[
https://issues.apache.org/jira/browse/GUACAMOLE-1187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17263842#comment-17263842
]
Nick Couchman commented on GUACAMOLE-1187:
------------------------------------------
[~jtmoore]: Could you please try updating the MariaDB Connector/J to 2.6.2 or
later (available on their site) and see if that works? There was another issue
someone was experiencing with odd results with MariaDB, and they were using a
similar Connector/J version (2.2 or 2.3) - updating to 2.6 seems to have
resolved that issue.
See:
http://mail-archives.apache.org/mod_mbox/guacamole-user/202101.mbox/%3C2039611493.4298164.1610357625520.JavaMail.zimbra%40universite-paris-saclay.fr%3E
> TOTP not working with MariaDB
> -----------------------------
>
> Key: GUACAMOLE-1187
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1187
> Project: Guacamole
> Issue Type: Bug
> Components: guacamole-auth-totp
> Affects Versions: 1.2.0
> Environment: Centos 8.2,
> MariaDB Server 10.3.17.1.module_el8.1.0+257+48736ea6,
> MariaDB Java Client 2.2.5.2.el8 (provides MariaDB JDBC jar file),
> Tomcat 9.0.37,
> Guacamole 1.2.0 (server, client, database authentication extension and TOTP
> authentication extension)
> Reporter: J.T. Moore
> Priority: Major
> Attachments: UserVerificationService.java
>
>
> Problem:
> When the TOTP module is installed and MariaDB is used for database
> authentication, no users can complete TOTP enrollment. When a user attempts
> to login the first time after TOTP is enabled, the enrollment QR code is
> displayed as expected and I can see where records for the
> *guac-totp-key-secret=[_new_key_value_]* and *guac-totp-key-confirmed=false*
> attributes are correctly inserted to the guacamole_user_attribute table for
> the user. However, when the user scans the QR code with their authenticator
> app and then provides the correct authentication code, the “verification
> failed” message is always displayed and the user cannot login.
>
> Background:
> MariaDB has replaced MySQL in the official RHEL 8 and Centos 8 repositories.
> Database authentication for Guacamole works as expected when the TOTP module
> is not used and Guacamole is configured to use MariaDB per the instructions
> at [https://guacamole.apache.org/doc/gug/jdbc-auth.html] (i.e. using
> *mysql-driver: mariadb* in guacamole.properties and a link to the MariaDB
> jdbc driver {{in GUACAMOLE_HOME/lib}}). However, the problem described above
> occurs when the TOTP module is then moved into the
> {{GUACAMOLE_HOME}}/extensions folder and Tomcat is restarted.
>
> Initial Analysis:
> I added some debug logging to
> guacamole-client-1.2.0/extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/auth/totp/user/UserVerificationService.java
> to gather some more information (see attached UserVerificationService.java
> containing the logging modifications). From that, I found that when the
> getKey() method is called during the authentication step, the *if (secret ==
> null)* condition is always matched. So, a new secret is then generated during
> each attempt verify the authentication code and the existing records in
> guacamole_user_attribute for guac-totp-key-secret and guac-totp-key-confirmed
> for the user are replaced . However, since the user and server are using
> different keys at that point, the generated authentication codes don’t match.
> So, there appears to be a problem retrieving the guac-totp-key-secret
> attribute for the user from the database even though the records can be
> inserted and deleted correctly.
>
> Workaround:
> Replacing MariaDB with MySQL community 8.0.21 (along with setting
> *mysql-driver: mysql* in guacamole.properties and adding a link to the MySQL
> jdbc driver in {{GUACAMOLE_HOME/lib}}) resolves the issue. However, this is
> not a great solution since MySQL is no longer part of the native OS
> repositories or even the EPEL repositories and its usually best to avoid
> using 3rd party RPM repositories or installing software from source on RHEL
> and Centos systems when possible to make it easier to keep systems up-to-date
> and maintain system stability while minimizing the chances for unexpected
> application and configuration conflicts.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
