[ https://issues.apache.org/jira/browse/GUACAMOLE-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16307549#comment-16307549 ]
David Bonnes edited comment on GUACAMOLE-96 at 1/1/18 8:36 PM:
---------------------------------------------------------------

This is fantastic, thanks!

It worked for me, on the first attempt, using MySQL and Authenticator Plus ([https://play.google.com/store/apps/details?id=com.mufri.authenticatorplus&hl=en_GB]).

If anyone is interested, my setup consists of four Ubuntu-based LXC containers (nginx, tomcat/guac-client, guac-daemon, and mysql); all I did was replace the old tomcat LXC with a new one, and added a separate Guacamole DB on the MySQL server.

Let me know if I can help with any testing.

> Two factor authentication with Google Authenticator
> ---------------------------------------------------
>
>                 Key: GUACAMOLE-96
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-96
>             Project: Guacamole
>          Issue Type: New Feature
>          Components: guacamole-client
>            Reporter: L.J. van Ruiten
>            Assignee: Michael Jumper
>            Priority: Trivial
>         Attachments: guacamole-auth-totp-01-enroll-01-details-hidden.png,
> guacamole-auth-totp-01-enroll-02-details-shown.png,
> guacamole-auth-totp-01-enroll.png, guacamole-auth-totp-02-verify.png
>
>
> We have a few critical systems that are accessible through Guacamole and we
> have had some clients requesting a safer way to log in. Two factor
> authentication is probably the best and easiest way to improve on the current
> username/password login, and I can imagine that other companies using
> Guacamole would also be interested in this feature.
> I already did some tinkering myself and I found that Google Authenticator is
> simple to use, does not require any configuration (like you would with SMS
> codes), is easy to implement, and the "client" side of the authentication (the
> part that generates the codes) is easily integrated into existing apps.
> So far I have got Google Authenticator "kinda working". What I did is:
> - Started with guacamole-auth-jdbc as base
> - Added a secret key to a user account that is randomly generated upon
> creation. Also added a boolean field to indicate whether TFA is required for
> logging in.
> - Used the GuacamoleInsufficientCredentialsException to redirect the user to
> a second screen asking for a TFA code after logging in with the username and
> password.
> However, as said before, this only "kinda works" because:
> I have only gotten the TFA enable button to appear in the user's managing
> page, so it can only be enabled by administrators, and that's also where I put
> the secret key, so users can't find it themselves.
> As far as I could find, the previous point cannot be done with just the
> guacamole-ext API. Even with the new API that enables you to insert HTML
> parts, you would also need an API endpoint to provide the secret key or
> ideally generate a QR code that Google Authenticator can read to bind a
> device to the account (I would like it to appear in the user's preference
> page).
> So in summary, if other people are interested I would be willing to contribute
> this, but I would need some directions and I have a few questions:
> - Am I right that it is currently not possible to add an API endpoint just
> using guacamole-ext to provide the QR codes?
> - What would be the way to implement this? Personally I thought that adding
> these options to the user's page would be the easiest.
> - Is this a feature you would like me to work on and contribute?

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
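
The enrollment and verification flow the issue describes (a random per-user secret, a QR code that binds an authenticator app to the account, a second prompt for the code) can be shown in a few functions. This is an added example, not part of the original message and not Guacamole's code; the function names, the issuer string and the replay check against the last accepted time step are assumptions of this example.

```python
import base64, hashlib, hmac, secrets, struct, time
from urllib.parse import quote, urlencode

STEP = 30    # seconds per time step (RFC 6238 default, what authenticator apps assume)
DIGITS = 6   # code length shown by the app

def new_secret(nbytes=20):
    """Random per-user secret from a CSPRNG, Base32-encoded for authenticator apps."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")

def enrollment_uri(secret_b32, username, issuer="Example Guacamole"):
    """otpauth:// URI to render as the enrollment QR code (issuer is hypothetical)."""
    label = quote(f"{issuer}:{username}")
    params = urlencode({"secret": secret_b32.rstrip("="), "issuer": issuer,
                        "algorithm": "SHA1", "digits": DIGITS, "period": STEP}, quote_via=quote)
    return f"otpauth://totp/{label}?{params}"

def totp(secret_b32, counter):
    """HOTP value (RFC 4226) for one time-step counter, zero-padded to DIGITS."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32, submitted, last_used_counter, now=None, window=1):
    """Return the matched time-step counter, or None if the code is wrong or replayed."""
    current = int((time.time() if now is None else now) // STEP)
    matched = None
    for counter in range(current - window, current + window + 1):  # tolerate clock skew
        ok = hmac.compare_digest(totp(secret_b32, counter).encode(), submitted.encode())
        if ok and counter > last_used_counter:                 # each step is accepted once
            matched = counter
    return matched
```

The caller stores the returned counter with the user record and passes it back as `last_used_counter` on the next login, so a code observed in transit cannot be replayed within its validity window.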