec)

mysql> SELECT * FROM guacamole_user;
+---------+-----------+----------------------------------+----------------------------------+---------------------+----------+---------+---------------------+-------------------+------------+-------------+----------+-----------+---------------+--------------+---------------------+
| user_id | username  | password_hash                    | password_salt                    | password_date       | disabled | expired | access_window_start | access_window_end | valid_from | valid_until | timezone | full_name | email_address | organization | organizational_role |
+---------+-----------+----------------------------------+----------------------------------+---------------------+----------+---------+---------------------+-------------------+------------+-------------+----------+-----------+---------------+--------------+---------------------+
|       1 | guacadmin | ?E?}IN;?$???u?Ul??,-}?c;?J)?A` | ?$???+%(???zy?B??`d?iųw??"d | 2018-04-15 07:21:55 |        0 |       0 | NULL                | NULL              | NULL       | NULL        | NULL     | NULL      | NULL          | NULL         | NULL                |
??W~v??YD?߼?'?GG;F??n-? | 2018-04-15 10:36:21 |        0 |       0 | NULL                | NULL              | NULL       | NULL        | NULL     | NULL      | NULL          | NULL         | NULL                |
|       5 | topttest  | ??e
??wG?x?v? ?F??mT=A??w?" | ?BۘF;?f??xk???i???P?m\f? | 2018-04-15 10:54:14 |        0 |       0 | NULL                | NULL              | NULL       | NULL        | NULL     | NULL      | NULL          | NULL         | NULL                |
+---------+-----------+----------------------------------+----------------------------------+---------------------+----------+---------+---------------------+-------------------+------------+-------------+----------+-----------+---------------+--------------+---------------------+
3 rows in set (0.00 sec)

mysql> SELECT * FROM guacamole_user_permission;
+---------+------------------+------------+
| user_id | affected_user_id | permission |
+---------+------------------+------------+
|       1 |                1 | READ       |
|       1 |                1 | UPDATE     |
|       1 |                1 | ADMINISTER |
|       1 |                4 | READ       |
|       1 |                4 | UPDATE     |
|       1 |                4 | DELETE     |
|       1 |                4 | ADMINISTER |
|       4 |                4 | READ       |
|       4 |                4 | UPDATE     |
|       1 |                5 | READ       |
|       1 |                5 | UPDATE     |
|       1 |                5 | DELETE     |
|       1 |                5 | ADMINISTER |
|       5 |                5 | READ       |
|       5 |                5 | UPDATE     |
+---------+------------------+------------+
15 rows in set (0.01 sec)



Tomcat logs show only:
Sun Apr 15 11:02:17 EEST 2018 WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.

==> localhost_access_log.2018-04-15.txt <==
192.168.100.11 - - [15/Apr/2018:11:02:17 +0300] "GET /guacamole/ HTTP/1.1" 304 -
192.168.100.11 - - [15/Apr/2018:11:02:17 +0300] "GET /guacamole/app.css?v=0.9.14 HTTP/1.1" 200 49878
192.168.100.11 - - [15/Apr/2018:11:02:17 +0300] "GET /guacamole/app.js?v=0.9.14 HTTP/1.1" 200 304771
192.168.100.11 - - [15/Apr/2018:11:02:17 +0300] "GET /guacamole/images/logo-144.png HTTP/1.1" 200 9167
192.168.100.11 - - [15/Apr/2018:11:02:17 +0300] "GET /guacamole/api/languages HTTP/1.1" 200 151
192.168.100.11 - - [15/Apr/2018:11:02:17 +0300] "GET /guacamole/api/patches HTTP/1.1" 200 352
192.168.100.11 - - [15/Apr/2018:11:02:17 +0300] "GET /guacamole/translations/en.json HTTP/1.1" 200 37198
192.168.100.11 - - [15/Apr/2018:11:02:18 +0300] "POST /guacamole/api/tokens HTTP/1.1" 403 237

==> catalina.out <==
11:02:30.987 [http-bio-8080-exec-4] INFO  o.a.g.r.auth.AuthenticationService - User "topttest" successfully authenticated from 192.168.100.11.

==> localhost_access_log.2018-04-15.txt <==
192.168.100.11 - - [15/Apr/2018:11:02:31 +0300] "POST /guacamole/api/tokens HTTP/1.1" 403 1433

==> catalina.out <==
11:03:00.822 [http-bio-8080-exec-9] INFO  o.a.g.r.auth.AuthenticationService - User "topttest" successfully authenticated from 192.168.100.11.

==> localhost_access_log.2018-04-15.txt <==
192.168.100.11 - - [15/Apr/2018:11:03:00 +0300] "POST /guacamole/api/tokens HTTP/1.1" 400 188



Permissions of the extension are the same as with jdbc, and the other stuff built using the 0.9.14 manual.
I have not added any TOTP-specific things to guacamole.properties.

What could be the issue, what to check? Have I missed a step somewhere?

Thanks for your help.

— kalle






Re: TOTP Google Authenticator gives "Verification failed. Please try again."

Posted by Kalle Jääskeläinen <ka...@gmail.com>.
Ignore my last mail. Now it all works.
No idea why though. Maybe the clock of the VM was off or something.



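Added example, not part of the original thread and not Guacamole's code: an RFC 6238 TOTP check showing how a server clock that has drifted rejects a code the authenticator app computed correctly, plus a helper that reports how many periods apart the two clocks are. It assumes HMAC-SHA1, 6 digits and a 30-second period; the secret is the RFC 6238 test key rather than a key from this thread, and the one-period acceptance window and the function names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct

def totp(secret_b32, unix_time, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, code, server_time, window=1, period=30):
    """Accept a code from the current period or `window` periods either side."""
    return any(
        hmac.compare_digest(
            totp(secret_b32, server_time + k * period, period=period), code)
        for k in range(-window, window + 1)
    )

def find_skew(secret_b32, code, server_time, max_periods=120, period=30):
    """Periods between the clock that produced `code` and the server clock."""
    # Search outward from zero so the smallest plausible drift is reported.
    for k in sorted(range(-max_periods, max_periods + 1), key=abs):
        if totp(secret_b32, server_time + k * period, period=period) == code:
            return k
    return None  # no match: wrong secret or wrong digits/period, not drift

# Constructed sample values (RFC 6238 test secret, base32-encoded).
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
PHONE_TIME = 1111111109         # clock on the authenticator device
SERVER_TIME = PHONE_TIME - 300  # VM clock running five minutes slow

if __name__ == "__main__":
    code = totp(SECRET, PHONE_TIME)
    print("code shown on phone:", code)
    print("accepted by server:", verify(SECRET, code, SERVER_TIME))
    print("periods of drift:", find_skew(SECRET, code, SERVER_TIME))
```

A `None` result from `find_skew` points away from the clock and towards a mismatched secret or TOTP parameters; a non-zero result is fixed by synchronising the server's time (for example with NTP), not by widening the acceptance window.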