Details
-
Bug
-
Status: Resolved
-
Trivial
-
Resolution: Fixed
-
None
-
None
Description
The length of the Duo secret key is documented within the Guacamole manual as exactly 20 characters. This is incorrect. The integration key is exactly 20 characters, but the secret key is 40 characters.
This can be seen in the definition and usage of the constants in Duo's DuoWeb class:
public final class DuoWeb { ... private static final int IKEY_LEN = 20; private static final int SKEY_LEN = 40; private static final int AKEY_LEN = 40; ... public static String signRequest(final String ikey, final String skey, final String akey, final String username, final long time) { ... if (ikey.equals("") || ikey.length() != IKEY_LEN) { return ERR_IKEY; } if (skey.equals("") || skey.length() != SKEY_LEN) { return ERR_SKEY; } if (akey.equals("") || akey.length() < AKEY_LEN) { return ERR_AKEY; } ...
Note that the lengths of the various keys are not actually enforced by the guacamole-auth-duo extension, so while the manual is incorrect, the extension should still function as long as correct key values are provided.