[ https://issues.apache.org/jira/browse/GUACAMOLE-1212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17292242#comment-17292242 ]
Nick Couchman commented on GUACAMOLE-1212:
------------------------------------------
Ah, okay, so there are two issues with OTP authentication here:
1) During initial authentication, credentials can be provided one of two ways -
either individual, where the user enters username and password, and then is
prompted for the one-time password, which Guacamole currently does not handle
correctly because it lacks the ability within the LDAP module to handle a
request for additional credentials.
2) During the entire life of the user's Guacamole session, LDAP credentials
cannot be re-used transparently to disconnect and reconnect.
So, for item #1, we need to know how the LDAP server(s) respond when asking for
additional credentials so that we can handle those requests and, instead of
just failing authentication, can prompt the user for something.
Item #2 seems a little more problematic. To accomplish this, we either need to
a) make LDAP connections persist for the life of the Guacamole session to avoid
disconnecting and reconnecting, or b) be able to re-prompt the user for their
credentials throughout the life of the actual Guacamole session. Both of these
are problematic.
Making the LDAP connection persist throughout the life of the Guacamole session
is theoretically possible, but there are two scale items that give me pause.
The first is session length - I'm not sure what the limits are on session
persistence with an LDAP server like FreeIPA. In my use of Guacamole in my day
job, I routinely have remote sessions running for 8+ hours. I'm not sure LDAP
sessions will actually be allowed to persist for that length of time? Also, I'd
be concerned about how that would scale in terms of number of users - for one
or two, or maybe 10-20 users, persistent LDAP connections might be fine and not
terribly taxing on the server. But if you have 100 or 200 or 500 users running
Guacamole concurrently that's a lot of ongoing, persistent sessions just for
LDAP - in addition to the actual remote connections.
Re-prompting the user for credentials would, I'm convinced, lead to a terrible
user experience. Guacamole does several LDAP connections in the background when
a user logs in and throughout the session, which would generate multiple prompts
to a user, not just for username and password, but also for OTP: the initial
login, searching for group memberships, and searching for connections. That's
three just from the initial connection phase. Those could probably be bundled
into a persistent connection (if they aren't already - they may already be that
way). Then, assuming you're storing connections in LDAP, every time they access
a connection that connection detail would be accessed and pulled. Some of the
data may be cached, so this might not happen absolutely every single time, but
it would be an obnoxious experience for me, and I'm probably more tolerant of
these idiosyncrasies than the average user.
So, some things to discuss and figure out the best way to work through - I'm
not sure it's as easy as just either persistent LDAP connections or
re-prompting for LDAP credentials every time they're required.
> Support 2FA Directly in LDAP Extension
> --------------------------------------
>
> Key: GUACAMOLE-1212
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1212
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole-auth-ldap
> Reporter: Brett Smith
> Priority: Minor
> Attachments: user-with-otp-trace-level.log
>
>
> I'm using FreeIPA in my environment. I have guacamole-auth-ldap enabled and
> configured and it works fine for users who do not have 2FA enabled. For our
> users with 2FA enabled, we are using TOTP tokens provided by FreeIPA.
> When investigating a tcpdump between guacamole and the LDAP server, I can see
> that guacamole passes the username and password to the LDAP server twice.
> This works fine for a traditional username and password, but for a
> 2FA-enabled user, the second authentication attempt returns failure since the
> TOTP is one-time use. 2FA login attempts result in the guacamole logs
> outputting "successfully authenticated" while the web UI shows "Invalid
> Login" in a red banner.
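To make the reported failure concrete, here is an added example (not Guacamole or FreeIPA code) that models an OTP-aware directory and drives the bind-twice pattern described in the issue against it; the "password followed by TOTP" concatenation, the user names and the secret are assumptions.

```python
import hmac
import hashlib
import struct

# Constructed example, not Guacamole or FreeIPA code. It models an OTP-aware
# directory that validates "password + TOTP" on bind (the concatenation style
# this example assumes FreeIPA uses) and rejects a reused OTP, then runs the
# bind-twice pattern the issue reports against it.

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time-step containing `now`."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpDirectory:
    """Stand-in LDAP server: users maps name -> (password, totp_secret or None)."""

    def __init__(self, users):
        self.users = users
        self.last_step = {}  # name -> time-step of the last accepted OTP

    def bind(self, name: str, credential: str, now: int) -> bool:
        if name not in self.users:
            return False
        password, secret = self.users[name]
        if secret is None:  # plain password user: repeated binds are fine
            return hmac.compare_digest(credential, password)
        if not credential.startswith(password):
            return False
        step = now // 30
        otp_ok = hmac.compare_digest(credential[len(password):], totp(secret, now))
        if not otp_ok or self.last_step.get(name) == step:
            return False  # wrong code, or this code was already consumed
        self.last_step[name] = step
        return True


def rebind_twice(directory: OtpDirectory, name: str, credential: str, now: int):
    """Authenticate, then bind again with the same credentials for a later
    query, as the tcpdump in the issue shows. Returns both bind results."""
    first = directory.bind(name, credential, now)
    second = directory.bind(name, credential, now)
    return first, second
```

The password-only user survives the second bind, while the OTP user's second bind fails exactly as the issue describes, which is why a persistent connection or a retained authentication result, not a rebind, is needed for 2FA users.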
--
This message was sent by Atlassian Jira
(v8.3.4#803005)