[
https://issues.apache.org/jira/browse/GUACAMOLE-1146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17221953#comment-17221953
]
Mike Jumper commented on GUACAMOLE-1146:
----------------------------------------
From a [relevant thread on the mailing list|http://mail-archives.apache.org/mod_mbox/guacamole-dev/202007.mbox/%3CCALKeL-OGk0Vmz-Kq8ddxCoRyYUXo_-z7x4-UUf8uryTz6TybkA%40mail.gmail.com%3E]:
{quote}
Reading through the TOTP extension code, I see the "totp-period" property value
used only to affect code invalidation, with code generation always using the
default value of 30:
https://github.com/apache/guacamole-client/blob/3c4c81f0b6b9700abccaefcc695058e515b8b20b/extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/auth/totp/user/UserVerificationService.java#L272-L274
https://github.com/apache/guacamole-client/blob/3c4c81f0b6b9700abccaefcc695058e515b8b20b/extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/totp/TOTPGenerator.java#L278-L281
That behavior is likely a bug; however, Google Authenticator is currently
documented as ignoring the period value and always assuming 30:
https://github.com/google/google-authenticator/wiki/Key-Uri-Format
Assuming this is still the case, I would expect Google Authenticator to
currently work (as the extension behavior will effectively ignore the period),
and to stop working as soon as the overridden period is taken into account for
code generation (as Google Authenticator would no longer generate the same
codes). I can confirm that Google Authenticator does appear to assume 30
regardless of the period within the QR code, at least on Android.
Overall:
# This is probably a bug and should be fixed.
# If any of your users will use Google Authenticator, you shouldn't override
the defaults.
{quote}
> TOTP authentication fails when totp-period is set
> -------------------------------------------------
>
> Key: GUACAMOLE-1146
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1146
> Project: Guacamole
> Issue Type: Bug
> Components: guacamole-auth-totp
> Affects Versions: 1.2.0
> Environment: CentOS Linux release 7.8.2003 (Core)
> Reporter: Benjamin
> Assignee: Mike Jumper
> Priority: Major
> Fix For: 1.3.0
>
>
> After configuring totp-period to 60, authentication is failing.
> When entering the 6-digit code I receive the following error in the Guacamole
> WebUI:
> {quote}Verification failed. Please try again.
> {quote}
> After removing the variable from guacamole.properties and restarting tomcat
> everything started to work fine.
> I am not able to see an error in the logs, it is actually reporting that
> everything is fine:
> {quote}Jul 22 10:16:09 service server: 10:16:09.070 [http-bio-8180-exec-22]
> INFO o.a.g.r.auth.AuthenticationService - User "jerome" successfully
> authenticated from [37.228.140.239, 10.0.0.5].
> {quote}
> Note: Users have the required permissions to update their passwords, it's
> working fine in my environment without configuring this.
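The period mismatch predicted in the comment above, as an added example (not Guacamole's code and not part of the Jira message): a minimal RFC 6238 TOTP with the time step as a parameter, showing that an app which always assumes 30 seconds agrees with a server generating with 30 and disagrees once the server generates with 60. The key and timestamp are RFC 6238 test values; `server_accepts`, `scenario` and the one-step acceptance window are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample values: the RFC 6238 SHA-1 test key and one of its test times.
KEY = b"12345678901234567890"
NOW = 1111111109


def time_step(unix_time: int, period: int) -> int:
    """Counter fed to HOTP: number of whole periods since the Unix epoch."""
    return unix_time // period


def totp(key: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", time_step(unix_time, period))
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts(code: str, unix_time: int, generation_period: int,
                   window: int = 1) -> bool:
    """Hypothetical verifier: accept the current step or `window` steps either side."""
    return any(
        hmac.compare_digest(
            code, totp(KEY, unix_time + i * generation_period, generation_period))
        for i in range(-window, window + 1)
    )


def scenario(app_period: int, server_generation_period: int) -> bool:
    """True if the code the app shows at NOW is accepted by the server at NOW."""
    return server_accepts(totp(KEY, NOW, app_period), NOW, server_generation_period)


if __name__ == "__main__":
    # App period 30 models an authenticator that ignores the period in the key URI.
    print("app=30, server generates with 30:", scenario(30, 30))
    print("app=30, server generates with 60:", scenario(30, 60))
    print("app=60, server generates with 60:", scenario(60, 60))
```

A wider acceptance window does not rescue the mismatched case: at period 60 the server's counter is roughly half the app's, so no nearby step lines up.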