Re: How-to - Guacamole with Google Authenticator for 2FA

2017-10-01 Thread Nick Couchman
>
> My impression of CAS is that it is notoriously difficult to get working
> due to its relative paucity of documentation / sample configurations, and
> its development / release ethos.  On that basis, any write-up would benefit
> CAS even more than Guacamole!
>
>
Yes, I've set it up several times, and, while I'm better at it, I still
have trouble getting all of the options, syntax, etc., correct due to the
lack of documentation that does not assume an intimate knowledge of the
source code and the lack of comprehensive examples.


> The good news regarding TOTP 2FA is that if you look at GUACAMOLE-96,
> there may be some good news soon enough.
>
>
Yeah, I hope we can produce something that brings the capability into the
product, even if it is supported by external authentication mechanisms.  I
also have a RADIUS module currently going through the review process and,
someday, I hope that'll finish the review process and be available, as
well.  Getting 2FA set up in RADIUS isn't too bad, especially with things
like LOTP.

-Nick


Re: How-to - Guacamole with Google Authenticator for 2FA

2017-10-01 Thread David Bonnes
Thanks,

For anyone trying, I should warn you that *cas.authn.jdbc.encode* doesn't
look compatible with the salted SHA-256 passwords as stored in Guacamole's
guacamole_db (which is why I used
*cas.authn.jdbc.query[0].fieldPassword=username* (i.e. username rather than
password) for my test-bed); in theory, *cas.authn.jdbc.encode* should work
with a NULL salt, but I couldn't get that working either (I thought maybe
due to upper/lowercase mismatch of hex strings?).

My impression of CAS is that it is notoriously difficult to get working due
to its relative paucity of documentation / sample configurations, and its
development / release ethos.  On that basis, any write-up would benefit CAS
even more than Guacamole!

The good news regarding TOTP 2FA is that if you look at GUACAMOLE-96,
there may be some good news soon enough.


On Sun, 1 Oct 2017 at 02:21 Nick Couchman  wrote:

> David,
> Thanks for the fantastic write-up!  I think using CAS only for Guacamole
> 2FA is probably overkill for most folks, but if you're already using CAS or
> want CAS for 2FA for other stuff, and want to integrate Guacamole into it,
> this is great.  I'll try to take a look at your write-up in detail and
> provide some suggested edits for it.  Don't know exactly where the best
> place to post it would be, but I definitely think it should be made
> available!  I think it probably should be made available to a wider
> audience than just the Guacamole folks, as I think it's probably useful for
> folks who want to do 2FA with CAS, in general.
>
> -Nick
>
> On Fri, Sep 29, 2017 at 6:09 PM, David Bonnes  wrote:
>
>> For humor, I set up an Apereo CAS server as a means to use gauth/TOTP as a
>> second-factor for authenticating with guacamole.  It was working 100%, but
>> personally, I'll be sticking with DUO for now.  However, I think some
>> people would want this feature.
>>
>> I really think the method I used needs writing up somewhere for the
>> benefit of the community (and doubtless for them to improve), but I am not
>> the person to do that...
>>
>> Is someone willing to edit my notes, and post a nice tutorial somewhere?
>> For the right person (i.e. some evidence you'll write up a nice how-to), I
>> am willing to take some time to explain what worked, what didn't, and why.
>>
>> If not, and in any case, here is the bulk of my notes/scripts...
>>
>>
>> #!/bin/bash
>>
>> 
>> #0. Confirm that Guacamole is working with MySQL (have something in the
>> profile)
>> #1. Test basic config of CAS via CAS - need to set log folder
>> #2. Switch to static account (same name as one in 0.) via CAS - consider
>> SHA256 encoding
>> #3. Test auth through guacamole - should see profile (will need service
>> registry)
>> #4. Switch to jdbc auth (QUERY) on CAS - (may need to set permission for
>> guac_username) - can test auth-d via cas logon page first
>> #5. As above, but with Gauth
>>
>> 
>>
>>
>> 
>> ## Install CAS webapp via the overlay method
>> # can change  in pom.xml for other versions...
>>   mkdir /opt; cd /opt
>>   git clone -b 5.2 https://github.com/apereo/cas-overlay-template cas
>>   cd cas
>>   chmod a+x build.sh
>>
>>
>>
>>
>>
>> 
>> # To eliminate: "Non-secure Connection" warning, add secure="true" to
>> 8080 of /var/lib/tomcat8/conf/server.xml
>>
>> ### ./etc/cas/config/log4j2.xml: set > name="cas.log.dir">/var/log/tomcat8
>>   sed -i -e '/"cas.log.dir"/ s:>.*<:>/var/log/tomcat8<:'
>> etc/cas/config/log4j2.xml
>>   mkdir -p /etc/cas/logs; chmod a+w /etc/cas/logs
>>
>> ### ./pom.xml - will need this eventually
>> #   5.2.0-RC4-SNAPSHOT
>>
>> ## ./etc/cas/config/cas.properties
>> ## Enable logging...
>>   logging.level.org.apereo: TRACE
>>   logging.config: file:/etc/cas/config/log4j2.xml
>>
>> ## Set CAS server name URL...
>>   cas.server.name:   https://vm-builder.home:8443
>>   cas.server.prefix: ${cas.server.name}/cas
>>
>> ## Enable basic admin pages...
>>   cas.adminPagesSecurity.ip=172\.27\.0\.99
>>   cas.monitor.endpoints.enabled=true
>>   cas.monitor.endpoints.sensitive=false
>>
>>
>>
>>
>> 
>>
>>
>> service tomcat8 stop
>> rm /var/log/tomcat8/*; rm /etc/cas/logs/*
>> rm -r /var/lib/tomcat8/webapps/cas; rm /var/lib/tomcat8/webapps/cas.war
>> ./build.sh package
>> cp /opt/cas/target/cas.war /var/lib/tomcat8/webapps
>> cp -
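One way to test David's hex-case suspicion offline, as an added example that is not code from the thread or from Guacamole or CAS: it assumes (not stated above) that guacamole-auth-jdbc stores `password_hash` as SHA-256 over the password concatenated with the upper-case hex of `password_salt`, and it reports which casing of the salt reproduces a stored hash. The values in the demo are constructed.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Assumption (not stated in the thread): guacamole-auth-jdbc stores
# password_hash = SHA-256(password || HEX(password_salt)) as 32 raw bytes,
# where HEX() is the UPPER-case hex of a 32-byte random salt.


def guacamole_password_hash(password: str, salt: bytes, upper_hex: bool = True) -> bytes:
    """Digest a password the way the Guacamole JDBC module is assumed to.

    upper_hex=False reproduces the lower-case variant that an external
    encoder (for example a CAS JDBC encoder) might compute instead.
    """
    salt_hex = salt.hex().upper() if upper_hex else salt.hex().lower()
    data = password.encode("utf-8") + salt_hex.encode("ascii")
    return hashlib.sha256(data).digest()


def make_guacamole_credential(password: str) -> Tuple[bytes, bytes]:
    """Return (password_hash, password_salt) for a new guacamole_user row."""
    salt = secrets.token_bytes(32)
    return guacamole_password_hash(password, salt), salt


def verify_guacamole_password(password: str, stored_hash: bytes, stored_salt: bytes) -> bool:
    """Constant-time comparison against the stored hash and salt."""
    candidate = guacamole_password_hash(password, stored_salt)
    return secrets.compare_digest(candidate, stored_hash)


def diagnose_salt_case(password: str, stored_hash: bytes, stored_salt: bytes) -> Optional[str]:
    """Report which hex casing of the salt reproduces stored_hash.

    Returns "upper", "lower", or None when neither matches (wrong password,
    or a different scheme such as salt-first or iterated hashing).
    """
    for label, upper in (("upper", True), ("lower", False)):
        if secrets.compare_digest(
            guacamole_password_hash(password, stored_salt, upper), stored_hash
        ):
            return label
    return None


if __name__ == "__main__":
    # Constructed demo values, not from any real database.
    digest, salt = make_guacamole_credential("P@ssw0rd")
    print("verify:", verify_guacamole_password("P@ssw0rd", digest, salt))
    print("casing:", diagnose_salt_case("P@ssw0rd", digest, salt))
```

Run `diagnose_salt_case` against a real `guacamole_user` row's `password_hash` and `password_salt` (read as raw bytes) to see whether an external encoder that lower-cases the salt could ever match.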

Re: How-to - Guacamole with Google Authenticator for 2FA

2017-09-30 Thread Nick Couchman
David,
Thanks for the fantastic write-up!  I think using CAS only for Guacamole
2FA is probably overkill for most folks, but if you're already using CAS or
want CAS for 2FA for other stuff, and want to integrate Guacamole into it,
this is great.  I'll try to take a look at your write-up in detail and
provide some suggested edits for it.  Don't know exactly where the best
place to post it would be, but I definitely think it should be made
available!  I think it probably should be made available to a wider
audience than just the Guacamole folks, as I think it's probably useful for
folks who want to do 2FA with CAS, in general.

-Nick

On Fri, Sep 29, 2017 at 6:09 PM, David Bonnes  wrote:

> For humor, I set up an Apereo CAS server as a means to use gauth/TOTP as a
> second-factor for authenticating with guacamole.  It was working 100%, but
> personally, I'll be sticking with DUO for now.  However, I think some
> people would want this feature.
>
> I really think the method I used needs writing up somewhere for the
> benefit of the community (and doubtless for them to improve), but I am not
> the person to do that...
>
> Is someone willing to edit my notes, and post a nice tutorial somewhere?
> For the right person (i.e. some evidence you'll write up a nice how-to), I
> am willing to take some time to explain what worked, what didn't, and why.
>
> If not, and in any case, here is the bulk of my notes/scripts...
>
>
> #!/bin/bash
> 
> 
> #0. Confirm that Guacamole is working with MySQL (have something in the
> profile)
> #1. Test basic config of CAS via CAS - need to set log folder
> #2. Switch to static account (same name as one in 0.) via CAS - consider
> SHA256 encoding
> #3. Test auth through guacamole - should see profile (will need service
> registry)
> #4. Switch to jdbc auth (QUERY) on CAS - (may need to set permission for
> guac_username) - can test auth-d via cas logon page first
> #5. As above, but with Gauth
> 
> 
>
> 
> 
> ## Install CAS webapp via the overlay method
> # can change  in pom.xml for other versions...
>   mkdir /opt; cd /opt
>   git clone -b 5.2 https://github.com/apereo/cas-overlay-template cas
>   cd cas
>   chmod a+x build.sh
>
>
>
>
> 
> 
> # To eliminate: "Non-secure Connection" warning, add secure="true" to 8080
> of /var/lib/tomcat8/conf/server.xml
>
> ### ./etc/cas/config/log4j2.xml: set /var/log/tomcat8
>   sed -i -e '/"cas.log.dir"/ s:>.*<:>/var/log/tomcat8<:'
> etc/cas/config/log4j2.xml
>   mkdir -p /etc/cas/logs; chmod a+w /etc/cas/logs
>
> ### ./pom.xml - will need this eventually
> #   5.2.0-RC4-SNAPSHOT
>
> ## ./etc/cas/config/cas.properties
> ## Enable logging...
>   logging.level.org.apereo: TRACE
>   logging.config: file:/etc/cas/config/log4j2.xml
>
> ## Set CAS server name URL...
>   cas.server.name:   https://vm-builder.home:8443
>   cas.server.prefix: ${cas.server.name}/cas
>
> ## Enable basic admin pages...
>   cas.adminPagesSecurity.ip=172\.27\.0\.99
>   cas.monitor.endpoints.enabled=true
>   cas.monitor.endpoints.sensitive=false
>
>
>
> 
> 
>
>
> service tomcat8 stop
> rm /var/log/tomcat8/*; rm /etc/cas/logs/*
> rm -r /var/lib/tomcat8/webapps/cas; rm /var/lib/tomcat8/webapps/cas.war
> ./build.sh package
> cp /opt/cas/target/cas.war /var/lib/tomcat8/webapps
> cp -r etc/cas/ /etc
> service tomcat8 restart
> tail -f /var/log/tomcat8/catalina.out
>
>
> 
> 
> # see: https://apereo.github.io/cas/5.1.x/installation/Whitelist-
> Authentication.html
>
>
> ### ./etc/cas/config/cas.properties
> ## A whitelist of users (use SHA-256 password hash)...
> # cas.authn.accept.users=dbonnes::P@ssw0rd
>   cas.authn.accept.users=dbonnes::d61bcb77d84080738bd5993b18
> 1400992e8c272b372bb4e33522427936
>   cas.authn.accept.passwordEncoder.type=DEFAULT
>   cas.authn.accept.passwordEncoder.characterEncoding=UTF-8
>   cas.authn.accept.passwordEncoder.encodingAlgorithm=SHA-256
>
>
>
> 
> 
> # see: https://groups.google.com/a/apereo.org/forum/#!topic/cas-
> user/jJ8OOyoQoBw
>
> ### ./pom.xml
> 
> org.apereo.cas
> cas-server-support-json-service-registry
> ${c