[GUACAMOLE-1187] TOTP not working with MariaDB - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Cannot Reproduce
Affects Version/s: 1.2.0
Fix Version/s: None
Component/s: guacamole-auth-totp
Labels:
None
Environment:

Hide
Centos 8.2,
MariaDB Server 10.3.17.1.module_el8.1.0+257+48736ea6,
MariaDB Java Client 2.2.5.2.el8 (provides MariaDB JDBC jar file),
Tomcat 9.0.37,
Guacamole 1.2.0 (server, client, database authentication extension and TOTP authentication extension)

Show
Centos 8.2, MariaDB Server 10.3.17.1.module_el8.1.0+257+48736ea6, MariaDB Java Client 2.2.5.2.el8 (provides MariaDB JDBC jar file), Tomcat 9.0.37, Guacamole 1.2.0 (server, client, database authentication extension and TOTP authentication extension)

Description

Problem:

When the TOTP module is installed and MariaDB is used for database authentication, no users can complete TOTP enrollment. When a user attempts to login the first time after TOTP is enabled, the enrollment QR code is displayed as expected and I can see where records for the guac-totp-key-secret=[_new_key_value_] and guac-totp-key-confirmed=false attributes are correctly inserted to the guacamole_user_attribute table for the user. However, when the user scans the QR code with their authenticator app and then provides the correct authentication code, the “verification failed” message is always displayed and the user cannot login.

Background:

MariaDB has replaced MySQL in the official RHEL 8 and Centos 8 repositories.

Database authentication for Guacamole works as expected when the TOTP module is not used and Guacamole is configured to use MariaDB per the instructions at https://guacamole.apache.org/doc/gug/jdbc-auth.html (i.e. using mysql-driver: mariadb in guacamole.properties and a link to the MariaDB jdbc driver in GUACAMOLE_HOME/lib). However, the problem described above occurs when the TOTP module is then moved into the GUACAMOLE_HOME/extensions folder and Tomcat is restarted.

Initial Analysis:

I added some debug logging to guacamole-client-1.2.0/extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/auth/totp/user/UserVerificationService.java to gather some more information (see attached UserVerificationService.java containing the logging modifications). From that, I found that when the getKey() method is called during the authentication step, the if (secret == null) condition is always matched. So, a new secret is then generated during each attempt verify the authentication code and the existing records in guacamole_user_attribute for guac-totp-key-secret and guac-totp-key-confirmed for the user are replaced . However, since the user and server are using different keys at that point, the generated authentication codes don’t match. So, there appears to be a problem retrieving the guac-totp-key-secret attribute for the user from the database even though the records can be inserted and deleted correctly.

Workaround:

Replacing MariaDB with MySQL community 8.0.21 (along with setting mysql-driver: mysql in guacamole.properties and adding a link to the MySQL jdbc driver in GUACAMOLE_HOME/lib) resolves the issue. However, this is not a great solution since MySQL is no longer part of the native OS repositories or even the EPEL repositories and its usually best to avoid using 3rd party RPM repositories or installing software from source on RHEL and Centos systems when possible to make it easier to keep systems up-to-date and maintain system stability while minimizing the chances for unexpected application and configuration conflicts.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

UserVerificationService.java
29/Sep/20 03:23
13 kB
J.T. Moore

Activity

People

Assignee:: Unassigned

Reporter:: J.T. Moore

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 29/Sep/20 03:30

Updated:: 23/May/21 06:20

Resolved:: 23/May/21 06:20