[ https://issues.apache.org/jira/browse/GUACAMOLE-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16324598#comment-16324598 ]
SuperSherpa55 edited comment on GUACAMOLE-96 at 1/12/18 10:25 PM:
------------------------------------------------------------------
I am having similar struggles. It almost works except I get "invalid login"
using the guacadmin account. The latest method I have tried is running this
script
(https://github.com/CountPickering/guac-install/blob/master/guac-install.sh)
that was changed to use the totp branch on an Ubuntu 16.04 base install. I get
the following errors in the catalina.out:

The error is "WARN o.a.g.e.AuthenticationProviderFacade - Authentication
attempt denied because the authentication system could not be loaded."
which leads to "WARNING: Method [public void
org.apache.guacamole.auth.jdbc.connection.ConnectionDirectory.add(org.apache.guacamole.net.auth.Identifiable)
throws org.apache.guacamole.GuacamoleException] is synthetic and is being
intercepted by
[org.mybatis.guice.transactional.TransactionalMethodInterceptor@78f727ef]. This
could indicate a bug. The method may be intercepted twice, or may not be
intercepted at all."

There may be some confusion on which extensions to use. Do I use both the
guacamole-auth-jdbc-mysql and guacamole-auth-totp in the extensions
directories? Are changes needed to the guacamole.properties file in order to
use totp?

Another way I have tried is using a known working installation of 0.9.13 and
separately compiling using the totp repo and then replacing the client
guacamole.war file in webapps and the guacamole-auth-totp.jar in the
extensions folder, afterwards restarting tomcat and guacd, to no avail: invalid
login with guacadmin.

Also tried with a working install, stopped guacd and tomcat, then moved the
compiled client guacamole.war and guacamole-auth-totp.jar files over, deleting
and recreating the guac database and user, re-importing the .sql schemes, and
then starting the services, also to no avail. All have the same invalid
login issue. Any ideas?

P.S. Great work [~mike.jumper] on the totp extension and [~ljruiten] for the
initial ticket! Very exciting stuff. Once I am able to get it working, just
know there will be a happy dance conducted in your honor.

> Two factor authentication with Google Authenticator
> ---------------------------------------------------
>
> Key: GUACAMOLE-96
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-96
> Project: Guacamole
> Issue Type: New Feature
> Components: guacamole-client
> Reporter: L.J. van Ruiten
> Assignee: Michael Jumper
> Priority: Trivial
> Attachments: guacamole-auth-totp-01-enroll-01-details-hidden.png,
> guacamole-auth-totp-01-enroll-02-details-shown.png,
> guacamole-auth-totp-01-enroll.png, guacamole-auth-totp-02-verify.png
>
>
> We have a few critical systems that are accessible through Guacamole and we
> have had some clients requesting a safer way to login. Two factor
> authentication is probably the best and easiest way to improve on the current
> username/password login, and I can imagine that this is something that other
> companies using Guacamole would also be interested in.
> I already did some tinkering myself and I found that Google Authenticator is
> simple to use, does not require any configuration (like you would with SMS
> codes), easy to implement and the "client" side of the authentication (the
> part that generates the codes) is easily integrated into existing apps.
> So far I have got Google Authenticator "kinda working". What I did is:
> - Started with guacamole-auth-jdbc as base
> - Added a secret key to a user account that is randomly generated upon
> creation. Also added a boolean field to indicate whether TFA is required for
> logging in.
> - Used the GuacamoleInsufficientCredentialsException to redirect the user to
> a second screen asking for a TFA code after logging in with the username and
> password.
> However as said before this only "kinda works" because:
> I have only gotten the TFA enable button to appear in the user's managing
> page, so it can only be enabled by administrators and that's also where
> the secret key shows up, so users can't find it themselves.
> As far as I could find the previous point cannot be done with just the
> guacamole-ext api. Even with the new API that enables you to insert HTML
> parts, you would also need an API endpoint to provide the secret key or
> ideally generate a QR code that Google Authenticator can read to bind a
> device to the account (I would like it to appear in the user's preference
> page).
> So in summary if other people are interested I would be willing to contribute
> this, but I would need some directions and I have a few questions:
> - Am I right that it is currently not possible to add an API endpoint just
> using guacamole-ext to provide the QR codes?
> - What would be the way to implement this? Personally I thought that adding
> these options to the user's page would be the easiest.
> - Is this a feature you would like me to work on and contribute?