jwetzell / docker-guacamole

A self-contained guacamole docker container for x64 and ARM. Remotely connect over SSH, RDP or VNC using HTML5.
https://hub.docker.com/r/oznu/guacamole/
GNU General Public License v3.0

Invalid Login After Creating A Second User #26

Closed ghost closed 9 months ago

ghost commented 9 months ago

Describe Your Problem:

I've been using this container successfully for the past year or so. I created my wife as a second user, and now my user says "Invalid Login".

Logs:

13-Dec-2023 02:46:00.489 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name:   Apache Tomcat/9.0.65
13-Dec-2023 02:46:00.496 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          Jul 14 2022 12:28:53 UTC
13-Dec-2023 02:46:00.497 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 9.0.65.0
13-Dec-2023 02:46:00.497 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Linux
13-Dec-2023 02:46:00.497 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version:            5.10.0-26-amd64
13-Dec-2023 02:46:00.497 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture:          amd64
13-Dec-2023 02:46:00.497 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home:             /usr/local/openjdk-11
13-Dec-2023 02:46:00.498 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           11.0.16+8
13-Dec-2023 02:46:00.498 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Oracle Corporation
13-Dec-2023 02:46:00.498 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         /usr/local/tomcat
13-Dec-2023 02:46:00.498 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         /usr/local/tomcat
13-Dec-2023 02:46:00.549 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
13-Dec-2023 02:46:00.549 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
13-Dec-2023 02:46:00.549 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util=ALL-UNNAMED
13-Dec-2023 02:46:00.549 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util.concurrent=ALL-UNNAMED
13-Dec-2023 02:46:00.550 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
13-Dec-2023 02:46:00.550 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties
13-Dec-2023 02:46:00.550 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
13-Dec-2023 02:46:00.550 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
13-Dec-2023 02:46:00.550 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
13-Dec-2023 02:46:00.551 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
13-Dec-2023 02:46:00.551 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=
13-Dec-2023 02:46:00.551 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/usr/local/tomcat
13-Dec-2023 02:46:00.551 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/local/tomcat
13-Dec-2023 02:46:00.551 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/usr/local/tomcat/temp
13-Dec-2023 02:46:00.599 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.2.35] using APR version [1.7.0].
13-Dec-2023 02:46:00.599 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true], UDS [true].
13-Dec-2023 02:46:00.600 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
13-Dec-2023 02:46:00.634 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1n  15 Mar 2022]
13-Dec-2023 02:46:01.624 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
13-Dec-2023 02:46:01.711 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [1847] milliseconds
13-Dec-2023 02:46:01.834 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
13-Dec-2023 02:46:01.834 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.65]
13-Dec-2023 02:46:01.872 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/usr/local/tomcat/webapps/ROOT.war]
13-Dec-2023 02:46:04.666 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
02:46:05.242 [main] INFO  o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/config/guacamole".
02:46:05.392 [main] INFO  o.a.g.GuacamoleServletContextListener - Read configuration parameters from "/config/guacamole/guacamole.properties".
02:46:05.394 [main] INFO  o.a.g.rest.auth.HashTokenSessionMap - Sessions will expire after 60 minutes of inactivity.
02:46:06.131 [main] INFO  o.a.g.extension.ExtensionModule - Multiple extensions are installed and will be loaded in order of decreasing priority:
02:46:06.131 [main] INFO  o.a.g.extension.ExtensionModule -  - [postgresql] "PostgreSQL Authentication" (/config/guacamole/extensions/guacamole-auth-jdbc-postgresql-1.5.3.jar)
02:46:06.131 [main] INFO  o.a.g.extension.ExtensionModule -  - [totp] "TOTP TFA Authentication Backend" (/config/guacamole/extensions/guacamole-auth-totp-1.5.3.jar)
02:46:06.131 [main] INFO  o.a.g.extension.ExtensionModule - To change this order, set the "extension-priority" property or rename the extension files. The default priority of extensions is dictated by the sort order of their filenames.
02:46:07.699 [main] INFO  o.a.g.extension.ExtensionModule - Extension "PostgreSQL Authentication" (postgresql) loaded.
02:46:07.972 [main] INFO  o.a.g.extension.ExtensionModule - Extension "TOTP TFA Authentication Backend" (totp) loaded.
02:46:08.149 [main] INFO  o.a.g.t.w.WebSocketTunnelModule - Loading JSR-356 WebSocket support...
02:46:09.056 [main] WARN  o.g.jersey.server.wadl.WadlFeature - JAXBContext implementation could not be found. WADL feature is disabled.
13-Dec-2023 02:46:09.484 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/usr/local/tomcat/webapps/ROOT.war] has finished in [7,612] ms
13-Dec-2023 02:46:09.491 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
13-Dec-2023 02:46:09.537 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [7823] milliseconds

Screenshots:

Environment:

jwetzell commented 9 months ago

Can you check that the volume for database persistence is still populated and mounted to the container correctly?

ghost commented 9 months ago

It is; it has not changed. I can log in as her, but not myself.

jwetzell commented 9 months ago

hmmm, I do see the TOTP extension is loaded, not sure that would be it. Have you tried changing the problem account's password from the new account, or does the new account not have sufficient privilege? I just tested on my own instance of 1.5.3 and had no issue creating multiple users and logging in as all of them.

ghost commented 9 months ago

New user is not admin; it's only got access to one VM, so when you log in and put in the TOTP, it auto-launches the RDP session. I tried looking at the Guac docs but couldn't find a good way to reset the password of the main account. I tried the insert user command here, but the included psql doesn't like the @ sign.

https://guacamole.apache.org/doc/gug/jdbc-auth.html#users

jwetzell commented 9 months ago

You could potentially try copying the salt/hash/date columns from the known working user to the "broken" user. Or query the tables to make sure that the other user is still present and the table columns look sane.

ghost commented 9 months ago

Could you hit me with some commands? I'm not very experienced with psql.

jwetzell commented 9 months ago

I would have to go exploring through the database, which might have to wait until morning. Calculating the needed values to insert into guacamole_entity shouldn't be bad. My go-to site for weird calculation things like this is [CyberChef](https://cyberchef.io/#recipe=Generate_UUID()SHA2('256',64,160)), which seems to have all the necessary functions (SHA, UUID, etc.) that would be needed here.

ghost commented 9 months ago

I tried my hand at it but it doesn't look like the included postgres has anything for handling sha/hex.

Using: SELECT decode(encode(digest(gen_random_uuid()::text, 'sha256'), 'hex'), 'hex') AS salt
function gen_random_uuid() does not exist

Using: WITH salt AS (
guacamole_db(#     SELECT decode(encode(digest(uuid_generate_v4()::text, 'sha256'), 'hex'), 'hex') AS salt
guacamole_db(# )

ERROR:  function digest(text, unknown) does not exist
LINE 2:     SELECT decode(encode(digest(uuid_generate_v4()::text, 's...
                                 ^
HINT:  No function matches the given name and argument types. You might need to add explicit type casts.

jwetzell commented 9 months ago

Right which is why I said one would have to "hand generate" the hex strings using a site like I linked.

ghost commented 9 months ago

I did that. I tried putting it in manually for the MySQL version that was on the site, then went to ChatGPT to give me the Postgres equivalent, and it gave me this:

```sql
-- Ensure the uuid-ossp extension is available for UUID generation
CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
-- digest() lives in pgcrypto; without it Postgres reports
-- "function digest(text, unknown) does not exist"
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Create base entity entry for user
INSERT INTO guacamole_entity (name, type)
VALUES ('myuser', 'USER');

-- Create user and hash password with salt
-- (digest() already returns bytea, so no encode/decode round trip is needed)
WITH salt AS (
    SELECT digest(uuid_generate_v4()::text, 'sha256') AS salt
)
INSERT INTO guacamole_user (
    entity_id,
    password_salt,
    password_hash,
    password_date
)
SELECT
    e.entity_id,
    s.salt,
    -- Guacamole hashes password || upper-case hex of the salt; encode() emits
    -- lower-case hex, so upper() is required or the login check will not match
    digest(CONCAT('mypassword', upper(encode(s.salt, 'hex'))), 'sha256'),
    CURRENT_TIMESTAMP
FROM
    guacamole_entity e,
    salt s
WHERE
    e.name = 'myuser'
    AND e.type = 'USER';
```

But I replaced the decode stuff with the hash that was generated. Still gave me errors. At this point I'm not sure which errors go with which attempts because I've been shotgunning combinations.

jwetzell commented 9 months ago

If you manually generated the password_salt and password_hash (not using Postgres functions, just regular SHA256 generation) and inserted those into the table, I'm not sure where else to go. Like I suggested before, you could copy the password_salt and password_hash from the known working user to a new user, or you could give the working account admin permissions using the guacamole_system_permission table as a way back in.
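
One way to hand-generate the salt/hash values discussed in this thread (and to check whether a stored row still matches a password), as an added example that is not part of this issue or the project's code. It assumes Guacamole's documented scheme (password_hash = SHA-256 of the password followed by the salt's upper-case hex) and the guacamole_user/guacamole_entity tables named above; the function names are hypothetical.

```python
"""Produce Guacamole-compatible password_salt / password_hash values outside
the database, so psql only has to run decode('...', 'hex') and needs neither
pgcrypto's digest() nor uuid-ossp (constructed example)."""
import hashlib
import hmac
import secrets
from typing import Optional


def make_salt() -> bytes:
    # 32 random bytes; same length as a SHA-256 digest, like the salts
    # Guacamole's own schema ships.
    return secrets.token_bytes(32)


def guac_hash(password: str, salt: bytes) -> bytes:
    # Assumption from Guacamole's JDBC auth: the salt is appended to the
    # password as UPPER-CASE hex before hashing (a lower-case hex salt
    # produces a hash the server will never accept).
    salted = password + salt.hex().upper()
    return hashlib.sha256(salted.encode("utf-8")).digest()


def verify(password: str, salt: bytes, stored_hash: bytes) -> bool:
    # Diagnostic: does this password match the salt/hash read back from the
    # guacamole_user row? Constant-time compare avoids timing leaks.
    return hmac.compare_digest(guac_hash(password, salt), stored_hash)


def reset_sql(username: str, password: str, salt: Optional[bytes] = None) -> str:
    # Emit an UPDATE with literal hex values for an existing user; the
    # username is embedded as a SQL literal, so single quotes are doubled.
    salt = salt if salt is not None else make_salt()
    pw_hash = guac_hash(password, salt)
    safe_user = username.replace("'", "''")
    return (
        "UPDATE guacamole_user SET\n"
        f"    password_salt = decode('{salt.hex().upper()}', 'hex'),\n"
        f"    password_hash = decode('{pw_hash.hex().upper()}', 'hex'),\n"
        "    password_date = CURRENT_TIMESTAMP\n"
        "WHERE entity_id = (SELECT entity_id FROM guacamole_entity\n"
        f"                   WHERE name = '{safe_user}' AND type = 'USER');"
    )


if __name__ == "__main__":
    # Paste the printed statement into psql as the database owner.
    print(reset_sql("myuser", "mypassword"))
```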

ghost commented 9 months ago

I think at this point it's just faster to delete my config directory and re-create the container. I'll do that. Thanks for the help though!

jwetzell commented 9 months ago

No problem. Can't say I've run into this; I've been creating/deleting users for a while, but I'll poke a little more to see if there is something strange going on.