[jira] [Commented] (GUACAMOLE-96) Two factor authentication with Google Authenticator

2018-10-14 Thread Nick Couchman (JIRA)


[ https://issues.apache.org/jira/browse/GUACAMOLE-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16649539#comment-16649539 ]

Nick Couchman commented on GUACAMOLE-96:


Documentation merged for this.

> Two factor authentication with Google Authenticator
> ---
>
> Key: GUACAMOLE-96
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-96
> Project: Guacamole
> Issue Type: New Feature
> Components: Documentation, guacamole-client
> Reporter: L.J. van Ruiten
> Assignee: Michael Jumper
> Priority: Major
> Fix For: 1.0.0
>
> Attachments: guacamole-auth-totp-01-enroll-01-details-hidden.png, 
> guacamole-auth-totp-01-enroll-02-details-shown.png, 
> guacamole-auth-totp-01-enroll.png, guacamole-auth-totp-02-verify.png
>
>
> We have a few critical systems that are accessible through Guacamole and we 
> have had some clients requesting a safer way to log in. Two factor 
> authentication is probably the best and easiest way to improve on the current 
> username/password login, and I can imagine that other companies using 
> Guacamole would also be interested in this feature.
> I already did some tinkering myself and I found that Google Authenticator is 
> simple to use, does not require any configuration (like you would with SMS 
> codes), is easy to implement, and the "client" side of the authentication (the 
> part that generates the codes) is easily integrated into existing apps.
> So far I have got Google Authenticator "kinda working". What I did is:
> - Started with guacamole-auth-jdbc as base
> - Added a secret key to a user account that is randomly generated upon 
> creation. Also added a boolean field to indicate whether TFA is required for 
> logging in.
> - Used the GuacamoleInsufficientCredentialsException to redirect the user to 
> a second screen asking for a TFA code after logging in with the username and 
> password.
> However, as said before, this only "kinda works" because:
> I have only gotten the TFA enable button to appear in the user's managing 
> page, so it can only be enabled by administrators, and that's also where 
> the secret key shows up, so users can't find it themselves.
> As far as I could find, the previous point cannot be done with just the 
> guacamole-ext API. Even with the new API that enables you to insert HTML 
> parts, you would also need an API endpoint to provide the secret key or 
> ideally generate a QR code that Google Authenticator can read to bind a 
> device to the account (I would like it to appear in the user's preference 
> page). 
> So in summary, if other people are interested I would be willing to contribute 
> this, but I would need some directions and I have a few questions:
> - Am I right that it is currently not possible to add an API endpoint just 
> using guacamole-ext to provide the QR codes?
> - What would be the way to implement this? Personally I thought that adding 
> these options to the user's page would be the easiest.
> - Is this a feature you would like me to work on and contribute?



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (GUACAMOLE-96) Two factor authentication with Google Authenticator

2018-10-10 Thread Michael Jumper (JIRA)


[ https://issues.apache.org/jira/browse/GUACAMOLE-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16645625#comment-16645625 ]

Michael Jumper commented on GUACAMOLE-96:

Yup. I'm finishing up the documentation for this, and then for GUACAMOLE-220. 
I'll try to get this particular doc done today.



[jira] [Commented] (GUACAMOLE-96) Two factor authentication with Google Authenticator

2018-10-10 Thread Nick Couchman (JIRA)


[ https://issues.apache.org/jira/browse/GUACAMOLE-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16645610#comment-16645610 ]

Nick Couchman commented on GUACAMOLE-96:


[~mike.jumper] Are you working on documentation for this?  I probably could 
work on it, but I don't have it installed anywhere at the moment.  I can do 
that if it would help - let me know.



[jira] [Commented] (GUACAMOLE-96) Two factor authentication with Google Authenticator

2018-05-30 Thread Todd James (JIRA)


[ https://issues.apache.org/jira/browse/GUACAMOLE-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16495983#comment-16495983 ]

Todd James commented on GUACAMOLE-96:

This seems to be working pretty well, but I'd love to see an additional 
property: a configurable property (say "totp-disable-enrollment") that allows 
the administrator to disable TOTP enrollment via Guacamole. Suppose a user is 
logging into an internet-exposed instance of Guacamole for the first time. They 
will be prompted to enroll in 2FA with TOTP. If the person that logged in is 
not the actual user (phished password, for example), they will still gain 
control of the Guacamole account. This almost defeats the purpose of 2FA for 
first-time users.

I would love to provide my users with an alternative TOTP enrollment method 
(which may tie into other systems, as well as modify the Guacamole database 
with the TOTP secret).

If such an option was to be set to false by the administrator, the user might 
be prompted with a custom message (as a second property, say 
"totp-disable-enrollment-message").

Any thoughts on this? Should I open a separate issue at this point? I'm willing 
to write the code myself, but I'd like to hear whether or not this would be a 
welcomed addition.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
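
The second-factor flow discussed in this thread (a random per-user secret, the otpauth:// URI behind the enrollment QR code, code verification, and the enrollment switch proposed in the comment above), as an added Python example that is not Guacamole's code. The user record, the decision names and the `enrollment_disabled` flag are assumptions, the last modelled on the proposed "totp-disable-enrollment" property.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote, urlencode

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length shown by authenticator apps


def generate_secret(nbytes=20):
    """Random per-user key, Base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(key, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time):
    """RFC 6238 TOTP: HOTP with counter = floor(time / STEP)."""
    key = base64.b32decode(secret_b32, casefold=True)
    return hotp(key, int(unix_time) // STEP)


def otpauth_uri(issuer, account, secret_b32):
    """Key URI that an enrollment page would render as a QR code."""
    label = quote(issuer, safe="") + ":" + quote(account, safe="")
    params = urlencode({"secret": secret_b32.rstrip("="), "issuer": issuer,
                        "algorithm": "SHA1", "digits": DIGITS, "period": STEP},
                       quote_via=quote)
    return "otpauth://totp/" + label + "?" + params


def verify(secret_b32, code, unix_time, last_counter=-1, window=1):
    """Return the time-step counter the code matches, or None.

    Accepts +/- `window` steps of clock drift and refuses any step at or
    before `last_counter`, so a code that was already used cannot be replayed.
    """
    key = base64.b32decode(secret_b32, casefold=True)
    current = int(unix_time) // STEP
    supplied = str(code).encode("utf-8")
    matched = None
    for counter in range(max(0, current - window), current + window + 1):
        if counter <= last_counter:
            continue
        # Constant-time comparison of the expected and supplied codes.
        if hmac.compare_digest(hotp(key, counter).encode("ascii"), supplied):
            matched = counter
    return matched


def second_factor(user, code, unix_time, enrollment_disabled=False):
    """Decide what happens after the password check has already succeeded.

    `user` is a hypothetical record: {"secret", "confirmed", "last_counter"}.
    Returns "ALLOW", "DENY", "ENROLL" or "DENY_ENROLLMENT_DISABLED".
    """
    if not user.get("confirmed"):
        if enrollment_disabled:
            # The password alone must not be enough to bind a new device;
            # the secret has to be provisioned through another channel.
            return "DENY_ENROLLMENT_DISABLED"
        if user.get("secret") is None:
            user["secret"] = generate_secret()
            return "ENROLL"
        if code is None:
            return "ENROLL"
    if code is None:
        return "DENY"
    counter = verify(user["secret"], code, unix_time,
                     user.get("last_counter", -1))
    if counter is None:
        return "DENY" if user.get("confirmed") else "ENROLL"
    user["confirmed"] = True        # enrollment completes on the first valid code
    user["last_counter"] = counter  # remember the step to block replay
    return "ALLOW"
```

With self-enrollment left enabled, an unenrolled account is protected only by its password until the first valid code is entered, which is the gap the comment above describes.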


[jira] [Commented] (GUACAMOLE-96) Two factor authentication with Google Authenticator

2018-02-19 Thread Nick Couchman (JIRA)

[ https://issues.apache.org/jira/browse/GUACAMOLE-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16369182#comment-16369182 ]

Nick Couchman commented on GUACAMOLE-96:


> I realize I am an outsider and really late to this, but, I was wondering if 
> there was any way to make this not reliant on SQL authentication.  I'm using 
> another auth plugin for PAM alongside it.

In theory, this module does not depend on the JDBC module directly.  It depends 
on *some* module being able to store arbitrary attributes and provide them for 
the TOTP module, as required.  In practice, this is only implemented in the 
JDBC module today, but that doesn't mean that it has to be stored there - you'd 
just have to implement some other method for storing them.  The JDBC module 
simply provides the mechanism for storing the information required to link a 
token to a user.

Also, I believe that this module should layer with other modules, such that 
users can be authenticated through one mechanism (e.g. LDAP) and then secondary 
authentication takes place through the TOTP module.  I haven't actually tried 
it myself, but I believe that's the idea behind this module - not to totally 
replace other authentication mechanisms, but to augment them.

> Two factor authentication with Google Authenticator
> ---
>
> Key: GUACAMOLE-96
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-96
> Project: Guacamole
> Issue Type: New Feature
> Components: guacamole-client
> Reporter: L.J. van Ruiten
> Assignee: Michael Jumper
> Priority: Major
> Attachments: guacamole-auth-totp-01-enroll-01-details-hidden.png, 
> guacamole-auth-totp-01-enroll-02-details-shown.png, 
> guacamole-auth-totp-01-enroll.png, guacamole-auth-totp-02-verify.png
>
>


[jira] [Commented] (GUACAMOLE-96) Two factor authentication with Google Authenticator

2018-02-19 Thread Tom (JIRA)

[ https://issues.apache.org/jira/browse/GUACAMOLE-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16369170#comment-16369170 ]

Tom commented on GUACAMOLE-96:

I realize I am an outsider and really late to this, but, I was wondering if 
there was any way to make this not reliant on SQL authentication.  I'm using 
another auth plugin for PAM alongside it.

I was able to make this work along with a PSQL database just fine, but it's 
going to be hard to get people in my organization on board with this.

What exactly is being stored in the database that's not needed in, for example, 
the Duo based one?  Could it be in a flat file somewhere perhaps?



[jira] [Commented] (GUACAMOLE-96) Two factor authentication with Google Authenticator

2018-02-05 Thread Michael Jumper (JIRA)

[ https://issues.apache.org/jira/browse/GUACAMOLE-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16352762#comment-16352762 ]

Michael Jumper commented on GUACAMOLE-96:

This is now merged to master, though further changes are going to be made to 
modify the authentication process such that auth is denied for user accounts 
which cannot enroll for technical reasons (see comments on the PR: 
https://github.com/apache/guacamole-client/pull/247). Documentation remains, as 
well.



[jira] [Commented] (GUACAMOLE-96) Two factor authentication with Google Authenticator

2018-01-12 Thread Michael Jumper (JIRA)

[ https://issues.apache.org/jira/browse/GUACAMOLE-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16324677#comment-16324677 ]

Michael Jumper commented on GUACAMOLE-96:

> I am having similar struggles. It almost works except I get "invalid login" 
> using the guacadmin account. The latest method I have tried is running this 
> script 
> (https://github.com/CountPickering/guac-install/blob/master/guac-install.sh) 
> that was changed to use the totp branch on an ubuntu 16.04 base install ...

[~SuperSherpa55], we can't support arbitrary third-party install scripts. You 
need to follow the official documentation for installation, specifically with 
respect to building guacamole-server and guacamole-client from source. To get 
the latest changes, you will need to build from the referenced git repositories.

https://guacamole.apache.org/doc/gug/installing-guacamole.html

> The error is "WARN o.a.g.e.AuthenticationProviderFacade - Authentication 
> attempt denied because the authentication system could not be loaded."

You need to check your logs to see the error which is preventing the auth 
system from loading. If you're unable to find the issue, I would say just hold 
off for now until things are fully merged, including the necessary 
documentation. You can then just follow the yet-to-be-written TOTP chapter in 
the manual for setting things up.

> Two factor authentication with Google Authenticator
> ---
>
> Key: GUACAMOLE-96
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-96
> Project: Guacamole
> Issue Type: New Feature
> Components: guacamole-client
> Reporter: L.J. van Ruiten
> Assignee: Michael Jumper
> Priority: Trivial
> Attachments: guacamole-auth-totp-01-enroll-01-details-hidden.png, 
> guacamole-auth-totp-01-enroll-02-details-shown.png, 
> guacamole-auth-totp-01-enroll.png, guacamole-auth-totp-02-verify.png
>
>
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Commented] (GUACAMOLE-96) Two factor authentication with Google Authenticator

2018-01-12 Thread SuperSherpa55 (JIRA)

[ https://issues.apache.org/jira/browse/GUACAMOLE-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16324611#comment-16324611 ]

SuperSherpa55 commented on GUACAMOLE-96:

[~danielm2]
I did not experience issues using CentOS 7 or Ubuntu 16.04 when compiling using 
maven.  Maybe you are missing some devel dependencies?

> Two factor authentication with Google Authenticator
> ---
>
> Key: GUACAMOLE-96
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-96
> Project: Guacamole
>  Issue Type: New Feature
>  Components: guacamole-client
>Reporter: L.J. van Ruiten
>Assignee: Michael Jumper
>Priority: Trivial
> Attachments: guacamole-auth-totp-01-enroll-01-details-hidden.png, 
> guacamole-auth-totp-01-enroll-02-details-shown.png, 
> guacamole-auth-totp-01-enroll.png, guacamole-auth-totp-02-verify.png
>
>
> We have a few critical systems that are accessible through Guacamole and we 
> have had some clients requesting a safer way to log in. Two factor 
> authentication is probably the best and easiest way to improve on the current 
> username/password login, and I can imagine that this is something that other 
> companies using Guacamole would also be interested in.
> I already did some tinkering myself and I found that Google Authenticator is 
> simple to use, does not require any configuration (like you would with SMS 
> codes), is easy to implement, and the "client" side of the authentication (the 
> part that generates the codes) is easily integrated into existing apps.
> So far I have got Google Authenticator "kinda working". What I did is:
> - Started with guacamole-auth-jdbc as base
> - Added a secret key to a user account that is randomly generated upon 
> creation. Also added a boolean field to indicate whether TFA is required for 
> logging in.
> - Used the GuacamoleInsufficientCredentialsException to redirect the user to 
> a second screen asking for a TFA code after logging in with the username and 
> password.
> However as said before this only "kinda works" because:
> I have only gotten the TFA enable button to appear in the user's managing 
> page, so it can only be enabled by administrators and that's also where I put 
> the secret key shows up, so users can't find it themselves.
> For as far as I could find the previous point cannot be done with just the 
> guacamole-ext api. Even with the new API that enables you to insert HTML 
> parts, you would also need an API endpoint to provide the secret key or 
> ideally generate a QR code that Google Authenticator can read to bind a 
> device to the account (I would like it to appear in the user's preference 
> page). 
> So in summary if other people are interested I would be willing to contribute 
> this, but I would need some directions and I have a few questions:
> - Am I right that it is currently not possible to add an API endpoint just 
> using guacamole-ext to provide the QR codes?
> - What would be the way to implement this? Personally I thought that adding 
> these options to the user's page would be the easiest.
> - Is this a feature you would like me to work on and contribute?





[jira] [Commented] (GUACAMOLE-96) Two factor authentication with Google Authenticator

2018-01-12 Thread SuperSherpa55 (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16324598#comment-16324598
 ] 

SuperSherpa55 commented on GUACAMOLE-96:


I am having similar struggles.  It almost works except I get "invalid login" 
using the guacadmin account.  After running this script that was changed to use 
the totp branch on an Ubuntu 16.04 base install I get the following errors in 
the catalina.out:

The error is "WARN  o.a.g.e.AuthenticationProviderFacade - Authentication 
attempt denied because the authentication system could not be loaded."

which leads to "WARNING: Method [public void 
org.apache.guacamole.auth.jdbc.connection.ConnectionDirectory.add(org.apache.guacamole.net.auth.Identifiable)
 throws org.apache.guacamole.GuacamoleException] is synthetic and is being 
intercepted by 
[org.mybatis.guice.transactional.TransactionalMethodInterceptor@78f727ef]. This 
could indicate a bug.  The method may be intercepted twice, or may not be 
intercepted at all."

There may be some confusion on which extensions to use.  Do I use both the 
guacamole-auth-jdbc-mysql and guacamole-auth-totp in the extensions 
directories?  Are changes needed to the guacamole.properties file in order to 
use totp?

Another way I have tried is using a known working installation of 0.9.13 and 
separately compiling using the totp repo and then replacing the client 
guacamole.war file in webapps and the guacamole-auth-top.jar into the 
extensions folder, afterwards restarting tomcat and guacd, to no avail: invalid 
login with guacadmin.

Also tried with a working install, stopped guacd and tomcat, then moved the 
compiled client guacamole.war and guacamole-auth-top.jar files over, deleting 
and recreating the guac database and user, re-importing the .sql schemes, and 
then starting the services, also to no avail.  All have the same invalid 
login issue.  Any ideas?



[jira] [Commented] (GUACAMOLE-96) Two factor authentication with Google Authenticator

2018-01-12 Thread Daniel Moscovitch (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16324385#comment-16324385
 ] 

Daniel Moscovitch commented on GUACAMOLE-96:


Thanks.
I'll try to get it built and test it out. I guess just a build of client and 
copy of the .war and extension into a test 0.9.13 system will be OK?

Although so far I'm having errors past 1 point. 
guacamole-auth-jdbc-base .. FAILURE
Is it possible this branch is not compilable anymore? I tried the zip and also 
git clone of the branch and both failed. A simple clone did compile though.



[jira] [Commented] (GUACAMOLE-96) Two factor authentication with Google Authenticator

2018-01-12 Thread Nick Couchman (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16324163#comment-16324163
 ] 

Nick Couchman commented on GUACAMOLE-96:


{quote}
As I'm not quite sure how to go about testing that other fork with the totp, 
although I do have a 2nd test server now updated to 0.9.13 ...
{quote}

Basically just check out the git branch that Mike mentioned above ( 
https://github.com/mike-jumper/guacamole-client/tree/totp-auth-support ) and 
build with Maven.  Instructions are in the manual:

http://guacamole.apache.org/doc/gug/installing-guacamole.html#building-guacamole-client

{quote}
Is there a timeline for what guac release version these additions will be 
merged into?
{quote}

Nothing official, yet.  The changes definitely will not be in 0.9.14, which 
should be released very soon, as that scope is set, but I would imagine, 
barring any major issues during testing, 0.9.15 is a reasonable target.  We 
don't have a release date defined for 0.9.15, yet.



[jira] [Commented] (GUACAMOLE-96) Two factor authentication with Google Authenticator

2018-01-12 Thread Daniel Moscovitch (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16324151#comment-16324151
 ] 

Daniel Moscovitch commented on GUACAMOLE-96:


As I'm not quite sure how to go about testing that other fork with the totp, 
although I do have a 2nd test server now updated to 0.9.13 ...
Is there a timeline for what guac release version these additions will be 
merged into? 



[jira] [Commented] (GUACAMOLE-96) Two factor authentication with Google Authenticator

2018-01-01 Thread David Bonnes (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16307549#comment-16307549
 ] 

David Bonnes commented on GUACAMOLE-96:
---

This is fantastic, thanks!

It worked for me, on the first attempt, using MySQL and Authenticator Plus 
(https://play.google.com/store/apps/details?id=com.mufri.authenticatorplus&hl=en_GB).

If anyone is interested, my setup consists of four Ubuntu-based LXC containers 
(nginx, tomcat/guac-client, guac-daemon, and mysql); all I did was replace the 
old tomcat LXC with a new one, and added a separate Guacamole DB on the MySQL 
server.

Let me know if I can help with any testing.



[jira] [Commented] (GUACAMOLE-96) Two factor authentication with Google Authenticator

2017-12-14 Thread JIRA

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16290753#comment-16290753
 ] 

Jerry Träskelin commented on GUACAMOLE-96:
--

I've now tested the TOTP authentication with LDAP (AD) and it seems to work. I 
did notice one thing, though:

LDAP accounts will only appear in the MySQL database once they've been edited 
in the Guacamole GUI. So the user can log in without their account being in the 
MySQL database, and in that case they will bypass TOTP authentication 
altogether. This is not a huge problem though, as the user will not be able to 
do anything as no connections or anything else has been assigned to them.



[jira] [Commented] (GUACAMOLE-96) Two factor authentication with Google Authenticator

2017-12-10 Thread JIRA

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16285211#comment-16285211
 ] 

Jerry Träskelin commented on GUACAMOLE-96:
--

{quote}I have not explicitly tested this, but it should, yes. The TOTP 
implementation works by augmenting the storage/authorization side of things and 
is independent of the extension providing primary authentication.{quote}

Good to know, I'll try to find some time to test this next week.

{quote}As with configuring whether TOTP is required for a particular user, 
there is no technical reason preventing adding an interface for handling the 
above. I'm avoiding implementing that for now purely in the interest of reduced 
scope.{quote}

Totally understandable, manually altering database attributes is enough for me 
at this time anyways.



[jira] [Commented] (GUACAMOLE-96) Two factor authentication with Google Authenticator

2017-12-09 Thread Michael Jumper (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16285041#comment-16285041
 ] 

Michael Jumper commented on GUACAMOLE-96:
-

{quote}
Does it also work with LDAP when using LDAP together with MySQL (saving 
connection permissions to MySQL)?
{quote}

I have not explicitly tested this, but it should, yes. The TOTP implementation 
works by augmenting the storage/authorization side of things and is independent 
of the extension providing primary authentication.

{quote}
Suppose a user loses their phone. How can I reset their 2FA?
{quote}

You would need to manually delete the {{guac-totp-key-secret}} and 
{{guac-totp-key-confirmed}} attributes for that user from the 
{{guacamole_user_attribute}} table within the database. A new, random key will 
automatically be generated when they next authenticate successfully, and they 
will be prompted to complete enrollment as normal.

As with configuring whether TOTP is required for a particular user, there is no 
technical reason preventing adding an interface for handling the above. I'm 
avoiding implementing that for now purely in the interest of reduced scope.




--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Commented] (GUACAMOLE-96) Two factor authentication with Google Authenticator

2017-12-08 Thread JIRA

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16284242#comment-16284242
 ] 

Jerry Träskelin commented on GUACAMOLE-96:
--

[~mike.jumper] I tested the TOTP authentication and it seems to work great with 
MySQL. Couple of questions though:

- Does it also work with LDAP when using LDAP together with MySQL (saving 
connection permissions to MySQL)?
- Suppose a user loses their phone. How can I reset their 2FA?

Thanks!


[jira] [Commented] (GUACAMOLE-96) Two factor authentication with Google Authenticator

2017-12-05 Thread Michael Jumper (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16278992#comment-16278992
 ] 

Michael Jumper commented on GUACAMOLE-96:
-

{quote}
I can't wait to test that out.
{quote}

If you want to give it a shot prior to merge, the branch containing the TOTP 
support is "totp-auth-support" on my fork of the guacamole-client repository:

https://github.com/mike-jumper/guacamole-client/tree/totp-auth-support

{quote}
I guess it will be mandatory for all users and not just something we can enable 
on a per user basis?
{quote}

For now, yes, and those users will need to have edit permission on themselves 
(the "Change own password" checkbox), or the underlying database auth extension 
will deny permission to perform the enrollment.

There's no technical reason why this can't be made configurable on a per-user 
basis, except that the scope of things needs to be kept minimal. Once TOTP support 
is ready, providing an option to configure that support on a per-user basis 
would be a good feature request.



[jira] [Commented] (GUACAMOLE-96) Two factor authentication with Google Authenticator

2017-12-01 Thread Daniel Moscovitch (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16275026#comment-16275026
 ] 

Daniel Moscovitch commented on GUACAMOLE-96:


Awesome. This will definitely be a major addition to the system which I am sure 
will attract much attention to the project. 
I can't wait to test that out. Hope it's in the next release.
by
{code:java}
When the TOTP extension (and database auth) are installed, users are required 
to enrol an authentication device upon successful login:
{code}
I guess it will be mandatory for all users and not just something we can enable 
on a per user basis?


[jira] [Commented] (GUACAMOLE-96) Two factor authentication with Google Authenticator

2017-11-24 Thread Nick Couchman (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16265510#comment-16265510
 ] 

Nick Couchman commented on GUACAMOLE-96:


{quote}
I'm also going to look into providing a UI element to expose the key details in 
a way they can be manually copied, rather than relying purely on QR codes (not 
all auth devices will have a camera / barcode scanner).
{quote}

Yeah, this would be good - might also be able to allow people to enter/import 
seeds for 2FA, so that people could enter their own, especially if they want to 
use hardware devices.  LinOTP has similar functionality, which vastly improves 
the flexibility of 2FA devices and apps you can use with it.


[jira] [Commented] (GUACAMOLE-96) Two factor authentication with Google Authenticator

2017-11-24 Thread Nick Couchman (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16265509#comment-16265509
 ] 

Nick Couchman commented on GUACAMOLE-96:


Awesome, can't wait.  This is a pretty big win for functionality and security!


[jira] [Commented] (GUACAMOLE-96) Two factor authentication with Google Authenticator

2017-11-24 Thread Michael Jumper (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16265479#comment-16265479
 ] 

Michael Jumper commented on GUACAMOLE-96:
-

Yep. Now that INFRA-15505 is moving forward, I'll wait until after the rename, 
but yep. Very soon.

Considering the size of these changes, I'll split things into:

# The {{decorate()}} API changes
# Support for sanitization/storage of arbitrary attributes (independent of 
{{decorate()}})
# The TOTP extension (depends on both of the above)

At the moment, I've only written the SQL for the arbitrary attribute storage 
for PostgreSQL, so I'll have to make the same changes to the MySQL and SQL 
Server schemas before that's ready. I'm also going to look into providing a UI 
element to expose the key details in a way they can be manually copied, rather 
than relying purely on QR codes (not all auth devices will have a camera / 
barcode scanner).


--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
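
The "key details" mentioned in the comment above, shown both as the text an enrollment QR code encodes and as a key that can be copied by hand or imported, as an added example that is not part of the thread and not Guacamole's code. It follows RFC 6238 / RFC 4226; the function names, the issuer "Guacamole" and the account "alice" are assumptions, and the demo secret is the published RFC 6238 test key.

```python
# Added example (not Guacamole code): TOTP enrollment details and verification.
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote, urlencode


def new_secret(num_bytes=20):
    """Random shared secret; 20 bytes matches the HMAC-SHA1 output size."""
    return secrets.token_bytes(num_bytes)


def manual_key(secret, group=4):
    """Base32 key without padding, grouped so it can be read and typed."""
    key = base64.b32encode(secret).decode("ascii").rstrip("=")
    return " ".join(key[i:i + group] for i in range(0, len(key), group))


def parse_manual_key(text):
    """Accept a typed or imported key: any case, spaces or dashes, no padding."""
    cleaned = "".join(text.split()).replace("-", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def enrollment_uri(secret, issuer, account, digits=6, period=30):
    """Build the otpauth:// URI, which is the text an enrollment QR code holds."""
    label = quote(issuer, safe="") + ":" + quote(account, safe="")
    params = urlencode({
        "secret": manual_key(secret).replace(" ", ""),
        "issuer": issuer,
        "algorithm": "SHA1",
        "digits": digits,
        "period": period,
    })
    return "otpauth://totp/" + label + "?" + params


def totp(secret, at_time, digits=6, period=30):
    """RFC 6238 code for the time step containing at_time (Unix seconds)."""
    counter = int(at_time) // period
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret, code, at_time, last_counter=-1, window=1, period=30):
    """Return the matched time step, or None if the code is rejected.

    window allows for clock drift on the device. The caller stores the
    returned step and passes it back as last_counter, so a code that was
    already accepted cannot be replayed inside the drift window.
    """
    now = int(at_time) // period
    for counter in range(now - window, now + window + 1):
        if counter < 0 or counter <= last_counter:
            continue
        expected = totp(secret, counter * period, period=period)
        # Compare as bytes so non-ASCII input is rejected, not an exception.
        if hmac.compare_digest(expected.encode(), str(code).encode("utf-8")):
            return counter
    return None


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test key, never a real user secret.
    demo = b"12345678901234567890"
    print("QR payload :", enrollment_uri(demo, "Guacamole", "alice"))
    print("Manual key :", manual_key(demo))
    print("Code at t=59:", totp(demo, 59))
    print("Accepted step:", verify(demo, totp(demo, 59), 59))
```
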


[jira] [Commented] (GUACAMOLE-96) Two factor authentication with Google Authenticator

2017-11-23 Thread Nick Couchman (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16264419#comment-16264419
 ] 

Nick Couchman commented on GUACAMOLE-96:


Awesome!  Pull request, soon?! :-)
