  1. Apache Guacamole - Contributions
  2. GUAC-1634

Selectively fall through to other extensions when authentication fails


    Details

    • Type: Story
    • Status: Done
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: guacamole
    • Labels:
    • Sprint:
      DEV 2018-08-11
    • Story Points:
      3

      Description

      Currently, Guacamole's authentication extensions explicitly fail with exceptions when expectations of upstream servers are not met, such as when the LDAP server goes down or the MySQL / PostgreSQL database becomes unavailable. If this happens, processing of other extensions halts (as any exception aborts the authentication process), and it becomes impossible to log into Guacamole until the problem is resolved.

      While it made sense for LDAP and other extensions to abort authentication entirely back when Guacamole could only use one authentication mechanism at a time, there is no need for this to still be the case. Servers with multiple authentication mechanisms enabled should be able to rely on the remaining mechanisms to succeed if one mechanism goes down.

      Specifically:

      1. Multi-factor authentication extensions (currently Duo and TOTP) should always either 100% work or block authentication entirely (failure of the secondary authentication factor shouldn't result in the removal of that factor, as that would present a security problem).
      2. Normal authentication extensions (LDAP, MySQL, PostgreSQL, etc.) should log failures but otherwise behave as if the extension is not installed, thus allowing other authentication mechanisms to continue working.
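
The two rules above, sketched as an added example that is not Guacamole's own code: every type and name here (`Extension`, `UpstreamException`, `Stub`, `login`) is hypothetical, and the backends are constructed stubs. It assumes an extension signals an upstream outage with an exception and a plain credential mismatch with `false`.

```java
import java.util.List;
import java.util.logging.Logger;

// Illustrative model only: these types are hypothetical, not Guacamole's extension API.
public class AuthFallthroughDemo {
    private static final Logger LOG = Logger.getLogger("auth");
    /** Raised when an extension's backend (LDAP, database, MFA service) is unreachable. */
    static class UpstreamException extends Exception { UpstreamException(String m) { super(m); } }
    interface Extension {
        String name();
        boolean accepts(String user, String secret) throws UpstreamException;
    }

    static boolean login(List<Extension> primaries, List<Extension> secondFactors,
                         String user, String password, String code) {
        boolean identified = false;
        for (Extension ext : primaries) {
            try {
                if (ext.accepts(user, password)) { identified = true; break; }
            } catch (UpstreamException e) {
                // Normal extension: log, then continue as if it were not installed.
                LOG.warning(ext.name() + " unavailable, falling through: " + e.getMessage());
            }
        }
        if (!identified) return false;
        for (Extension mfa : secondFactors) {
            try {
                if (!mfa.accepts(user, code)) return false;
            } catch (UpstreamException e) {
                // MFA extension: an outage must block the login, never drop the factor.
                LOG.severe(mfa.name() + " unavailable, denying login: " + e.getMessage());
                return false;
            }
        }
        return true;
    }

    /** Constructed stand-in for a backend: optionally "down", otherwise checks one secret. */
    record Stub(String name, boolean down, String secret) implements Extension {
        public boolean accepts(String user, String given) throws UpstreamException {
            if (down) throw new UpstreamException("backend unreachable");
            return secret.equals(given);
        }
    }
    public static void main(String[] args) {
        List<Extension> primaries = List.of(new Stub("ldap", true, "pw"), new Stub("mysql", false, "pw"));
        System.out.println(login(primaries, List.of(new Stub("totp", false, "123456")), "alice", "pw", "123456"));
        System.out.println(login(primaries, List.of(new Stub("totp", true, "123456")), "alice", "pw", "123456"));
    }
}
```

With the constructed stubs in `main`, the first login falls through the unavailable LDAP stub to MySQL and succeeds, while the second is denied because the TOTP stub is unavailable.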


              People

              Assignee:
              mike.jumper Michael Jumper
              Reporter:
              mike.jumper Michael Jumper
