On 11/7/2023 3:25 AM, Antoine Besnier wrote:
Hi,

I have a feature request, but before opening a probably useless JIRA issue, I'd like to discuss this here.

Let's assume that TOTP is activated and a user wants to change his TOTP device, or wants to use different apps, for example one on their phone and one on their computer.

In Guacamole, once the TOTP secret has been confirmed, the only way to show it again is to go to the database and query it with something like SELECT * FROM guacamole_user_attribute WHERE attribute_name='guac-totp-key-secret' AND user_id = (SELECT entity_id FROM guacamole_entity WHERE name = 'username' AND type ='USER'); or SELECT guacamole_user.user_id, guacamole_user.entity_id, name, attribute_value FROM guacamole_entity,guacamole_user,guacamole_user_attribute WHERE guacamole_user_attribute.user_id = guacamole_user.user_id AND guacamole_user.entity_id = guacamole_entity.entity_id AND attribute_name = 'guac-totp-key-secret' and name like 'username'; which first, is not available to generic users, and two, requires you to know the database schema.

Or to ask an admin to reset the TOTP confirmation, and make sure you have all your devices ready when re-enrolling.

Would it be practical to have the option to show the secret key somewhere, probably in the Settings > Preference tab, only for the currently logged in user of course?

I am an amateur user, and use Guacamole on a home network. What would be the larger implications if the secret key could be displayed?

In my opinion, because username/password is something-you-know, and TOTP is something-you-have, and because you need both to log in, I don't believe being able to see the secret key when you are already logged in is a big security issue.


That's certainly true for the process of authenticating, but once that process has completed I don't believe the same logic applies.

Consider the process of changing your password within Guacamole. Like most other applications that provide username/password auth, we require that the user re-prove that they know their current password before allowing them to change it (even though they have previously proven their identity by authenticating). Doing otherwise would open up the possibility of another user coming across an active session on an unlocked computer and stealing access to that account.

By that same logic, a user should not be able to retrieve their own TOTP secret, as doing so would make it easier for a malicious user to opportunistically steal an authorized user's TOTP secret.

If a user doesn't know their current password and still must change it, the path forward is to reach out to an admin (or temporarily switch to an admin account), as a user with system administration permissions in Guacamole can reset other users' passwords as needed.

The same is true for TOTP: if you need your secret, or you need to generate an entirely new secret, there are fields in the UI that allow the administrator to either force you to re-enroll your device (without generating a new secret) or to completely clear and regenerate the secret.

- Mike
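The policy Mike describes above (re-prove the current password before a sensitive change, never display an enrolled TOTP secret, and route resets through an administrator) as a small worked example. This is added illustration code, not Guacamole's own implementation; the User and Session classes, the in-memory fields and the PBKDF2 parameters are assumptions chosen for the example.

```python
"""Added example (not Guacamole code): gating sensitive account changes
behind re-proof of the current password, keeping the TOTP secret
non-retrievable after enrolment, and leaving resets to administrators.
All class and field names here are assumptions for illustration."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 200_000  # assumed work factor for the example


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class User:
    def __init__(self, name: str, password: str):
        self.name = name
        self.salt, self.pw_hash = hash_password(password)
        # Constructed secret for the example; it is stored, never displayed.
        self.totp_secret = secrets.token_bytes(20)
        self.totp_confirmed = True

    def verify_password(self, candidate: str) -> bool:
        _, digest = hash_password(candidate, self.salt)
        # Constant-time comparison avoids leaking the hash via timing.
        return hmac.compare_digest(digest, self.pw_hash)


class Session:
    """An already-authenticated session; being logged in is the starting point."""

    def __init__(self, user: User, is_admin: bool = False):
        self.user = user
        self.is_admin = is_admin


def change_password(session: Session, current_password: str, new_password: str) -> bool:
    # An authenticated session alone is not enough: someone who finds an
    # unattended, unlocked session must not be able to take over the account.
    if not session.user.verify_password(current_password):
        return False
    session.user.salt, session.user.pw_hash = hash_password(new_password)
    return True


def reveal_totp_secret(session: Session) -> bytes:
    # There is deliberately no code path that returns the enrolled secret,
    # not even to the account owner: disclosure would let an opportunistic
    # user of an open session clone the second factor.
    raise PermissionError("TOTP secret is never displayed after enrolment")


def admin_reset_totp(session: Session, target: User, regenerate: bool) -> None:
    """Administrator-only: force re-enrolment, optionally with a brand-new secret."""
    if not session.is_admin:
        raise PermissionError("system administration permission required")
    if regenerate:
        target.totp_secret = secrets.token_bytes(20)
    target.totp_confirmed = False  # next login must re-enrol the device


if __name__ == "__main__":
    alice = User("alice", "correct horse")
    own = Session(alice)
    print("wrong current password accepted:", change_password(own, "guess", "new"))
    print("right current password accepted:", change_password(own, "correct horse", "new"))
    try:
        reveal_totp_secret(own)
    except PermissionError as exc:
        print("reveal refused:", exc)
```

The two checks worth noting are that `change_password` fails closed on a wrong current password even though the session is already authenticated, and that the only way a secret changes hands is through `admin_reset_totp`, which either forces re-enrolment of the existing secret or replaces it outright, matching the two administrator actions described in the reply.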

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org
