Re: Show TOTP secret in User detail page

2023-11-07 Thread Michael Jumper

On 11/7/2023 3:25 AM, Antoine Besnier wrote:

Hi,

I have a feature request, but before opening a probably useless JIRA 
issue, I'd like to discuss this here.


Let's assume that TOTP is activated and a user wants to change his TOTP 
device, or wants to use different apps, for example one on their phone 
and one on their computer.


In Guacamole, once the TOTP secret has been confirmed, the only way to 
show it again is to go to the database and query it with something like
SELECT * FROM guacamole_user_attribute WHERE 
attribute_name='guac-totp-key-secret' AND user_id = (SELECT user_id 
FROM guacamole_user WHERE entity_id = (SELECT entity_id 
FROM guacamole_entity WHERE name = 'username' AND type = 'USER')); or
SELECT guacamole_user.user_id, guacamole_user.entity_id, name, 
attribute_value FROM 
guacamole_entity, guacamole_user, guacamole_user_attribute WHERE 
guacamole_user_attribute.user_id = guacamole_user.user_id AND 
guacamole_user.entity_id = guacamole_entity.entity_id AND attribute_name 
= 'guac-totp-key-secret' AND name LIKE 'username'; which first, is not 
available to generic users, and two, requires you to know the database schema.


Or to ask an admin to reset the TOTP confirmation, and make sure you 
have all your devices ready when re-enrolling.


Would it be practical to have the option to show the secret key 
somewhere, probably in the Settings > Preference tab, only for the 
currently logged in user of course?


I am an amateur user, and use Guacamole on a home network. What would be 
the larger implications if the secret key could be displayed?


In my opinion, because username/password is something-you-know, and TOTP 
is something-you-have, and because you need both to log in, I don't 
believe being able to see the secret key when you are already logged in 
is a big security issue.




That's certainly true for the process of authenticating, but once that 
process has completed I don't believe the same logic applies.


Consider the process of changing your password within Guacamole. Like 
most other applications that provide username/password auth, we require 
that the user re-prove that they know their current password before 
allowing them to change it (even though they have previously proven their 
identity by authenticating). Doing otherwise would open up the 
possibility of another user coming across an active session on an 
unlocked computer and stealing access to that account.


By that same logic, a user should not be able to retrieve their own TOTP 
secret, as doing so would make it easier for a malicious user to 
opportunistically steal an authorized user's TOTP secret.


If a user doesn't know their current password and still must change it, 
the path forward is to reach out to an admin (or temporarily switch to 
an admin account), as a user with system administration permissions in 
Guacamole can reset other users' passwords as needed.


The same is true for TOTP: if you need your secret, or you need to 
generate an entirely new secret, there are fields in the UI that allow 
the administrator to either force you to re-enroll your device (without 
generating a new secret) or to completely clear and regenerate the secret.


- Mike

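As an added illustration of the rule Mike describes (example code written for this thread, not Guacamole's own): the same "re-prove your current password first" gate that guards a password change can guard retrieval of a TOTP secret. The proof validity window and the one-proof-per-action rule are assumptions of the example.

```python
import hashlib
import hmac
import os
import time

# Constructed example, not Guacamole code: a step-up gate that requires the
# already-logged-in user to re-enter their current password before any
# sensitive account action, so a found unlocked session alone is not enough.

REPROOF_WINDOW_SECONDS = 300  # assumption: how long one re-proof stays valid


class ReauthenticationRequired(Exception):
    """Raised when the action needs a fresh proof of the current password."""


class Account:
    def __init__(self, username, password, totp_secret):
        self.username = username
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(password, self._salt)
        self._totp_secret = totp_secret  # the "something you have" factor
        self._last_reproof = None        # monotonic time of last re-proof

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def reprove_password(self, password):
        """Step-up check: the logged-in user types their current password."""
        candidate = self._hash(password, self._salt)
        if not hmac.compare_digest(candidate, self._pw_hash):
            return False
        self._last_reproof = time.monotonic()
        return True

    def _require_fresh_reproof(self, now):
        if self._last_reproof is None or now - self._last_reproof > REPROOF_WINDOW_SECONDS:
            raise ReauthenticationRequired("re-enter your current password")
        self._last_reproof = None  # assumption: one proof covers one action

    def change_password(self, new_password, now=None):
        self._require_fresh_reproof(time.monotonic() if now is None else now)
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(new_password, self._salt)

    def reveal_totp_secret(self, now=None):
        # Same gate as change_password: showing the secret turns the
        # "have" factor into a "know" factor, so it must not be cheaper.
        self._require_fresh_reproof(time.monotonic() if now is None else now)
        return self._totp_secret
```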



Show TOTP secret in User detail page

2023-11-07 Thread Antoine Besnier
Hi, 
I have a feature request, but before opening a probably useless JIRA issue, I'd 
like to discuss this here.
Let's assume that TOTP is activated and a user wants to change his TOTP 
device, or wants to use different apps, for example one on their phone and one 
on their computer.
In Guacamole, once the TOTP secret has been confirmed, the only way to show it 
again is to go to the database and query it with something like SELECT * FROM 
guacamole_user_attribute WHERE attribute_name='guac-totp-key-secret' AND 
user_id = (SELECT user_id FROM guacamole_user WHERE entity_id = (SELECT 
entity_id FROM guacamole_entity WHERE name = 'username' AND type = 'USER')); 
or SELECT guacamole_user.user_id, guacamole_user.entity_id, 
name, attribute_value FROM 
guacamole_entity, guacamole_user, guacamole_user_attribute WHERE 
guacamole_user_attribute.user_id = guacamole_user.user_id AND 
guacamole_user.entity_id = guacamole_entity.entity_id AND attribute_name = 
'guac-totp-key-secret' AND name LIKE 'username'; which first, is not available to 
generic users, and two, requires you to know the database schema.
Or to ask an admin to reset the TOTP confirmation, and make sure you have all 
your devices ready when re-enrolling.
Would it be practical to have the option to show the secret key somewhere, 
probably in the Settings > Preference tab, only for the currently logged in 
user of course?
I am an amateur user, and use Guacamole on a home network. What would be the 
larger implications if the secret key could be displayed?

In my opinion, because username/password is something-you-know, and TOTP is 
something-you-have, and because you need both to log in, I don't believe being 
able to see the secret key when you are already logged in is a big security issue.
Looking forward to reading your ideas.
Thank you
Antoine