Test System: I am using the Guacamole Docker container for 1.6.0 RC on Docker Hub. Brand new Postgres database. Also using the guacamole-auth-jdbc-postgresql-1.6.0.jar plugin with both schemas applied, specifically 001-create-schema.sql and 002-create-admin-user.sql. Using TOTP from this link: https://dist.apache.org/repos/dist/dev/guacamole/1.6.0-RC1/binary/guacamole-auth-totp-1.6.0.tar.gz
Reproducible: I had tried to log in with guacadmin/guacadmin and it asks to enroll in TOTP with QR code. I scanned the QR code with Google Authenticator. I logged out and logged back in, this time giving the resulting 6-digit code I got back from Google Authenticator. It says "Verification failed. Please try again." after giving the correct code.

Expected Behavior: Log the user in. It seems to work fine with the version 1.5.5 Docker Hub release.

The logs in podman indicate the following:

$ podman logs guacamole
'/tmp/guacamole-home.XZkfSvMiY5/extensions/guacamole-auth-jdbc-postgresql-1.6.0.jar' -> '/etc/guacamole/extensions/guacamole-auth-jdbc-postgresql-1.6.0.jar'
'/tmp/guacamole-home.XZkfSvMiY5/extensions/guacamole-auth-totp.jar' -> '/etc/guacamole/extensions/guacamole-auth-totp.jar'
'/tmp/guacamole-home.XZkfSvMiY5/branding.jar' -> '/etc/guacamole/branding.jar'
'/tmp/guacamole-home.XZkfSvMiY5/guacamole-auth-jdbc-1.6.0' -> '/etc/guacamole/guacamole-auth-jdbc-1.6.0'
'/tmp/guacamole-home.XZkfSvMiY5/guacamole-auth-jdbc-1.6.0.tar.gz' -> '/etc/guacamole/guacamole-auth-jdbc-1.6.0.tar.gz'
NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
07-May-2025 15:49:45.311 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name: Apache Tomcat/9.0.104
07-May-2025 15:49:45.317 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built: Apr 4 2025 12:32:55 UTC
07-May-2025 15:49:45.317 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 9.0.104.0
07-May-2025 15:49:45.317 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name: Linux
07-May-2025 15:49:45.318 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version: 4.18.0-553.50.1.el8_10.x86_64
07-May-2025 15:49:45.318 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture: amd64
07-May-2025 15:49:45.318 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home: /opt/java/openjdk
07-May-2025 15:49:45.318 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version: 21.0.7+6-LTS
07-May-2025 15:49:45.318 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor: Eclipse Adoptium
07-May-2025 15:49:45.318 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE: /tmp/catalina-base.za409KAO0O
07-May-2025 15:49:45.318 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME: /usr/local/tomcat
07-May-2025 15:49:45.338 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
07-May-2025 15:49:45.338 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang.invoke=ALL-UNNAMED
07-May-2025 15:49:45.338 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang.reflect=ALL-UNNAMED
07-May-2025 15:49:45.338 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
07-May-2025 15:49:45.338 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util=ALL-UNNAMED
07-May-2025 15:49:45.339 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util.concurrent=ALL-UNNAMED
07-May-2025 15:49:45.339 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
07-May-2025 15:49:45.346 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/tmp/catalina-base.za409KAO0O/conf/logging.properties
07-May-2025 15:49:45.346 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
07-May-2025 15:49:45.346 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
07-May-2025 15:49:45.347 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
07-May-2025 15:49:45.347 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dsun.io.useCanonCaches=false
07-May-2025 15:49:45.347 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
07-May-2025 15:49:45.347 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=
07-May-2025 15:49:45.347 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/tmp/catalina-base.za409KAO0O
07-May-2025 15:49:45.347 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/local/tomcat
07-May-2025 15:49:45.347 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/tmp/catalina-base.za409KAO0O/temp
07-May-2025 15:49:45.356 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.3.1] using APR version [1.7.2].
07-May-2025 15:49:45.357 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true], UDS [true].
07-May-2025 15:49:45.357 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
07-May-2025 15:49:45.364 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 3.0.13 30 Jan 2024]
07-May-2025 15:49:46.253 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
07-May-2025 15:49:46.295 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [1310] milliseconds
07-May-2025 15:49:46.390 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
07-May-2025 15:49:46.391 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.104]
07-May-2025 15:49:46.424 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/tmp/catalina-base.za409KAO0O/webapps/guacamole.war]
07-May-2025 15:49:49.541 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
15:49:50.002 [main] INFO org.apache.guacamole.environment.LocalEnvironment -- GUACAMOLE_HOME is "/tmp/guacamole-home.XZkfSvMiY5".
15:49:50.227 [main] INFO org.apache.guacamole.GuacamoleServletContextListener -- Read configuration parameters from "/tmp/guacamole-home.XZkfSvMiY5/guacamole.properties".
15:49:50.229 [main] INFO org.apache.guacamole.GuacamoleServletContextListener -- Additional configuration parameters may be read from environment variables.
15:49:50.234 [main] INFO org.apache.guacamole.GuacamoleServletContextListener -- Additional configuration parameters may be read from files pointed to by "*_FILE" environment variables.
15:49:50.237 [main] INFO org.apache.guacamole.rest.auth.HashTokenSessionMap -- Sessions will expire after 60 minutes of inactivity.
15:49:50.443 [main] INFO org.apache.guacamole.log.LogModule -- Logging will be at the "info" level.
15:49:51.101 [main] INFO o.a.g.extension.ExtensionModule - Multiple extensions are installed and will be loaded in order of decreasing priority:
15:49:51.102 [main] INFO o.a.g.extension.ExtensionModule - - [ban] "Brute-force Authentication Detection/Prevention" (/tmp/guacamole-home.XZkfSvMiY5/extensions/guacamole-auth-ban.jar)
15:49:51.102 [main] INFO o.a.g.extension.ExtensionModule - - [postgresql] "PostgreSQL Authentication" (/tmp/guacamole-home.XZkfSvMiY5/extensions/guacamole-auth-jdbc-postgresql-1.6.0.jar)
15:49:51.102 [main] INFO o.a.g.extension.ExtensionModule - - [postgresql] "PostgreSQL Authentication" (/tmp/guacamole-home.XZkfSvMiY5/extensions/guacamole-auth-jdbc-postgresql.jar)
15:49:51.102 [main] INFO o.a.g.extension.ExtensionModule - - [totp] "TOTP TFA Authentication Backend" (/tmp/guacamole-home.XZkfSvMiY5/extensions/guacamole-auth-totp.jar)
15:49:51.102 [main] INFO o.a.g.extension.ExtensionModule - To change this order, set the "extension-priority" property or rename the extension files. The default priority of extensions is dictated by the sort order of their filenames.
15:49:51.136 [main] INFO o.a.g.a.b.BanningAuthenticationListener - Addresses will be automatically banned for 300 seconds after 5 failed authentication attempts. Up to 10485760 unique addresses will be tracked/banned at any given time.
15:49:51.207 [main] INFO o.a.g.extension.ExtensionModule - Extension "Brute-force Authentication Detection/Prevention" (ban) loaded.
15:49:52.851 [main] INFO o.a.g.extension.ExtensionModule - Extension "PostgreSQL Authentication" (postgresql) loaded.
15:49:54.114 [main] INFO o.a.g.extension.ExtensionModule - Extension "PostgreSQL Authentication" (postgresql) loaded.
15:49:54.423 [main] INFO o.a.g.extension.ExtensionModule - Extension "TOTP TFA Authentication Backend" (totp) loaded.
15:49:54.616 [main] INFO o.a.g.t.w.WebSocketTunnelModule - Loading JSR-356 WebSocket support...
15:49:54.839 [main] INFO o.a.g.event.EventLoggingListener - The Apache Guacamole web application has started.
15:49:55.568 [main] WARN o.g.jersey.server.wadl.WadlFeature - JAXBContext implementation could not be found. WADL feature is disabled.
07-May-2025 15:49:56.136 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/tmp/catalina-base.za409KAO0O/webapps/guacamole.war] has finished in [9,711] ms
07-May-2025 15:49:56.141 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
07-May-2025 15:49:56.178 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [9881] milliseconds
15:50:29.341 [http-nio-8080-exec-1] INFO o.a.g.a.b.s.InMemoryAuthenticationFailureTracker - Authentication has failed for address "10.x.x.x" (current total failures: 1/5).
15:50:29.342 [http-nio-8080-exec-1] WARN o.a.g.event.EventLoggingListener - Authentication attempt from [10.x.x.x, 10.x.x.x] for user "guacadmin" failed: Provided TOTP code is not valid. (rejected by "totp")
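
A triage check over the startup log above, as an added example that is not part of the original report or of Guacamole: it lists any extension namespace that the ExtensionModule lines show coming from more than one JAR, and which extension rejected each failed login. The function names are illustrative, and the sample lines are excerpted from the log in this report.

```python
import re
from collections import defaultdict

# Sample input: lines excerpted from the podman log in this report.
SAMPLE_LOG = """\
15:49:51.102 [main] INFO o.a.g.extension.ExtensionModule - - [ban] "Brute-force Authentication Detection/Prevention" (/tmp/guacamole-home.XZkfSvMiY5/extensions/guacamole-auth-ban.jar)
15:49:51.102 [main] INFO o.a.g.extension.ExtensionModule - - [postgresql] "PostgreSQL Authentication" (/tmp/guacamole-home.XZkfSvMiY5/extensions/guacamole-auth-jdbc-postgresql-1.6.0.jar)
15:49:51.102 [main] INFO o.a.g.extension.ExtensionModule - - [postgresql] "PostgreSQL Authentication" (/tmp/guacamole-home.XZkfSvMiY5/extensions/guacamole-auth-jdbc-postgresql.jar)
15:49:51.102 [main] INFO o.a.g.extension.ExtensionModule - - [totp] "TOTP TFA Authentication Backend" (/tmp/guacamole-home.XZkfSvMiY5/extensions/guacamole-auth-totp.jar)
15:50:29.342 [http-nio-8080-exec-1] WARN o.a.g.event.EventLoggingListener - Authentication attempt from [10.x.x.x, 10.x.x.x] for user "guacadmin" failed: Provided TOTP code is not valid. (rejected by "totp")
"""

# One entry of the "Multiple extensions are installed" list:
#   - [namespace] "Display name" (/path/to/extension.jar)
EXT_RE = re.compile(
    r'ExtensionModule - - \[(?P<ns>[^\]]+)\] "(?P<name>[^"]+)" \((?P<path>[^)]+)\)'
)
# Failed-login event, including the extension that rejected the attempt.
REJECT_RE = re.compile(
    r'for user "(?P<user>[^"]+)" failed: (?P<reason>.*?) \(rejected by "(?P<ns>[^"]+)"\)'
)


def duplicate_extensions(log):
    """Map each namespace listed more than once to the JAR file names involved."""
    by_ns = defaultdict(list)
    for m in EXT_RE.finditer(log):
        by_ns[m.group("ns")].append(m.group("path").rsplit("/", 1)[-1])
    return {ns: jars for ns, jars in by_ns.items() if len(jars) > 1}


def rejections(log):
    """Return (user, rejecting extension, reason) for each failed login event."""
    return [(m.group("user"), m.group("ns"), m.group("reason"))
            for m in REJECT_RE.finditer(log)]


if __name__ == "__main__":
    for ns, jars in duplicate_extensions(SAMPLE_LOG).items():
        print(f"namespace [{ns}] listed from {len(jars)} JARs: {', '.join(jars)}")
    for user, ns, reason in rejections(SAMPLE_LOG):
        print(f'user "{user}" rejected by "{ns}": {reason}')
```

The check only reports what the log lines state; whether the doubled [postgresql] entry has any bearing on the TOTP rejection is not something the log shows.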