Never mind,

The guacamole.properties has a trailing whitespace after the URL.

Thank You
Sean Hulbert
Founder / CEO
Security Centric Inc.

From: Sean Hulbert [mailto:shulb...@securitycentric.net.INVALID]
Sent: Saturday, March 25, 2023 12:27 AM
To: user@guacamole.apache.org
Subject: DUO token issues

Hello,

So I have only the DUO Jar in the extensions folder, and my guacamole.properties has the following:

mysql-hostname: localhost
mysql-port: 3306
mysql-database: SOMEDB
mysql-username: SOMEUSER
mysql-password: SOMEPASSWORD
mysql-user-password-min-length: 12
mysql-user-password-min-age: 7
mysql-user-password-max-age: 60
mysql-user-password-history-size: 6
mysql-user-password-require-multiple-case: true
mysql-user-password-require-symbol: true
mysql-user-password-require-digit: true
mysql-user-password-prohibit-username: true
mysql-server-timezone: America/Los_Angeles
totp-issuer: Internal-NAMEHERE
totp-mode: sha512
api-session-timeout: 5
duo-api-hostname: api-xxxxxxx.duosecurity.com
duo-integration-key: CLIENT ID FROM DUO HERE
duo-secret-key: SECRET FROM DUO HERE
duo-application-key: GENERATED ON GUACAMOLE USING PWGEN 40 1

I get this error:

LOGIN.INFO_DUO_AUTH_REQUIRED

Permissions are set correctly; I set it to the same as my TOTP jar when it was in the extension directory.

I did change the MySQL daemon to use loopback on both bind-address and mysqlx-bind-address; could this be an issue?

LOGS:

localhost_access_log.2023-03-25.txt

127.0.0.1 - - [25/Mar/2023:00:00:02 -0700] "GET /duo/api/session/data/mysql/connectionGroups/ROOT/tree HTTP/1.1" 200 1188
127.0.0.1 - - [25/Mar/2023:00:00:02 -0700] "GET /duo/api/session/data/mysql-shared/self/effectivePermissions HTTP/1.1" 200 248
127.0.0.1 - - [25/Mar/2023:00:00:02 -0700] "GET /duo/api/session/data/mysql-shared/activeConnections HTTP/1.1" 200 2
127.0.0.1 - - [25/Mar/2023:00:00:03 -0700] "GET /duo/api/session/data/mysql/users/USERACCOUNTHERE HTTP/1.1" 200 380
127.0.0.1 - - [25/Mar/2023:00:00:03 -0700] "GET /duo/api/session/data/mysql/self/effectivePermissions HTTP/1.1" 200 396
127.0.0.1 - - [25/Mar/2023:00:00:03 -0700] "GET /duo/api/session/data/mysql/activeConnections HTTP/1.1" 200 2
127.0.0.1 - - [25/Mar/2023:00:18:01 -0700] "DELETE /duo/api/session HTTP/1.1" 403 192
127.0.0.1 - - [25/Mar/2023:00:18:02 -0700] "POST /duo/api/tokens HTTP/1.1" 403 257
127.0.0.1 - - [25/Mar/2023:00:18:18 -0700] "POST /duo/api/tokens HTTP/1.1" 403 616
127.0.0.1 - - [25/Mar/2023:00:18:23 -0700] "POST /duo/api/tokens HTTP/1.1" 400 201

catalina.out

[2023-03-24 23:59:35] [info] 23:59:35.793 [main] INFO o.a.g.t.w.WebSocketTunnelModule - Loading JSR-356 WebSocket support...
[2023-03-24 23:59:37] [info] 23:59:37.574 [main] WARN o.g.jersey.server.wadl.WadlFeature - JAXBContext implementation could not be found. WADL feature is disabled.
[2023-03-24 23:59:38] [info] Deployment of web application archive [/var/lib/tomcat9/webapps/duo.war] has finished in [13,607] ms
[2023-03-24 23:59:38] [info] Deploying web application directory [/var/lib/tomcat9/webapps/ROOT]
[2023-03-24 23:59:39] [info] At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
[2023-03-24 23:59:39] [info] Deployment of web application directory [/var/lib/tomcat9/webapps/ROOT] has finished in [1,450] ms
[2023-03-24 23:59:39] [info] Starting ProtocolHandler ["http-nio-8080"]
[2023-03-24 23:59:39] [info] Server startup in [15347] milliseconds
[2023-03-24 23:59:40] [info] Loading class `com.mysql.jdbc.Driver'. This is deprecated. The new driver class is `com.mysql.cj.jdbc.Driver'. The driver is automatically registered via the SPI and manual loading of the driver class is generally unnecessary.
[2023-03-25 00:00:01] [info] 00:00:01.456 [http-nio-8080-exec-8] INFO o.a.g.r.auth.AuthenticationService - User "USERACCOUNTHERE" successfully authenticated from [172.16.8.2, 127.0.0.1].

guac_access.log

172.16.8.2 - - [25/Mar/2023:00:00:02 -0700] "GET /duo/api/session/data/mysql-shared/self/effectivePermissions HTTP/1.1" 200 248 "http://internal2.domainname.net/duo/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
172.16.8.2 - - [25/Mar/2023:00:00:02 -0700] "GET /duo/api/session/data/mysql-shared/activeConnections HTTP/1.1" 200 2 "http://internal2.domainname.net/duo/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
172.16.8.2 - - [25/Mar/2023:00:00:03 -0700] "GET /duo/api/session/data/mysql/users/USERACCOUNT HTTP/1.1" 200 380 "http://internal2.domainname.net/duo/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
172.16.8.2 - - [25/Mar/2023:00:00:03 -0700] "GET /duo/api/session/data/mysql/activeConnections HTTP/1.1" 200 2 "http://internal2.domainname.net/duo/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
172.16.8.2 - - [25/Mar/2023:00:00:03 -0700] "GET /duo/api/session/data/mysql/self/effectivePermissions HTTP/1.1" 200 396 "http://internal2.domainname.net/duo/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"

error.log

2023-03-25T06:04:55.313186Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.32' socket: '/var/run/mysqld/mysqld.sock' port: 3306 MySQL Community Server - GPL.
2023-03-25T06:08:26.630978Z 0 [System] [MY-013172] [Server] Received SHUTDOWN from user <via user signal>. Shutting down mysqld (Version: 8.0.32).
2023-03-25T06:08:27.653730Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.32) MySQL Community Server - GPL.
2023-03-25T06:08:28.254101Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.32) starting as process 1127
2023-03-25T06:08:28.280025Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
2023-03-25T06:08:28.929874Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
2023-03-25T06:08:29.491066Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
2023-03-25T06:08:29.491304Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
2023-03-25T06:08:29.621014Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: '127.0.0.1' port: 33060, socket: /var/run/mysqld/mysqlx.sock
2023-03-25T06:08:29.621889Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.32' socket: '/var/run/mysqld/mysqld.sock' port: 3306 MySQL Community Server - GPL.

Thoughts?
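
Added example, not part of the original message or of the Guacamole project: the cause reported at the top of this thread, trailing whitespace after a value in guacamole.properties, is invisible in most editors but can be checked for mechanically. The function names and the sample file are constructed for illustration; the check reports only line numbers and property names, never values, since the file holds secrets such as duo-secret-key and mysql-password.

```shell
#!/bin/sh
# Added example (not from the thread). find_trailing_ws and make_sample are
# hypothetical names; the sample file below is constructed.

# Print "line:key:count" for every property whose line ends in space, tab or
# CR (CRLF line endings count too), and return 1 if any were found.
# Values are never printed, so secrets do not end up in terminals or CI logs.
find_trailing_ws() {
    awk '
        /^[ \t\r]*([#!]|$)/ { next }            # skip comments and blank lines
        match($0, /[ \t\r]+$/) {
            key = $0
            sub(/^[ \t]+/, "", key)             # drop leading indentation
            sub(/[ \t]*[:=].*$/, "", key)       # keep only the property name
            printf "%d:%s:%d\n", NR, key, RLENGTH
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Write a constructed sample: line 3 ends in a space, line 5 in tab + CR.
make_sample() {
    {
        printf '# constructed sample file\n'
        printf 'mysql-hostname: localhost\n'
        printf 'duo-api-hostname: api-xxxxxxx.duosecurity.com \n'
        printf 'duo-secret-key: PLACEHOLDER\n'
        printf 'totp-mode: sha512\t\r\n'
    } > "$1"
}

# Demo run against the constructed sample.
sample=$(mktemp)
make_sample "$sample"
find_trailing_ws "$sample" || echo "trailing whitespace found on the lines above"
rm -f "$sample"
```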