Guacamole: TOTP Not Authorizing Login

Ralphshep

Dabbler
Joined
Apr 28, 2020
Messages
45
I have installed Guacamole into a jail on my TrueNAS server using the community plugin. I was able to sign in and create connections with no problem. Now I want to secure it further since I plan on opening to the open Internet.

I downloaded https://dlcdn.apache.org/guacamole/1.4.0/binary/guacamole-auth-totp-1.4.0.tar.gz, unzipped the folder, and copied the jar file to the root of the extensions folder.

The next time I signed into Guacamole it asks me to set up multi-factor authentication. I scan the QR code using Authy on my iPhone and it generates a 6-digit code. However, when I type that code into Guacamole it says “Verification failed. Please try again.”

Currently, I also have an instance of Guacamole running in an Ubuntu server VM, also on my TrueNAS. But I'm hoping that installing it through the jail would be better for performance.
 

dcs730

Dabbler
Joined
Jun 26, 2021
Messages
22
Hi Ralphshep.

I've taken the plunge and installed Guacamole on my Truenas 13.0.3-1 box and can successfully RDP into PCs internally and remotely from the GuacaMole console. I have not yet opened it up to the outside world via the internet.

My install process has been as follows so far..

In Truenas - The Guacamole install is the default "Plugin" listed as Community Plugin.
I selected the Plug-in "Guacamole", then clicked install with the default NAT option.
Once the JAIL name DCSGuacamole started, I was able to access the web console and add EndPoints.

Like you I'd like to secure it via TOTP. (Once working - would like to open it up to the outside world)

I have been trying to get it to work and so far stuck at copying the .jar into the /etc/guacamole/extensions folder

Within my Truenas box, jails are installed and setup via the iocage/jails/ folder.
My Guacamole JAIL is called - DCSGuacamole

So it lives in /mnt/tankXXXX/iocage/jails/DCSGuacamole/

Then I am on the assumption that the default location that this .jar needs to be copied to is

(All within a SHELL prompt of the DCSGuacamole Jail)
/root/etc/guacamole/extensions

I used a windows PC to download the tar.gz file. Extracted so I found the .jar file, then copied to this location.

root@DCSGuacamole:/etc/guacamole/extensions # ls
guacamole-auth-jdbc-mysql-1.4.0.jar guacamole-auth-totp-1.4.0.jar

There was another .jar file there; I wasn't sure whether anything else was required.

Are there any other config steps required to get the initial login to prompt for the 2FA setup?

Does the .jar file need to be extracted further?
 

dcs730

Dabbler
Joined
Jun 26, 2021
Messages
22
Yes - Seems fairly straight forward.
I've looked at the link with the manual prior to posting and still haven't been able to work it out.

The Guacamole Plug-in install in TrueNAS appears to take care of all the MySQL and setup / config of Guacamole.
It works "straight out of the box".

The TOTP instructions look fairly straight forward and from a TrueNAS Plugin setup point of view - the only actionable item I interpret from the manual is copying of the .jar file into the /root/etc/guacamole/extensions

Then restart the JAIL, but this isn't working.

So I must be mis-reading or not understanding something.

Has anybody performed a Guacamole install in TrueNAS (using the Plug-in), then configured TOTP?
Is there a step by step guide anywhere? Or set of instructions?
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
OK, challenge accepted...

I installed the plugin.

Connected to the console and logged in, sure enough, no TOTP.

I then got a console in the jail and did:

fetch https://dlcdn.apache.org/guacamole/1.4.0/binary/guacamole-auth-totp-1.4.0.tar.gz

tar -xvf ./guacamole-auth-totp-1.4.0.tar.gz

cp ./guacamole-auth-totp-1.4.0/guacamole-auth-totp-1.4.0.jar /etc/guacamole/extensions/

Checked that the permissions matched the other extension:

ls -l /etc/guacamole/extensions

Code:
-rw-r--r--  1 root  wheel  6102374 Dec  9 08:14 guacamole-auth-jdbc-mysql-1.4.0.jar
-rw-r--r--  1 root  wheel  5290215 Dec  9 08:19 guacamole-auth-totp-1.4.0.jar


All looks good.

First I then tried a restart of tomcat (not putting the command since it proved to be no good).

On login I got:
[screenshot]


No way forward from that...

So I restarted the jail (from the host: iocage restart guac)

and then:
[screenshot]


As far as I can see, done deal.


My guess is that the permissions on the file you copied into the jail from outside it would likely be the issue.

I suggest from a jail console checking that with:


ls -l /etc/guacamole/extensions
 

dcs730

Dabbler
Joined
Jun 26, 2021
Messages
22
Thx SRETALLA - You were spot on the money. (I haven't checked the permissions as you've mentioned above)... but below was my soln.

Exactly what I thought earlier today, must have been permission related to the .jar file which I extracted on a Windows 10 PC.

So, I spent a good part this afternoon from the guacamole jail shell prompt.

- I used wget to fetch and download the official totp tar.gz file (From the official guacamole.org web site)
- Then extracted the tar.gz file and copied just the .jar file to the /etc/guacamole/extensions folder.

Once I restarted the Guacamole Jail and attempted to login, it prompted for the 2FA code (Which I then setup and scanned on my iPhone with Google Authenticator app).

So over all works well, then I did a port forward to the http web site of guacamole to access the console.
I can also RDP to other sessions from a remotely connected web browser session.

Works a treat!

Next Q's, can you further secure the Guacamole environment to be accessible via HTTPS?

Or are there further security measures one should take to further tighten this environment?
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
Next Q's, can you further secure the Guacamole environment to be accessible via HTTPS?
With a reverse proxy... nginX, Caddy, Apache, Traefik... long list.

Or are there further security measures one should take to further tighten this environment?
You could use a forward auth provider together with one of the reverse proxy options and add a further security layer (something like Authelia or Authentik... also many more options) and even add another TOTP (or a different one before hitting guacamole) with that.

Or you could require a client certificate from the reverse proxy, meaning only clients with a certificate you have installed on them would be able to use the page.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Hey ... that's awesome, folks! I will add 2FA to my Guacamole and then enable a wider range of applications like SSH etc. so I can use it as a lightweight VPN ...

Edit: BTW - I found the #1 killer app for my Apple Watch: 2FA.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
With a reverse proxy... nginX, Caddy, Apache, Traefik... long list.
Apache 2.4 with letsencrypt:
Code:
# https://guacamole.apache.org/doc/gug/proxying-guacamole.html

<VirtualHost *:443>
  ServerName rdp.hausen.com

  ProxyRequests Off
  ProxyPreserveHost On
    
  <Proxy *>
    Require all granted
  </Proxy>

  <Location />
    Require all granted
    ProxyPass http://192.168.2.52:8080/guacamole/ flushpackets=on
    ProxyPassReverse http://192.168.2.52:8080/guacamole/
    ProxyPassReverseCookiePath /guacamole/ /
  </Location>

  <Location /websocket-tunnel>
    Require all granted
    ProxyPass ws://192.168.2.52:8080/guacamole/websocket-tunnel
    ProxyPassReverse ws://192.168.2.52:8080/guacamole/websocket-tunnel
  </Location>

  SSLEngine on
  SSLCertificateFile "/usr/local/etc/dehydrated/certs/rdp.hausen.com/cert.pem"
  SSLCertificateChainFile "/usr/local/etc/dehydrated/certs/rdp.hausen.com/chain.pem"
  SSLCertificateKeyFile "/usr/local/etc/dehydrated/certs/rdp.hausen.com/privkey.pem"
</VirtualHost>
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
10 minutes work and working - thanks again!
 

Marco Ertel

Dabbler
Joined
Apr 13, 2016
Messages
28
Hi,
I am also running into problems with the TOTP extension, although I followed the guide:
I then got a console in the jail and did:

fetch https://dlcdn.apache.org/guacamole/1.4.0/binary/guacamole-auth-totp-1.4.0.tar.gz

tar -xvf ./guacamole-auth-totp-1.4.0.tar.gz

cp ./guacamole-auth-totp-1.4.0/guacamole-auth-totp-1.4.0.jar /etc/guacamole/extensions/

Checked that the permissions matched the other extension:

ls -l /etc/guacamole/extensions

Code:
-rw-r--r--  1 root  wheel  6102374 Dec  9 08:14 guacamole-auth-jdbc-mysql-1.4.0.jar
-rw-r--r--  1 root  wheel  5290215 Dec  9 08:19 guacamole-auth-totp-1.4.0.jar
Of course I've used the most recent one (https://dlcdn.apache.org/guacamole/1.5.2/binary/guacamole-auth-totp-1.5.2.tar.gz)
and also my permissions match:

Code:
root@guacamole-plg:~ # ls -l /etc/guacamole/extensions/
total 15250
-rw-r--r--  1 root  wheel  10777863 Jul 12 08:58 guacamole-auth-jdbc-mysql-1.5.0.jar
-rw-r--r--  1 root  wheel   4819527 Jul 12 10:14 guacamole-auth-totp-1.5.2.jar


Of course I restarted the jail (now several times) and logged in with different users but no possibility for the 2FA.
Where can I search for logs or what else can I check?

Thanks and Kind Regards
Marco
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
OK, well the first thing I see is that the instructions now point to GUACAMOLE_HOME/extensions as the location for the extension... seems to be /usr/local/etc/guacamole-client/extensions in the test plugin I just installed.

Then, after getting the same result as you... it doesn't work even in that location...

I checked the version of guacd (in the jail, guacd -v), which shows that the version isn't the latest, rather 1.5.0, so the jar file you're working with is too new.

So I downloaded the 1.5.0 version instead (https://archive.apache.org/dist/guacamole/1.5.0/binary/guacamole-auth-totp-1.5.0.tar.gz), put it in the new location as mentioned above and restarted the jail... works just as before.
 

Marco Ertel

Dabbler
Joined
Apr 13, 2016
Messages
28
Hi,
I checked the version of guacd (in the jail, guacd -v), which shows that the version isn't the latest, rather 1.5.0, so the jar file you're working with is too new.

So I downloaded the 1.5.0 version instead (https://archive.apache.org/dist/guacamole/1.5.0/binary/guacamole-auth-totp-1.5.0.tar.gz), put it in the new location as mentioned above and restarted the jail... works just as before.
arghh- too new...
I've now tried it with the 1.5.0 and you're right- that works!

Many thanks!
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
Actually you can even see that in your own post:
-rw-r--r-- 1 root wheel 10777863 Jul 12 08:58 guacamole-auth-jdbc-mysql-1.5.0.jar
The other extension already there is version 1.5.0, so that seems to be a key to use in future. (if you couldn't be bothered with guacd -v)
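As an added check (example code, not from the thread or the Guacamole project) that automates what sretalla did by hand above: take the version from the JDBC jar the plugin ships with, flag any extension whose version differs, and compare each jar's owner and mode against that reference jar. The directory contents are constructed scratch files, not a real jail.

```python
"""Sanity-check a Guacamole extensions directory (added example).

Per jar file it checks that the version suffix matches the bundled JDBC
extension (a 1.5.2 TOTP jar is silently ignored by a 1.5.0 install, as the
thread found) and that owner and mode match that reference jar (a jar copied
in from outside the jail may carry the wrong ones)."""
import os
import re
import stat
import tempfile

JAR_RE = re.compile(r"^guacamole-auth-([a-z-]+)-(\d+\.\d+\.\d+)\.jar$")


def check_extensions(ext_dir, reference="jdbc-mysql"):
    """Return a list of problems found in ext_dir (empty list == looks fine)."""
    jars = {}
    for name in os.listdir(ext_dir):
        m = JAR_RE.match(name)
        if m:
            st = os.stat(os.path.join(ext_dir, name))
            jars[m.group(1)] = (m.group(2), stat.S_IMODE(st.st_mode), st.st_uid)
    if reference not in jars:
        return [f"no guacamole-auth-{reference} jar found to take the version from"]
    want_ver, want_mode, want_uid = jars[reference]
    problems = []
    for ext, (ver, mode, uid) in jars.items():
        if ver != want_ver:
            problems.append(f"{ext}: version {ver} does not match the install's {want_ver}")
        if mode != want_mode or uid != want_uid:
            problems.append(f"{ext}: mode {mode:o}/uid {uid} differ from the "
                            f"reference jar ({want_mode:o}/uid {want_uid})")
    return problems


def demo_dir(names, bad_mode_for=None):
    """Create a scratch directory of empty, constructed jar files for the demo."""
    d = tempfile.mkdtemp()
    for n in names:
        path = os.path.join(d, n)
        open(path, "w").close()
        os.chmod(path, 0o600 if n == bad_mode_for else 0o644)
    return d


if __name__ == "__main__":
    ok = demo_dir(["guacamole-auth-jdbc-mysql-1.5.0.jar", "guacamole-auth-totp-1.5.0.jar"])
    mismatch = demo_dir(["guacamole-auth-jdbc-mysql-1.5.0.jar", "guacamole-auth-totp-1.5.2.jar"])
    print(check_extensions(ok))        # []
    print(check_extensions(mismatch))  # one version-mismatch problem
```

Point it at the real directory with `check_extensions("/etc/guacamole/extensions")` (or the GUACAMOLE_HOME/extensions path mentioned above) from inside the jail.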
 

medi_kk

Cadet
Joined
Jan 11, 2024
Messages
2
Hi everyone,
- I used wget to fetch and download the official totp tar.gz file (From the official guacamole.org web site)
- Then extracted the tar.gz file, then copying just the .jar file to the /etc/guacamole/extensions folder.

Then I set it up and scanned it on my iPhone with the Google Authenticator app, and on the QR code page, after entering 8 digits, I get "Verification failed. Please try again". How can I fix this problem?

root@apachegua:~# ls -l /etc/guacamole/extensions/
итого 78152
-rw-r--r-- 1 root root 10998186 дек 28 12:06 guacamole-auth-jdbc-mysql-1.5.3.jar
-rw-r--r-- 1 guacam guacam 13096260 июл 26 12:01 guacamole-auth-ldap-1.5.3.jar
-rw-r--r-- 1 guacam guacam 4910381 июл 26 12:02 guacamole-auth-totp-1.5.3.jar
root@apachegua:~#
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Are time and date inside the jail correct?
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
Are time and date inside the jail correct?
That's a big one. If the time is off even by 30 seconds, TOTP will never work. It's one reason that I installed a pair of NTP servers here, since Comcast has in the past blocked access to port 123 (used by NTP) on a seemingly-random, and definitely un-announced, basis. I highly recommend the NTP200 or NTP250 series from centerclick for this application - a very stable, easy-to-use NTP server.

Yes, you can go build a RPi with a Uputronics hat to do the same thing. Maybe even achieve a stable platform and/or integrate it with other stuff (kubernetes, HA, NUTS, etc), but it will never be as easy to use as the NTP2x0 series. Price-wise the NTP200/250 are also affordable compared to RPi solutions or even stuff from eBay. Plus, the NTP250 can be powered off POE or USB, allowing it to be installed in optimal locations with nothing more than an ethernet cable. Both of my GPS NTPs are installed indoors, under a finished roof and work beautifully, only using about 60% of the satellites they can get a good fix from.
 
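To show why the clock matters, here is an added example (not from the thread or Guacamole's own code) implementing RFC 6238 TOTP and replaying a login where the phone uses the true time while the jail's clock is off by a constructed number of seconds. The key is the RFC 6238 test-vector key, and the `window` argument is an assumed server tolerance, not Guacamole's documented setting.

```python
"""RFC 6238 TOTP and the effect of a drifted server clock (added example)."""
import hashlib
import hmac
import struct

STEP = 30  # RFC 6238 default time step in seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify(secret: bytes, code: str, server_time: int, window: int = 0) -> bool:
    """Server-side check: accept the code for the server's current step and up
    to `window` steps either side (window=0 means the exact step only)."""
    step_now = server_time // STEP
    return any(hotp(secret, step_now + k) == code
               for k in range(-window, window + 1))


def drift_outcome(secret: bytes, true_time: int, jail_drift: int,
                  window: int = 0) -> bool:
    """The phone shows the code for the real time; the jail checks it against
    its own clock, which is `jail_drift` seconds off. Returns login success."""
    phone_code = totp(secret, true_time)
    return verify(secret, phone_code, true_time + jail_drift, window)


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 6238 Appendix B test key (constructed, not a real enrolment)
    t = 1_700_000_000              # constructed "true" time, 20 s into its step
    for drift in (0, 10, 30, 90):
        print(f"jail clock off by {drift:3d}s: exact-step check "
              f"{drift_outcome(key, t, drift)}, one-step tolerance "
              f"{drift_outcome(key, t, drift, window=1)}")
```

A drift of 30 s always lands in a different step, and even a 10 s drift fails when the true time sits near a step boundary; a one-step tolerance rescues those but not 90 s.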