Nick Couchman commented on GUACAMOLE-96:

I realize I am an outsider and really late to this, but, I was wondering if 
there was any way to make this not reliant on SQL authentication.  I'm using 
another auth plugin for PAM along side it.

In theory, this module does not depend on the JDBC module directly.  It depends 
on *some* module being able to store arbitrary attributes and provide them for 
the TOTP module, as required.  In practice, this is only implemented in the 
JDBC module today, but that doesn't mean that it has to be stored there - you'd 
just have to implement some other method for storing them.  The JDBC module 
simply provides the mechanism for storing the information required to link a 
token to a user.

Also, I believe that this module should layer with other modules, such that 
users can be authenticated through one mechanism (e.g. LDAP) and then secondary 
authentication takes place through the TOTP module.  I haven't actually tried 
it myself, but I believe that's the idea behind this module - not to totally 
replace other authentication mechanisms, but to augment them.

> Two factor authentication with Google Authenticator
> ---------------------------------------------------
>                 Key: GUACAMOLE-96
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-96
>             Project: Guacamole
>          Issue Type: New Feature
>          Components: guacamole-client
>            Reporter: L.J. van Ruiten
>            Assignee: Michael Jumper
>            Priority: Major
>         Attachments: guacamole-auth-totp-01-enroll-01-details-hidden.png, 
> guacamole-auth-totp-01-enroll-02-details-shown.png, 
> guacamole-auth-totp-01-enroll.png, guacamole-auth-totp-02-verify.png
> We have a few critical systems that are accessible through Guacamole and we 
> have had some clients requesting a safer way to login. Two factor 
> authentication is probably the best and easiest way to improve on the current 
> username/password login, and I can imagine that this is something that other 
> companies using Guacamole would also be interesting in this feature.
> I already did some tinkering myself and I found that Google Auhtenticator is 
> simple to use, does not require any configuration (like you would with SMS 
> codes) easy to implement and the "client" side of the authentication (the 
> part that generates the codes) is easily integrated into existing apps.
> So far I have got Google Authenticator "kinda working". What I did is:
> - Started with guacamole-auth-jdbc as base
> - Added a secret key to a user account that is randomly generated upon 
> creation. Also added a boolean field to indicate wether TFA is required for 
> loggin in.
> - Used the GuacamoleInsufficientCredentialsException to redirect the user the 
> a second screen asking for a TFA code after loggin in with the username and 
> password.
> However as said before this only "kinda works" because:
> I have only gotten the TFA enable button to appear in the user's managing 
> page, so it can only be enabled by administrators and that's also where I put 
> the secret key shows up, so users can't find it themself.
> For as far as I could find the previous point cannot be done with just the 
> guacamole-ext api. Even with the new API that enables you to insert HTML 
> parts, you would also need an API endpoint to provide the secret key or 
> ideally generate a QR code that Google Auhtenticator can read to bind a 
> device to the account (I would like it to appear in the user's preference 
> page). 
> So in summary if other people are interested I would be willing to contribute 
> this, but I would need some directions and I have a few questions:
> - Am I right that it is currently not possible to add an API endpoint just 
> using guacamole-ext to provide the QR codes?
> - What would be the way to implement this? Personally I thought that adding 
> these options to the user's page would be the easiest.
> - Is this a feature you would like me to work on and contribute?

This message was sent by Atlassian JIRA

Reply via email to