GitHub user mike-jumper opened a pull request:
https://github.com/apache/incubator-guacamole-client/pull/94
GUACAMOLE-136: Add support for two-factor authentication using Duo.
This change adds a new extension, guacamole-auth-duo, which implements
two-factor authentication leveraging [Duo](https://duo.com/). They provide
[Java and JavaScript
libraries](https://github.com/duosecurity/duo_java/tree/56570d18a1f98642500e6c1158a3f41e448963ff)
(albeit with some error-handling and lack-of-comments quirks) under a [BSD
3-clause
license](https://github.com/duosecurity/duo_java/blob/56570d18a1f98642500e6c1158a3f41e448963ff/LICENSE).
Neither the Java nor the JavaScript libraries are present in Maven Central,
and Duo has stated that they have no intent to do so (see:
duosecurity/duo_java#1), thus they have been bundled in the source here. The
top-level `LICENSE` has been updated accordingly.
With this extension in place, the overall process is as follows:
1. User logs in via any other installed authentication method.
2. If log in is successful, user is prompted to authenticate with Duo.
3. If Duo verifies the user's identity successfully, the user is allowed
through. The previous authentication result is overridden otherwise.
The extension is configured with four new properties:
Name | Description
--------------------- | -----------
`duo-api-hostname` | The API hostname provided by Duo (generally of the
form: "api-XXXXXXXX.duosecurity.com").
`duo-integration-key` | The 20-character integration key ("ikey") provided
by Duo.
`duo-secret-key` | The 40-character secret key ("skey") provided by
Duo.
`duo-application-key` | An arbitrary application key ("akey", must be *at
least* 40 characters).
The "application key" is expected to be randomly generated by the
administrator when configuring the extension (see [Duo's documentation on the
subject](https://duo.com/docs/duoweb#1.-generate-an-akey)). All other values
are provided by Duo.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/mike-jumper/incubator-guacamole-client
duo-auth
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/incubator-guacamole-client/pull/94.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #94
----
commit 3851a5bbd1e534e7881c884c0f56f28b37178acf
Author: Michael Jumper <[email protected]>
Date: 2016-12-02T05:33:28Z
GUACAMOLE-136: Use hidden submit button for submitting Duo response
(form.submit() inserts query parameters and causes browser navigation, despite
ngSubmit preventing default).
commit b4dea91eccac3718f0da1531d6d8fbf0452f7263
Author: Michael Jumper <[email protected]>
Date: 2016-12-02T05:36:26Z
GUACAMOLE-136: Implement basic support for verifying user identity using
Duo.
commit c19a67a6a883083ad72113554c0c8058f6ec2344
Author: Michael Jumper <[email protected]>
Date: 2016-12-02T08:49:21Z
GUACAMOLE-136: Render Duo field as modal dialog.
commit 616e4718b46a9da3c62117799387fc8da1d572c9
Author: Michael Jumper <[email protected]>
Date: 2016-12-03T00:02:47Z
GUACAMOLE-136: Minify JavaScript and CSS. Add templates to Angular's cache.
commit 1ab7216237b2a6ffdadb0fd3555d2e768270a885
Author: Michael Jumper <[email protected]>
Date: 2016-12-06T03:57:59Z
GUACAMOLE-136: Fix Carlito LICENSE path.
commit ec5d71d5facb6692f97b0fad94c9897b557d9ed2
Author: Michael Jumper <[email protected]>
Date: 2016-12-06T04:04:53Z
GUACAMOLE-136: Add licenses for libraries bundled with guacamole-auth-duo.
commit 32ec9934caacd757f6ec0f19b5aec7c80f86d473
Author: Michael Jumper <[email protected]>
Date: 2016-12-06T04:26:54Z
GUACAMOLE-136: Add Apache RAT plugin to build. Add missing license header
to pom.xml.
commit 23a7f1202b3ce40a4f7a7aa2b1e1a5dc761613ec
Author: Michael Jumper <[email protected]>
Date: 2016-12-06T04:31:03Z
GUACAMOLE-136: Bundle guacamole-auth-duo .jar into .tar.gz, along with
licenses.
----
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
