{"id":849,"date":"2024-11-07T21:54:35","date_gmt":"2024-11-08T03:54:35","guid":{"rendered":"https:\/\/thecweb.com\/?p=849"},"modified":"2024-11-08T02:04:21","modified_gmt":"2024-11-08T08:04:21","slug":"guacamole-road-to-mfa-db-auth","status":"publish","type":"post","link":"https:\/\/thecweb.com\/index.php\/2024\/11\/07\/guacamole-road-to-mfa-db-auth\/","title":{"rendered":"Guacamole &#8211; Road to MFA &#8211; DB auth"},"content":{"rendered":"\n<p>I&#8217;ve decided, with all the convenience features I&#8217;ve got set up on the computers I remote into, that I should probably attempt to set up <a href=\"https:\/\/en.wikipedia.org\/wiki\/Time-based_one-time_password\" data-type=\"link\" data-id=\"https:\/\/en.wikipedia.org\/wiki\/Time-based_one-time_password\">TOTP<\/a> on the site to improve the security of the system.  The password and username I use haven&#8217;t been involved in any leaks that I know of, and both are unique to the site, plus you&#8217;d need the passwords to the actual computers too, but I figure it&#8217;s better safe than sorry.<\/p>\n\n\n\n<p>The first step is to configure a <a href=\"https:\/\/guacamole.apache.org\/doc\/gug\/jdbc-auth.html\" data-type=\"link\" data-id=\"https:\/\/guacamole.apache.org\/doc\/gug\/jdbc-auth.html\">database authentication extension<\/a>.  One nice thing about this change is that it will allow me to modify connections and user settings in the web interface, instead of connecting over SSH and modifying an XML file, and then restarting guacd.  <\/p>\n\n\n\n<p>Before that, I need to install the JDBC connector for mysql, which went without a hitch with<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt install \/media\/store\/mysql-connector-j_9.1.0-1ubuntu24.04_all.deb<\/code><\/pre>\n\n\n\n<p>Now to create the database; they provide scripts to create the schema, which saves a whole lot of copy\/pasting.  
So, sign into mysql as root, create the DB, and import the schema.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cweb@thecweb:\/media\/store\/mysql$ sudo mysql -u root\nWelcome to the MySQL monitor.  Commands end with ; or \\g.\nYour MySQL connection id is 3362\nServer version: 8.0.39-0ubuntu0.24.04.2 (Ubuntu)\n\nCopyright (c) 2000, 2024, Oracle and\/or its affiliates.\n\nOracle is a registered trademark of Oracle Corporation and\/or its\naffiliates. Other names may be trademarks of their respective\nowners.\n\nType 'help;' or '\\h' for help. Type '\\c' to clear the current input statement.\n\nmysql&gt; <strong>CREATE DATABASE guacamole_db;<\/strong>\nQuery OK, 1 row affected (0.01 sec)\n\nmysql&gt; show databases;\n+--------------------+\n| Database           |\n+--------------------+\n| cwOLzion           |\n| <strong>guacamole_db <\/strong>      |\n| information_schema |\n| mysql              |\n| performance_schema |\n| sys                |\n| wordpress          |\n+--------------------+\n7 rows in set (0.00 sec)\n\nmysql&gt; quit\nBye\ncweb@thecweb:\/media\/store\/mysql$ cat schema\/*.sql | sudo mysql -u root guacamole_db\ncweb@thecweb:\/media\/store\/mysql$<\/code><\/pre>\n\n\n\n<p>Create the DB user.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cweb@thecweb:\/media\/store\/mysql$ sudo mysql -u root\nWelcome to the MySQL monitor.  Commands end with ; or \\g.\nYour MySQL connection id is 3371\nServer version: 8.0.39-0ubuntu0.24.04.2 (Ubuntu)\n\nCopyright (c) 2000, 2024, Oracle and\/or its affiliates.\n\nOracle is a registered trademark of Oracle Corporation and\/or its\naffiliates. Other names may be trademarks of their respective\nowners.\n\nType 'help;' or '\\h' for help. 
Type '\\c' to clear the current input statement.\n\nmysql&gt; <strong>CREATE USER 'guacamole_user'@'localhost' IDENTIFIED BY '****';<\/strong>\nQuery OK, 0 rows affected (0.02 sec)\n\nmysql&gt; <strong>GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'localhost';<\/strong>\nQuery OK, 0 rows affected (0.01 sec)\n\nmysql&gt; <strong>FLUSH PRIVILEGES;<\/strong>\nQuery OK, 0 rows affected (0.00 sec)<\/code><\/pre>\n\n\n\n<p>Seems like that went well, so I&#8217;m copying over the JDBC driver and the guac extension.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cweb@thecweb:\/media\/store\/mysql$ <strong>sudo cp guacamole-auth-jdbc-mysql-1.5.5.jar \/etc\/guacamole\/extensions\/<\/strong>\ncweb@thecweb:\/usr\/share\/java$ <strong>sudo mkdir \/etc\/guacamole\/extensions\/lib<\/strong>\ncweb@thecweb:\/usr\/share\/java$ <strong>sudo cp mysql-connector-j-9.1.0.jar \/etc\/guacamole\/extensions\/lib\/<\/strong><\/code><\/pre>\n\n\n\n<p>No surprises there, but I&#8217;m going to heed this warning message about restarting guac, because I&#8217;m at work and I don&#8217;t want to kill my session if I have something configured or installed incorrectly.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"724\" height=\"177\" src=\"https:\/\/thecweb.com\/wp-content\/uploads\/2024\/11\/image.png\" alt=\"\" class=\"wp-image-850\" srcset=\"https:\/\/thecweb.com\/wp-content\/uploads\/2024\/11\/image.png 724w, https:\/\/thecweb.com\/wp-content\/uploads\/2024\/11\/image-300x73.png 300w\" sizes=\"auto, (max-width: 724px) 100vw, 724px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">It&#8217;s config time<\/h2>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"905\" src=\"https:\/\/thecweb.com\/wp-content\/uploads\/2024\/11\/image-1.png\" alt=\"\" class=\"wp-image-851\" style=\"width:403px;height:auto\" srcset=\"https:\/\/thecweb.com\/wp-content\/uploads\/2024\/11\/image-1.png 640w, https:\/\/thecweb.com\/wp-content\/uploads\/2024\/11\/image-1-212x300.png 212w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><figcaption class=\"wp-element-caption\">not sure this really applies since I&#8217;ve been using vi since the late 1900s<\/figcaption><\/figure>\n\n\n\n<p>The basic config is just telling guacd how to connect to the DB, so we just need to specify the DB server, DB, user, and password.  So I create \/etc\/guacamole\/guacamole.properties and add that info.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># MySQL properties\nmysql-hostname: localhost\nmysql-database: guacamole_db\nmysql-username: guacamole_user\nmysql-password: ******<\/code><\/pre>\n\n\n\n<p>And that is it for now.  I need to restart the servlet, which will disconnect me, and if I configured things incorrectly, also prevent me from signing back in.  I&#8217;m going to research cooking a turkey for now, and maybe later I will see if this is working.  I can always poke holes in the firewall for SSH, and forward port 22, but I&#8217;d rather not, just because of the immediate hacking attacks that will likely ensue.  <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Part 2<\/h2>\n\n\n\n<p>Ok, I got bored with reddit so I poked some holes for SSH and restarted everything, and it came back up fine.  Looking at \/var\/log\/auth.log, I was a little surprised to find my paranoia was unfounded and I didn&#8217;t see a single authentication attempt during the five minutes my stupid little SSH server was accessible from the internet.  Though, I guess it&#8217;s pretty unlikely that I would happen to be scanned during that short amount of time.<\/p>\n\n\n\n<p>Now for the bad news&#8230;  I can&#8217;t sign in with the guacadmin account it supposedly created in the DB.  To the log files!<\/p>\n\n\n\n<p>I checked the mysql log first, and found no connection attempts.  
I then checked the tomcat logs and found that the JDBC driver is not loading for some reason.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;2024-11-08 06:41:39] &#91;info] 06:41:39.629 &#91;main] ERROR o.a.g.extension.ProviderFactory - authentication provider extension failed to start: No JDBC driver for MySQL\/MariaDB is installed.<\/code><\/pre>\n\n\n\n<p>So I first go to check permissions on the file and realize that I copied the jar file to \/etc\/guacamole\/extensions\/lib instead of \/etc\/guacamole\/lib, so I fix that and restart everything again. <\/p>\n\n\n\n<p>And it works!  I had to recreate my user account and all the connections, but it was a lot easier with the admin GUI.  <\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"718\" height=\"311\" src=\"https:\/\/thecweb.com\/wp-content\/uploads\/2024\/11\/image-2.png\" alt=\"\" class=\"wp-image-857\" srcset=\"https:\/\/thecweb.com\/wp-content\/uploads\/2024\/11\/image-2.png 718w, https:\/\/thecweb.com\/wp-content\/uploads\/2024\/11\/image-2-300x130.png 300w\" sizes=\"auto, (max-width: 718px) 100vw, 718px\" \/><figcaption class=\"wp-element-caption\"><em>Fancy that!<\/em><\/figcaption><\/figure>\n\n\n\n<p>Taking another break to read about TOTP setup and reddit.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;ve decided, with all the convenience features I&#8217;ve got set up on the computers I remote into, that I should probably attempt to set up TOTP on the site to improve the security of the system. The password and username I use haven&#8217;t been involved in any leaks that I know of, and both are unique to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":857,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[17,14,15],"class_list":["post-849","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-guacamole","tag-linux","tag-ubuntu"],"_links":{"self":[{"href":"https:\/\/thecweb.com\/index.php\/wp-json\/wp\/v2\/posts\/849","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thecweb.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thecweb.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thecweb.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thecweb.com\/index.php\/wp-json\/wp\/v2\/comments?post=849"}],"version-history":[{"count":4,"href":"https:\/\/thecweb.com\/index.php\/wp-json\/wp\/v2\/posts\/849\/revisions"}],"predecessor-version":[{"id":858,"href":"https:\/\/thecweb.com\/index.php\/wp-json\/wp\/v2\/posts\/849\/revisions\/858"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thecweb.com\/index.php\/wp-json\/wp\/v2\/media\/857"}],"wp:attachment":[{"href":"https:\/\/thecweb.com\/index.php\/wp-json\/wp\/v2\/media?parent=849"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thecweb.com\/index.php\/wp-json\/wp\/v2\/categories?post=849"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thecweb.com\/index.php\/wp-json\/wp\/v2\/tags?post=849"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}