[
https://issues.apache.org/jira/browse/GUACAMOLE-1329?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17325368#comment-17325368
]
Mike Jumper commented on GUACAMOLE-1329:
----------------------------------------
I agree it's not a bug, but it could lead to confusion and can probably be
improved.

The log message as it stands is (technically) correct. The user is in fact
authenticating three times, and each of those times succeeds. However, after
succeeding, those authentication successes are vetoed by the next extension in
the chain enforcing MFA.

The overall chain of events leading to this is:

# User successfully authenticates with username/password. This is log message #1.
# Duo extension vetoes the successful auth and requests additional credentials.
# User successfully authenticates with username/password (automatically resubmitted) _and_ the Duo token. This is log message #2.
# TOTP extension vetoes the successful auth and requests additional credentials.
# User successfully authenticates with username/password/Duo (automatically resubmitted) _and_ their TOTP code. This is log message #3.

I think this could be addressed by:

* Clarifying the existing message to note that these are _tentatively_ successful authentication attempts (as well as the specific extension that accepted them).
* Adding messages to note when another extension rejects an otherwise tentatively successful attempt (as well as the specific extension that rejected it).
* Adding a message to explicitly note when a user has absolutely fully authenticated (and no other extension has decided to reject the tentative success).

> Message for successful login appears three times, no message for failed TOTP
> ----------------------------------------------------------------------------
>
> Key: GUACAMOLE-1329
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1329
> Project: Guacamole
> Issue Type: Bug
> Components: guacamole
> Affects Versions: 1.2.0
> Environment: Package: tomcat8
> Versions: 8.5.39-1ubuntu1~18.04.3
> Reporter: Florian Obradovic
> Priority: Minor
> Labels: catalina
> Attachments: image-2021-04-19-19-24-57-999.png
>
>
> Dear Team
> Today I created a dashboard in Graylog to monitor failed and successful
> Guacamole logins and noticed this behaviour with logging and user sign in
> events.
> h2. A user with TOTP enabled
> * a user signs in one single time
> * there appear three lines in catalina.out log file
> * two lines appear after entering username & password
> * you enter TOTP challenge
> * third line appears
>
> {code:java}
> After Login:
> 19:13:08.869 [http-nio-8080-exec-8] INFO o.a.g.r.auth.AuthenticationService -
> User "guac-admin" successfully authenticated from [111.222.333.4, 127.0.0.1].
> 19:13:09.424 [http-nio-8080-exec-4] INFO o.a.g.r.auth.AuthenticationService -
> User "guac-admin" successfully authenticated from [111.222.333.4, 127.0.0.1].
> After entering TOTP challenge:
> 19:13:11.490 [http-nio-8080-exec-6] INFO o.a.g.r.auth.AuthenticationService -
> User "guac-admin" successfully authenticated from [111.222.333.4, 127.0.0.1]
> {code}
>
>
>
> h1. A user with TOTP fails to enter TOTP codes
> * a user signs in one single time
> * first *two* after entering username & password
> * {color:#ff0000}*after failing to enter the TOTP codes / entering wrong
> challenges there appears a new line:*
> _INFO o.a.g.r.auth.AuthenticationService - User "guac-admin" successfully
> authenticated from [111.222.333.4, 127.0.0.1]_{color}
> h1. A user with DUO enabled
> * a user signs in one single time
> * first line after entering username & password
> * second line after DUO challenge response successfully
> * third line appears after you enter TOTP challenge
> ----
>
> !image-2021-04-19-19-24-57-999.png|width=446,height=475!
>
> Best regards, Flo.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
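
With the messages as they stand, a log consumer such as the reporter's dashboard can avoid counting one sign-in as several by grouping the "successfully authenticated" lines per user and source address. This is an added example, not code from Guacamole or from this thread; the function name, the 120-second window and the last two sample events are assumptions.

```python
import re
from datetime import datetime, timedelta

# Line shape taken from the catalina.out excerpt in the issue, one event per line.
SUCCESS = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) \[[^\]]+\] INFO\s+'
    r'o\.a\.g\.r\.auth\.AuthenticationService - '
    r'User "(?P<user>[^"]+)" successfully authenticated from \[(?P<src>[^\]]*)\]'
)

def collapse_signins(lines, window=timedelta(seconds=120)):
    """Group tentative successes per (user, source) into sign-in flows.

    window is an assumed maximum gap between two steps of one flow (time to
    answer the next MFA prompt). A flow's count says how many steps were
    accepted, not that every extension in the chain accepted the login.
    """
    flows, latest = [], {}
    for line in lines:
        m = SUCCESS.match(line.strip())
        if not m:
            continue  # other log lines are ignored
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        key = (m["user"], m["src"])
        flow = latest.get(key)
        # A negative gap means the time-only timestamp wrapped past midnight.
        if flow and timedelta(0) <= ts - flow["last"] <= window:
            flow["last"] = ts
            flow["tentative_successes"] += 1
        else:
            flow = {"user": m["user"], "source": m["src"],
                    "first": ts, "last": ts, "tentative_successes": 1}
            flows.append(flow)
            latest[key] = flow
    return flows

# Constructed sample: the three events from the issue plus two made-up ones.
PREFIX = "[http-nio-8080-exec-1] INFO o.a.g.r.auth.AuthenticationService - "
SAMPLE = [
    f'{t} {PREFIX}User "{u}" successfully authenticated from [{s}].'
    for t, u, s in [
        ("19:13:08.869", "guac-admin", "111.222.333.4, 127.0.0.1"),
        ("19:13:09.424", "guac-admin", "111.222.333.4, 127.0.0.1"),
        ("19:13:10.000", "alice", "192.0.2.10"),             # constructed
        ("19:13:11.490", "guac-admin", "111.222.333.4, 127.0.0.1"),
        ("19:20:30.000", "guac-admin", "111.222.333.4, 127.0.0.1"),  # constructed
    ]
]

if __name__ == "__main__":
    for f in collapse_signins(SAMPLE):
        print(f["user"], f["source"], f["first"].time(), f["tentative_successes"])
```
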