Replacing Server = TOTP not working.


Replacing Server = TOTP not working.

DCWNZ
Hi All,
Would appreciate some help if possible, I've spent two days trying to figure
this one out.

Currently we have a 1.2.0 instance. Remote MySQL DB (Cluster). LDAP & TOTP
working perfectly.
I'm wanting to move the Guacamole components to a new server (leaving the DB
alone). Both servers are Ubuntu 20.04.1.

So, I've created a new server. Installed all the same 1.2.0 components.
Pointed it at my DB. User logins work as expected, all connections work
fine.
However, TOTP refuses to work. I get nothing but the infamous "Verification
Failed" response.

So, here's what I've tried so far on the new server:
- Cleared TOTP Key/Secret for several users, tested all = Same Error;
- Created a new DB on the Cluster & tested = Same Error.
- Downgraded to 1.1.0 & tested with 1.2.0 DB = Same Error.
- Downgraded to 1.1.0 and tested new 1.1.0 DB = Same Error.
- Tested different MySQL connectors, old server has 8.0.20, tried several
versions on new server, all = Same Error.
- Built a brand new Ubuntu 20.04 server, installed 1.2.0 following all the
normal documentation, created a brand new 1.2.0 MySQL DB, ran .sql scripts,
connected to LDAP = Works, until I add TOTP, then = Same Error.
- Installed SAML & configured with Azure = Works, however can't connect to
any Windows-based servers using ${GUAC_USERNAME} & ${GUAC_PASSWORD}
variables, no matter what my claims are. Figure the SAML & LDAP modules don't
like each other or the SAML claims aren't getting passed through correctly
despite confirming the correct user values are being supplied in the Response
XML. Our servers are NOT Azure joined yet.

Before anyone suggests, I clear browser cache/cookies between all tests,
have tested every browser known to man and incognito modes to no avail. I've
tested 7 different MFA apps, all produce the same error.
Tested all different versions of SHA modes, all = Same Error.
DB user is the same on all DBs, has been granted full permissions on each
DB.


Why was I able to get TOTP working (with MySQL & LDAP) previously, but not
now?
What am I missing? Is there some dependency that I've missed somewhere?

Any help would be appreciated,




--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: Replacing Server = TOTP not working.

mjumper
Administrator
On Tue, Oct 6, 2020, 20:23 DCWNZ <[hidden email]> wrote:
...

So, I've created a new server. Installed all the same 1.2.0 components.
Pointed it at my DB. User logins work as expected, all connections work
fine.
However, TOTP refuses to work. I get nothing but the infamous "Verification
Failed" response.

Check whether your server's clock is out of sync.

- Mike

RE: Replacing Server = TOTP not working.

J.T. Moore
In reply to this post by DCWNZ
On Tue, Oct 6, 2020, 20:23 DCWNZ <[hidden email] <mailto:[hidden email]> > wrote:

        ...
       
        So, I've created a new server. Installed all the same 1.2.0 components.
        Pointed it at my DB. User logins work as expected, all connections work
        fine.
        However, TOTP refuses to work. I get nothing but the infamous "Verification
        Failed" response.

Doug,

I ran into a similar issue with the TOTP module and MariaDB, but in my case I was able to work around the issue by switching the database to MySQL 8.0.21, so it probably isn't the same problem. However, if you are willing to try compiling the guacamole client from source, I have created a modified UserVerificationService.java that includes some additional debug logging for the TOTP module that may be helpful to further diagnose the issue.

Please see https://issues.apache.org/jira/projects/GUACAMOLE/issues/GUACAMOLE-1187 for more details about the issue I encountered; the modified UserVerificationService.java is available in the attachment section.

Instructions for downloading the guacamole client source from git and compiling it are available at https://guacamole.apache.org/doc/gug/installing-guacamole.html
Before running mvn package, you'll want to replace extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/auth/totp/user/UserVerificationService.java in the downloaded source with the file attached to the Jira report.

You also need to set the guacamole client logging level to debug as documented at https://guacamole.apache.org/doc/1.2.0/gug/configuring-guacamole.html#webapp-logging before starting/restarting Tomcat or the web application container.

Then you should see some additional messages in catalina.out during TOTP enrollment and verification.

Hope that helps,

JT



Re: Replacing Server = TOTP not working.

mjumper
Administrator
On Wed, Oct 7, 2020, 10:48 J.T. Moore <[hidden email]> wrote:
On Tue, Oct 6, 2020, 20:23 DCWNZ <[hidden email] <mailto:[hidden email]> > wrote:

        ...

        So, I've created a new server. Installed all the same 1.2.0 components.
        Pointed it at my DB. User logins work as expected, all connections work
        fine.
        However, TOTP refuses to work. I get nothing but the infamous "Verification
        Failed" response.

Doug,

I ran into a similar issue with the TOTP module and MariaDB, but in my case I was able to work around the issue by switching the database to MySQL 8.0.21, so it probably isn't the same problem. However, if you are willing to try compiling the guacamole client from source, I have created a modified UserVerificationService.java that includes some additional debug logging for the TOTP module that may be helpful to further diagnose the issue.

Please see https://issues.apache.org/jira/projects/GUACAMOLE/issues/GUACAMOLE-1187 ...

JT, I strongly suspect the change in database is a red herring regarding the issue you encountered. The difference between MySQL and MariaDB should be opaque to Guacamole, or at least not so specific that it would affect only storage of TOTP attributes.

- Mike

RE: Replacing Server = TOTP not working.

J.T. Moore

On Wed, Oct 7, 2020, 10:48 J.T. Moore <[hidden email]> wrote:

On Tue, Oct 6, 2020, 20:23 DCWNZ <[hidden email] <mailto:[hidden email]> > wrote:

        ...

        So, I've created a new server. Installed all the same 1.2.0 components.
        Pointed it at my DB. User logins work as expected, all connections work
        fine.
        However, TOTP refuses to work. I get nothing but the infamous "Verification
        Failed" response.

Doug,

I ran into a similar issue with the TOTP module and MariaDB, but in my case I was able to work around the issue by switching the database to MySQL 8.0.21, so it probably isn't the same problem. However, if you are willing to try compiling the guacamole client from source, I have created a modified UserVerificationService.java that includes some additional debug logging for the TOTP module that may be helpful to further diagnose the issue.

Please see https://issues.apache.org/jira/projects/GUACAMOLE/issues/GUACAMOLE-1187 ...

JT, I strongly suspect the change in database is a red herring regarding the issue you encountered. The difference between MySQL and MariaDB should be opaque to Guacamole, or at least not so specific that it would affect only storage of TOTP attributes.

- Mike

Mike,

Those were my thoughts too, however, changing the database was the only difference between TOTP working and not working in my environment. I had tried numerous things to get it working with MariaDB before doing that. With MariaDB, I could see Guacamole successfully creating the record for the secret in the guacamole_user_attribute table for the user id during the initial enrollment step, but when Guacamole went to retrieve the secret to generate the token for verification, it did not find the record in the database, so it created a new one which could not generate a token matching the user's input. Additionally, when the new secret was created, it would overwrite existing records for the user's secret in the guacamole_user_attribute table.

JT

Re: Replacing Server = TOTP not working.

DCWNZ
In reply to this post by mjumper
This turned out to be the issue.

Despite all servers being set to use NTP (and I swear I checked it before), the NEW
server was ~1 minute out of sync with the others.

Problem Solved.

Now I feel extra stupid and wasted ~ 8 hours troubleshooting. Should have
come here for the sanity check earlier.

Cheers guys! Thanks for the fast reply!



Re: Replacing Server = TOTP not working.

Gerardo
In reply to this post by DCWNZ
All the OTP problems can be logged to the Tomcat log, so

can you post the catalina.out error when you try to login?

Looks like time out of sync. If your DB worked before, it's OK now.

Just as a suggestion ... compile the OTP extension on the new box.

Regards



RE: Replacing Server = TOTP not working.

J.T. Moore
In reply to this post by DCWNZ

-----Original Message-----
From: DCWNZ <[hidden email]>
Sent: Wednesday, October 7, 2020 3:46 PM
To: [hidden email]
Subject: Re: Replacing Server = TOTP not working.

 

This turned out to be the issue.

 

Despite all servers being set to use NTP (and I swear I checked it before), the NEW server was ~1 minute out of sync with the others.

 

Problem Solved.

 

Now I feel extra stupid and wasted ~ 8 hours troubleshooting. Should have come here for the sanity check earlier.

 

Cheers guys! Thanks for the fast reply!
Doug,

Glad that worked out for you. That is a different issue than I was seeing with MariaDB, where Guacamole wasn't even retrieving the previously saved secret from the database during the verification process.


Gerardo,

The TOTP module is capable of sending log output to the Tomcat catalina.out log; however, the official module does not generate sufficient log entries either when an existing secret isn't found or when the generated tokens don't match. At a minimum, adding warn-level log entries for those events would be helpful, and some additional debug-level messages showing the actual values of the secret used (or at least the last few characters, for improved security) and the generated tokens used during the verification process would be helpful to confirm the issue.

 

JT