Hi all,
I compiled the latest and greatest server and client yesterday from master to
try out google auth topt extension.
I got everything working great (first time I built it from source) to a point
where I login using password, get a QR code for new account get “Apache
Guacamole (topttest (or guacadmin)) entry to the Google Authenticator (android)
application with changing code, but when I enter it, it just keeps on saying
"Verification failed. Please try again.”
Both topttest (normal account with only change password permission) and
guacadmin has the same behavior.
If I take topt extension out, the users (topttest, guacadmin) can access ok
using just the password.
I’m using mySQL, schema etc built using the scripts I got from master.
After failed login attempts (tried both topttest and guacadmin) mySQL shows
mysql> SELECT * FROM guacamole_user_attribute;
+---------+-------------------------+----------------------------------+
| user_id | attribute_name | attribute_value |
+---------+-------------------------+----------------------------------+
| 1 | guac-totp-key-confirmed | false |
| 1 | guac-totp-key-secret | XXVBQ3HTHLJMXRNPMD57ZIZG2ZIN2U43 |
| 5 | guac-totp-key-confirmed | false |
| 5 | guac-totp-key-secret | YAKJNQMMZKY2MVIVCGSV6TMXLOUD2VIR |
+---------+-------------------------+----------------------------------+
4 rows in set (0.00 sec)
mysql> SELECT * FROM guacamole_user;
+---------+-----------+----------------------------------+----------------------------------+---------------------+----------+---------+---------------------+-------------------+------------+-------------+----------+-----------+---------------+--------------+---------------------+
| user_id | username | password_hash | password_salt
| password_date | disabled | expired | access_window_start |
access_window_end | valid_from | valid_until | timezone | full_name |
email_address | organization | organizational_role |
+---------+-----------+----------------------------------+----------------------------------+---------------------+----------+---------+---------------------+-------------------+------------+-------------+----------+-----------+---------------+--------------+---------------------+
| 1 | guacadmin | ?E?}IN;?$???u?Ul??,-}?c;?J)?A` |
?$???+%(???zy?B??`d?iųw??"d | 2018-04-15 07:21:55 | 0 | 0 | NULL
| NULL | NULL | NULL | NULL | NULL
| NULL | NULL | NULL |
??W~v??YD??'?GG;F??n-? | 2018-04-15 10:36:21 | 0 | 0 | NULL
| NULL | NULL | NULL | NULL | NULL
| NULL | NULL | NULL |
| 5 | topttest | ??e
??wG?x?v? ?F??mT=A??w?" | ?BۘF;?f??xk???i???P?m\f? | 2018-04-15 10:54:14 |
0 | 0 | NULL | NULL | NULL | NULL
| NULL | NULL | NULL | NULL | NULL |
+---------+-----------+----------------------------------+----------------------------------+---------------------+----------+---------+---------------------+-------------------+------------+-------------+----------+-----------+---------------+--------------+---------------------+
3 rows in set (0.00 sec)
mysql> SELECT * FROM guacamole_user_permission;
+---------+------------------+------------+
| user_id | affected_user_id | permission |
+---------+------------------+------------+
| 1 | 1 | READ |
| 1 | 1 | UPDATE |
| 1 | 1 | ADMINISTER |
| 1 | 4 | READ |
| 1 | 4 | UPDATE |
| 1 | 4 | DELETE |
| 1 | 4 | ADMINISTER |
| 4 | 4 | READ |
| 4 | 4 | UPDATE |
| 1 | 5 | READ |
| 1 | 5 | UPDATE |
| 1 | 5 | DELETE |
| 1 | 5 | ADMINISTER |
| 5 | 5 | READ |
| 5 | 5 | UPDATE |
+---------+------------------+------------+
15 rows in set (0.01 sec)
Tomcat logs show only:
Sun Apr 15 11:02:17 EEST 2018 WARN: Establishing SSL connection without
server's identity verification is not recommended. According to MySQL 5.5.45+,
5.6.26+ and 5.7.6+ requirements SSL connection must be established by default
if explicit option isn't set. For compliance with existing applications not
using SSL the verifyServerCertificate property is set to 'false'. You need
either to explicitly disable SSL by setting useSSL=false, or set useSSL=true
and provide truststore for server certificate verification.
==> localhost_access_log.2018-04-15.txt <==
192.168.100.11 - - [15/Apr/2018:11:02:17 +0300] "GET /guacamole/ HTTP/1.1" 304 -
192.168.100.11 - - [15/Apr/2018:11:02:17 +0300] "GET
/guacamole/app.css?v=0.9.14 HTTP/1.1" 200 49878
192.168.100.11 - - [15/Apr/2018:11:02:17 +0300] "GET /guacamole/app.js?v=0.9.14
HTTP/1.1" 200 304771
192.168.100.11 - - [15/Apr/2018:11:02:17 +0300] "GET
/guacamole/images/logo-144.png HTTP/1.1" 200 9167
192.168.100.11 - - [15/Apr/2018:11:02:17 +0300] "GET /guacamole/api/languages
HTTP/1.1" 200 151
192.168.100.11 - - [15/Apr/2018:11:02:17 +0300] "GET /guacamole/api/patches
HTTP/1.1" 200 352
192.168.100.11 - - [15/Apr/2018:11:02:17 +0300] "GET
/guacamole/translations/en.json HTTP/1.1" 200 37198
192.168.100.11 - - [15/Apr/2018:11:02:18 +0300] "POST /guacamole/api/tokens
HTTP/1.1" 403 237
==> catalina.out <==
11:02:30.987 [http-bio-8080-exec-4] INFO o.a.g.r.auth.AuthenticationService -
User "topttest" successfully authenticated from 192.168.100.11.
==> localhost_access_log.2018-04-15.txt <==
192.168.100.11 - - [15/Apr/2018:11:02:31 +0300] "POST /guacamole/api/tokens
HTTP/1.1" 403 1433
==> catalina.out <==
11:03:00.822 [http-bio-8080-exec-9] INFO o.a.g.r.auth.AuthenticationService -
User "topttest" successfully authenticated from 192.168.100.11.
==> localhost_access_log.2018-04-15.txt <==
192.168.100.11 - - [15/Apr/2018:11:03:00 +0300] "POST /guacamole/api/tokens
HTTP/1.1" 400 188
Permissions of the extension are the same as with jdbc, and the other stuff
built using the 0.9.14 manual.
I have not added any topt specific things to guacamole.properties.
What could be the issue, what to check? Have I missed a step somewhere?
Thanks for your help.
— kalle
