On Thu, Mar 22, 2018 at 5:03 AM, Magnus Lobenhofer < [email protected]> wrote:
> Hello everybody,
>
> I am thrilled that the guacamole project exists and was able to
> successfully install Raspbian guacamole with tomcat8 on my Raspberry Pi.
> Login and remote control work perfectly.
>
> Now I want to use the extension for two-factor authentication (see chapter
> 8 of the documentation = https://guacamole.apache.org/doc/gug/duo-auth.html ).
> As far as I can tell, I have strictly followed
> the instructions. Even so, the tomcat server seems to take no notice of the
> JAR file guacamole-auth-duo-0.9.14.jar. After the basic login, you will not
> get the two-factor mask as expected.
>

Can you confirm what the base version of Guacamole you're running is? It looks like you're using 0.9.14 for the Duo module, but is that what you're using for Guacamole itself (the WAR file you deployed)?

> Note: originally the owner of the directory /etc/guacamole was root, in
> my troubleshooting I set the owner on tomcat8 because I suspected access
> problems.
> Without effect - neither negative nor positive.
>

Permissions look okay based on what you posted below.

> catalina.out also does not report any reference to the named JAR file.
>

Can you post the output of your catalina.out file, if not directly on here, then on a PasteBin and link to it? If no output at all is showing up in catalina.out, then check for Tomcat messages in /var/log/messages or journalctl, or wherever syslog is pointed on your RPi. I suspect that Tomcat is logging *something* of use.

> Here comes the file structure with permissions, and afterwards the content
> of guacamole.properties:
>
> root@raspberrypi:/etc/guacamole# ls -l
> -rw-r--r-- 1 tomcat8 root  381 Nov 29  2016 apache.conf
> drwxr-xr-x 2 tomcat8 root 4096 Mär 21 12:22 extensions
> -rw-r--r-- 1 tomcat8 root 2743 Mär 21 13:20 guacamole.properties
> drwxr-xr-x 2 tomcat8 root 4096 Mär 21 14:38 lib
> -rw-r--r-- 1 tomcat8 root  115 Nov 26  2016 tomcat.xml
> -rw-r----- 1 tomcat8 root 1660 Mär 21 11:41 user-mapping.xml
>
> root@raspberrypi:/etc/guacamole/extensions# ls -l
> insgesamt 768
> -rw-rw-r-- 1 tomcat8 root 784055 Jan  9 04:19 guacamole-auth-duo-0.9.14.jar
>
> root@raspberrypi:/usr/share/tomcat8# ls -la
> drwxr-xr-x  10 root root 4096 Mär 20 17:17 .
> drwxr-xr-x 209 root root 4096 Mär 20 21:31 ..
> drwxr-xr-x   2 root root 4096 Mär 20 13:52 bin
> drwxr-xr-x   3 root root 4096 Mär 20 16:52 commmon
> drwxr-xr-x   3 root root 4096 Mär 20 16:53 common
> drwxr-xr-x   2 root root 4096 Mär 20 16:56 conf
> -rw-r--r--   1 root root   39 Sep  3  2017 defaults.md5sum
> -rw-r--r--   1 root root 1911 Sep  3  2017 defaults.template
> lrwxrwxrwx   1 root root   15 Mär 20 17:17 .guacamole -> /etc/guacamole/
> drwxr-xr-x   2 root root 4096 Mär 20 13:52 lib
> -rw-r--r--   1 root root   53 Sep  3  2017 logrotate.md5sum
> -rw-r--r--   1 root root  134 Sep  3  2017 logrotate.template
> drwxr-xr-x   3 root root 4096 Mär 20 16:53 server
> drwxr-xr-x   3 root root 4096 Mär 20 16:51 shared
> drwxr-xr-x   2 root root 4096 Mär 20 16:51 temp
>

The symlink of .guacamole to /etc/guacamole should not be necessary if you're running 0.9.14. A change was introduced in 0.9.14 that looks for .guacamole in the home directory, first (e.g. tomcat user home directory) and then moves on to /etc/guacamole all by itself.

> Content of guacamole.properties:
>
> guacd-hostname: localhost
> guacd-port: 4822
>
> auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
> basic-user-mapping: /etc/guacamole/user-mapping.xml
>
> duo-api-hostname: api-(from duo com).duosecurity.com
> duo-integration-key: (key from duo.com)
> duo-secret-key: (key from due.com)
> duo-application-key: (key with 40 Characters)
>

A couple of things I notice here:

- The auth-provider property has absolutely no effect - it was deprecated a long time ago and doesn't do anything.
- You're using the basic file authentication module, and I'm not sure that that stacks at all with other authentication modules. I could be wrong about this, as I rarely ever use the basic file authentication module and so I tend to forget how it behaves, but that might be one of your issues and you might have to switch to something like the JDBC module to use it with Duo. Again, I'm not certain about that...

-Nick
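
A check for the guacamole.properties points raised in this thread, as an added example that is not part of the original messages or of the Guacamole project: it reports missing duo-* properties, a duo-application-key shorter than the 40 characters the Duo extension documentation asks for, and a leftover auth-provider line. The function names and the sample file contents are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): check guacamole.properties for the
# settings discussed above. Sample file contents below are constructed.

# Print the value of property $2 from file $1; Java properties allow ':' or '='.
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[:=][[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# Print one finding per line; return 0 only when nothing was found.
check_duo_config() {
    local file=$1 findings=0 name value
    for name in duo-api-hostname duo-integration-key duo-secret-key duo-application-key; do
        value=$(prop_value "$file" "$name")
        if [ -z "$value" ]; then
            echo "MISSING $name"; findings=$((findings + 1))
        fi
    done
    value=$(prop_value "$file" duo-application-key)
    if [ -n "$value" ] && [ "${#value}" -lt 40 ]; then
        echo "SHORT duo-application-key (${#value} chars, need at least 40)"
        findings=$((findings + 1))
    fi
    # The reply in this thread notes that auth-provider no longer has any effect.
    if grep -Eq '^[[:space:]]*auth-provider[[:space:]]*[:=]' "$file"; then
        echo "DEPRECATED auth-provider"; findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample mirroring the file quoted in the thread (placeholder keys).
write_sample() {
    cat > "$1" <<'EOF'
guacd-hostname: localhost
guacd-port: 4822
auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
duo-api-hostname: api-XXXXXXXX.duosecurity.com
duo-integration-key: PLACEHOLDERINTEGRATION
duo-application-key: tooshort
EOF
}

# When given a path, check that file, e.g. /etc/guacamole/guacamole.properties.
if [ "${1:-}" != "" ]; then check_duo_config "$1"; fi
```

Run it as the Tomcat user so that an unreadable properties file shows up as missing properties rather than passing silently.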
