kasmtech / workspaces-issues


[2fa using host not server] Time was off on my windows host and I could not login with default token drift #494

Open Bootz4ME opened 10 months ago

Bootz4ME commented 10 months ago

Describe the bug 2fa for kasm single server seems to sync to the host not the server.

To Reproduce I have 2fa turned on. I'm running ubuntu on a hetzner server. The server has ntp enabled and active with the correct time. I'm then on a Windows host using Edge to connect to my kasm instance. The time is incorrect on the windows host by 4 minutes. I cannot login as the token is incorrect. I then go to another host with the correct time. I login to kasm just fine.

Workspaces Version Version 1.14

Workspaces Installation Method Single Server

Client Browser (please complete the following information):

Workspace Server Information (please provide the output of the following commands):

```
Server:
 Containers: 9
  Running: 9
  Paused: 0
  Stopped: 0
 Images: 30
 Server Version: 24.0.7
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: d8f198a4ed8892c764191ef7b3b06d8a2eeb5c7f
 runc version: v1.1.10-0-g18a0cb0
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 5.15.0-89-generic
 Operating System: Ubuntu 22.04.3 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 7.566GiB
 Name: ubuntu-4gb-ash-1
 ID: KG72:6VOV:5TXS:C3ZQ:SOQ6:6JDS:NHKL:UB5D:MN3O:Q7T3:TL73:RZLJ
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Username: youcannothavemyusername
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
```

mmcclaskey commented 10 months ago

Per the TOTP protocol, the time needs to be synchronized between both the client and the server. The way that TOTP works (oversimplified) is that the client and server share a long secret key and a shared idea of what time it is, and they use those two pieces of information to produce a code. They should both produce the same 6-to-8-digit code each time, as long as both the time and secret keys match. Thus, the time needs to be accurate on both sides. The token drift does allow you to accommodate some natural drift between client and server times. This was added to support physical TOTP tokens, which have no way to sync time and use a cheap crystal oscillator to track time, which can drift up to a few minutes per year. Computers and phones using a soft TOTP token have the advantage of using NTP or other methods to synchronize time.

All that said, I think it is working exactly as designed. If time synchronization is an issue, you would want to use an alternate 2FA approach. With 1.15.0 we will support WebAuthn, so Windows Hello, Apple Touch ID, YubiKeys, etc. Alternatively you can use a SAML or OIDC identity provider like Keycloak, if Kasm's built-in 2FA support does not meet your specific requirements.