Affects Version/s: 1.3.0
Fix Version/s: None
Environment: Ubuntu 20.04 server
Linux guacamole 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
We are at the stage of deploying FreeIPA 2FA for all our users and services. Guacamole is in docker containers. During initial testing it turned out that users with OTP enabled are unable to log in to the front-end; however, running "docker logs guacamole" shows:
14:12:11.440 [http-nio-8080-exec-10] INFO o.a.g.r.auth.AuthenticationService - User "c111111" successfully authenticated from 10.0.0.6.
When I deliberately type a wrong password, it correctly shows as failed; also, when OTP for the same user is disabled, the user is able to log in.
14:11:43.730 [http-nio-8080-exec-1] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 10.0.0.6 for user "c111111" failed.
I wonder if it has anything to do with the latest changes to the FreeIPA sssd implementation, where they allow multiple authentication options and, for 2FA, introduce two prompts: one for the password and a second for the OTP token.
There is a workaround: enable both password and OTP authentication in FreeIPA. Surprisingly, I can then log in using the password only, and on hosts I can restrict SSH and RDP to password+OTP only. However, by doing this we also weaken our VPN security, because you can then log in to the VPN with a password only, as FreeIPA is our central LDAP store.
Also, as a test, I downloaded Apache Directory Studio, and authentication there works fine, so maybe Guacamole is doing some extra checks after auth and that's where it is failing; it would also explain why the logs show a successful authentication. I don't know, as I'm no Java expert.
Just to be precise, we use LDAP without extra changes to the LDAP schema.
My docker setup is as follows:
command: sh -c "keytool -storepass changeit -importcert -noprompt -alias labipa -file /etc/ssl/certs/lab-ipa/lab-ipa.mydomain.lab.pam -keystore /usr/local/openjdk-8/jre/lib/security/cacerts && /opt/guacamole/bin/start.sh"