Re: Unable to get Duo 2FA to work with Guacamole

2018-02-15 Thread amlamarra
Well, I do have the GUACAMOLE_HOME variable set in /etc/environment. There's
a single line in that file: "GUACAMOLE_HOME=/etc/guacamole" that ensures
that environment variable is set at boot and I can verify with the "env"
command. And I can assure you that both the mysql & Duo extension .jar files
are in the same directory "/etc/guacamole/extensions"...

AND I'm an idiot...

I forgot to extract the downloaded extension file for Duo, leaving it as a
.tar.gz
Once I extracted the .jar file, restarted Jetty, everything worked!

Thank you, Mike, for getting me to do some simple troubleshooting that I
should have done myself  :D



--
Sent from: 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/


Re: Unable to get Duo 2FA to work with Guacamole

2018-02-14 Thread Mike Jumper
On Wed, Feb 14, 2018 at 5:53 AM, amlamarra  wrote:
>
> When I was getting this set up, for some reason, 0.9.14 didn't work. I think
> the page wouldn't load, but I can't remember exactly. Anyway, I tried 0.9.13
> and it worked fine. Maybe some incompatibility with Jetty8?
>

It's unlikely that anything in 0.9.14 broke compatibility with Jetty
8. It would be good to see the logs for that failure, though. Without
those logs, everything is speculation.

> > What about guacamole-auth-duo-0.9.13-incubating.jar?
>
> Good question. Not sure why I don't have that file in there... Anyway, I
> just put it there, restarted Jetty, and no change :(
>

Prior to 0.9.14, /etc/guacamole was not a default location for
GUACAMOLE_HOME, and would not be used unless explicitly overridden
somehow. Are you sure that both extensions are indeed in the correct
location, and that you haven't somehow ended up with two
GUACAMOLE_HOME directories - one from your previous install which
contains only the MySQL extension, and another at /etc/guacamole which
is being ignored?

>
> > I'm not sure what file Jetty would log things to, but there should be a
> > file containing substantial logging messages from Guacamole during
> > startup, including each extension as they are loaded. Assuming you can
> > find the file containing these messages, can you provide those logs?
>
> The logs are mostly in this file: /var/log/jetty8/stderrout.log
> The default was /var/log/jetty8/_mm_dd.stderrout.log, but I managed to
> strip off the date stamp to make it easier to use with fail2ban.
>
> These are the logs that are generated when I do a "systemctl restart
> jetty8":
>
>...
> 08:44:21.637 [main] INFO  o.a.g.extension.ExtensionModule - Extension "MySQL 
> Authentication" loaded.
> 08:44:24.382 [main] INFO  o.a.g.t.w.j.WebSocketTunnelModule - Loading Jetty 8 
> WebSocket support...
> ...

For all .jar files within the GUACAMOLE_HOME/extensions/ directory,
Guacamole will log something, either that the extension was
successfully loaded (as you see here for the MySQL extension) or that
the extension could not be loaded. If you're not seeing anything
whatsoever for the Duo extension, then it must not be in the location
being searched by Guacamole.

- Mike
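
Added example (not part of the original messages): a shell check for the failure mode this thread ended on, where a file in the extensions directory is not a .jar and so never shows up in the startup log. The archive file name and the temporary paths are constructed samples; the "loaded" log line is the one quoted in the thread.

```shell
#!/bin/sh
# Added example: all paths and file contents here are constructed samples.

# Names of files in the extensions directory that are not .jar files.
# Guacamole only considers .jar files, so these are never loaded or logged.
non_jar_files() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.jar) ;;
            *) basename "$f" ;;
        esac
    done
}

# Extension names the startup log reports as loaded.
loaded_extensions() {
    sed -n 's/.*Extension "\([^"]*\)" loaded\..*/\1/p' "$1"
}

# Compare the number of .jar files with the number of "loaded" log lines.
# Returns 0 only when the counts match and no non-.jar file is present.
audit_extensions() {
    jars=0
    for f in "$1"/*.jar; do
        if [ -f "$f" ]; then jars=$((jars + 1)); fi
    done
    loaded=$(loaded_extensions "$2" | grep -c . || true)
    skipped=$(non_jar_files "$1")
    echo "jar files: $jars, extensions reported loaded: $loaded"
    if [ -n "$skipped" ]; then echo "not a .jar, ignored: $skipped"; fi
    [ "$jars" -eq "$loaded" ] && [ -z "$skipped" ]
}

# Constructed sample: one extracted .jar and one archive left unextracted.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/extensions"
    : > "$d/extensions/guacamole-auth-jdbc-mysql-0.9.13-incubating.jar"
    : > "$d/extensions/guacamole-auth-duo-0.9.13-incubating.tar.gz"
    printf '%s\n' \
      '08:44:21.637 [main] INFO  o.a.g.extension.ExtensionModule - Extension "MySQL Authentication" loaded.' \
      > "$d/startup.log"
    echo "$d"
}

sample=$(make_sample)
audit_extensions "$sample/extensions" "$sample/startup.log" || echo "extension set needs attention"
rm -rf "$sample"
```

On a real host, point audit_extensions at GUACAMOLE_HOME/extensions and at the servlet container's startup log instead of the sample paths.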


Re: Unable to get Duo 2FA to work with Guacamole

2018-02-14 Thread amlamarra
When I was getting this set up, for some reason, 0.9.14 didn't work. I think
the page wouldn't load, but I can't remember exactly. Anyway, I tried 0.9.13
and it worked fine. Maybe some incompatibility with Jetty8?


> What about guacamole-auth-duo-0.9.13-incubating.jar?

Good question. Not sure why I don't have that file in there... Anyway, I
just put it there, restarted Jetty, and no change :(


> I'm not sure what file Jetty would log things to, but there should be a
> file containing substantial logging messages from Guacamole during
> startup, including each extension as they are loaded. Assuming you can
> find the file containing these messages, can you provide those logs?

The logs are mostly in this file: /var/log/jetty8/stderrout.log
The default was /var/log/jetty8/_mm_dd.stderrout.log, but I managed to
strip off the date stamp to make it easier to use with fail2ban.

These are the logs that are generated when I do a "systemctl restart
jetty8":


As you can see from the middle there, the MySQL extension loads. Nothing
about Duo, however. Here are the logs generated when I load the page & log
in:






Re: Unable to get Duo 2FA to work with Guacamole

2018-02-14 Thread Mike Jumper
On Tue, Feb 13, 2018 at 6:35 AM, amlamarra  wrote:

> ...
> - Searching my logs for anything duo related reveals nothing (grep -i duo
> /var/log/jetty8/*)
>

I'm not sure what file Jetty would log things to, but there should be a
file containing substantial logging messages from Guacamole during startup,
including each extension as they are loaded. Assuming you can find the file
containing these messages, can you provide those logs? Even if you cannot
find the word "duo" anywhere in the logs, that will at least reveal whether
you're looking in the right place, and might reveal why the Duo support is
not being loaded.


> - I have the "guacamole-auth-jdbc-mysql-0.9.13-incubating.jar" file in
> /etc/guacamole/extensions/
>

What about guacamole-auth-duo-0.9.13-incubating.jar?

Any reason you're not using the latest release (0.9.14)? 0.9.13-incubating
should still work, but using the latest release is usually a good idea.
Once you've ironed out what's going on here, I recommend upgrading when you
can.

- Mike


Unable to get Duo 2FA to work with Guacamole

2018-02-13 Thread amlamarra
Hello, all.
I've set up Guacamole with database authentication & got it working. Then I
followed the instructions from Chapter 8 of the Guacamole manual. However, nothing has
changed. I still log into my account just fine without any sort of 2FA
prompt. Is it a problem that I'm trying to do this with the admin account in
Guacamole?

Some info:
- I'm using Guacamole 0.9.13
- Running on a Raspberry Pi 3b
- Using Jetty8 as my servlet
- MariaDB for my database
- Signed up for a free account in Duo
- Added a user that matched my username in Guacamole & registered a
device
- Searching my logs for anything duo related reveals nothing (grep -i duo
/var/log/jetty8/*)
- I have the "guacamole-auth-jdbc-mysql-0.9.13-incubating.jar" file in
/etc/guacamole/extensions/
- my guacamole.properties file looks like this (with some values changed of
course):
guacd-hostname: localhost
guacd-port: 4822
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: 
mysql-password: xx
duo-api-hostname: .duosecurity.com
duo-integration-key: xxx
duo-secret-key: 
duo-application-key: xx
- I'm using Apache as a web server with LetsEncrypt certs on the same device
that hosts another site. It's acting as a reverse proxy. The relevant
configuration under the  section:

Order allow,deny
Allow from all
ProxyPass http://127.0.0.1:8080/guacamole/
ProxyPassReverse http://127.0.0.1:8080/guacamole/


Any help would be greatly appreciated!


