[
https://issues.apache.org/jira/browse/GUACAMOLE-1187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17271284#comment-17271284
]
miguel angel commented on GUACAMOLE-1187:
-----------------------------------------
Hi, I have an issue: I have MariaDB and Guacamole 1.2.0, and when I updated to
1.3.0, TOTP did not work when I entered the 6-digit code.
But after searching I found the error and the solution.
In my */etc/guacamole/guacamole.properties* I wrote:
totp-digits: 6
totp-period: 60
totp-mode: sha1
and used the WinOTP Authenticator
[https://www.microsoft.com/en-us/p/winotp-authenticator/9nf2rgqkx1mv?activetab=pivot:overviewtab]
and it worked fine.
But when I updated everything to 1.3.0 the code did not work. I saw that if I
take the same code from the MySQL table guacamole_user_attribute and put it
into this website
[https://totp.danhersam.com/]
the code is different from the WinOTP Authenticator's, because WinOTP
Authenticator only works with 30 seconds, not 60, but Guacamole 1.2.0 doesn't
use the 60 seconds to validate, it uses 30 maybe, and errors.
The solution in my case is to put in */etc/guacamole/guacamole.properties*:
totp-digits: 6
totp-period: *30*
totp-mode: sha1
and the WinOTP Authenticator works again, and [https://totp.danhersam.com/]
has the same key if I put 30 seconds.
Thanks all.
> TOTP not working with MariaDB
> -----------------------------
>
> Key: GUACAMOLE-1187
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1187
> Project: Guacamole
> Issue Type: Bug
> Components: guacamole-auth-totp
> Affects Versions: 1.2.0
> Environment: CentOS 8.2,
> MariaDB Server 10.3.17.1.module_el8.1.0+257+48736ea6,
> MariaDB Java Client 2.2.5.2.el8 (provides MariaDB JDBC jar file),
> Tomcat 9.0.37,
> Guacamole 1.2.0 (server, client, database authentication extension and TOTP
> authentication extension)
> Reporter: J.T. Moore
> Priority: Minor
> Attachments: UserVerificationService.java
>
>
> Problem:
> When the TOTP module is installed and MariaDB is used for database
> authentication, no users can complete TOTP enrollment. When a user attempts
> to login the first time after TOTP is enabled, the enrollment QR code is
> displayed as expected and I can see where records for the
> *guac-totp-key-secret=[_new_key_value_]* and *guac-totp-key-confirmed=false*
> attributes are correctly inserted to the guacamole_user_attribute table for
> the user. However, when the user scans the QR code with their authenticator
> app and then provides the correct authentication code, the “verification
> failed” message is always displayed and the user cannot login.
>
> Background:
> MariaDB has replaced MySQL in the official RHEL 8 and CentOS 8 repositories.
> Database authentication for Guacamole works as expected when the TOTP module
> is not used and Guacamole is configured to use MariaDB per the instructions
> at [https://guacamole.apache.org/doc/gug/jdbc-auth.html] (i.e. using
> *mysql-driver: mariadb* in guacamole.properties and a link to the MariaDB
> jdbc driver {{in GUACAMOLE_HOME/lib}}). However, the problem described above
> occurs when the TOTP module is then moved into the
> {{GUACAMOLE_HOME}}/extensions folder and Tomcat is restarted.
>
> Initial Analysis:
> I added some debug logging to
> guacamole-client-1.2.0/extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/auth/totp/user/UserVerificationService.java
> to gather some more information (see attached UserVerificationService.java
> containing the logging modifications). From that, I found that when the
> getKey() method is called during the authentication step, the *if (secret ==
> null)* condition is always matched. So, a new secret is then generated during
> each attempt to verify the authentication code and the existing records in
> guacamole_user_attribute for guac-totp-key-secret and guac-totp-key-confirmed
> for the user are replaced. However, since the user and server are using
> different keys at that point, the generated authentication codes don’t match.
> So, there appears to be a problem retrieving the guac-totp-key-secret
> attribute for the user from the database even though the records can be
> inserted and deleted correctly.
>
> Workaround:
> Replacing MariaDB with MySQL community 8.0.21 (along with setting
> *mysql-driver: mysql* in guacamole.properties and adding a link to the MySQL
> jdbc driver in {{GUACAMOLE_HOME/lib}}) resolves the issue. However, this is
> not a great solution since MySQL is no longer part of the native OS
> repositories or even the EPEL repositories and it's usually best to avoid
> using 3rd party RPM repositories or installing software from source on RHEL
> and CentOS systems when possible to make it easier to keep systems up-to-date
> and maintain system stability while minimizing the chances for unexpected
> application and configuration conflicts.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
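
Added example (not part of the original message and not Guacamole's code): a minimal RFC 6238 calculation showing why one secret yields different 6-digit codes when the server's totp-period is 60 and the authenticator app uses a 30-second step, plus a check that reports which period reproduces an observed code. Assumptions: the secret is base32-encoded, the sample key and timestamp are the RFC 6238 test values, and `totp` and `matching_periods` are hypothetical helper names.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret_b32, at=None, period=30, digits=6, mode="sha1"):
    """RFC 6238 code at time `at`; period/digits/mode mirror the
    totp-period, totp-digits and totp-mode properties."""
    # Assumption: the secret is base32; re-add any stripped padding.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    # The time-step counter is the only place the period enters.
    counter = int(time.time() if at is None else at) // period
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, mode)).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def matching_periods(secret_b32, observed_code, at=None, candidates=(30, 60), **kw):
    """Return the candidate periods that reproduce observed_code at time `at`."""
    return [p for p in candidates
            if hmac.compare_digest(totp(secret_b32, at, p, **kw), observed_code)]


# Constructed sample input: the RFC 6238 test key and its first test timestamp.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()
SAMPLE_TIME = 59

if __name__ == "__main__":
    app_code = totp(SAMPLE_SECRET, SAMPLE_TIME, period=30)     # authenticator, 30 s step
    server_code = totp(SAMPLE_SECRET, SAMPLE_TIME, period=60)  # server, totp-period: 60
    print("app (30 s):   ", app_code)
    print("server (60 s):", server_code)
    print("app code matches period(s):",
          matching_periods(SAMPLE_SECRET, app_code, SAMPLE_TIME))
```

Running `matching_periods` with a code read from the authenticator app and the current time shows which `totp-period` value the server needs for that app.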