"without Complications"  hmmm  not that I am aware of :)
But the QR code is not the only option. There is a Details section that 
you can expand and just save those #s. They will work in ANY TOTP 
software, and if the phone/device dies you can just retype them. But you 
are bypassing 1 aspect of security here by keeping the code....


I had a previous post about resetting TOTP (without deleting the user); you 
can try some of these scripts (but I am assuming you use a MySQL database 
in this case), and you know how to get into the database via a command of
>mysql -u root -p guacamole_db

2 things.
1. The TOTP only gets turned on if the user has 'change password' 
permission, so if you make a new user, it will never activate.
2. You can reset the TOTP if you go through the trouble of removing the 
extra parameters it adds. See below if you feel comfortable playing with 
the database.

Below I am only resetting it to prompt for scan, not removing it totally, 
though, so the rescan I suspect will be the same code #s. To perhaps get 
rid of all TOTP you'd need to set the user as NOT able to change their 
password and then just delete the two fields for the attributes:
+---------+-------------------------+-----------------------------------------+
| user_id | attribute_name          | attribute_value                         |
+---------+-------------------------+-----------------------------------------+
|       2 | guac-totp-key-confirmed | true                                    |
|       2 | guac-totp-key-secret    | 123123123123123123123123123123123123123 |
+---------+-------------------------+-----------------------------------------+



>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
1) - Find out the user_id of the person in question. Since I guess I don't 
have 10000 users this seems ok. It's a report that shows the name and user 
id along with whether they are disabled and whether they have enrolled yet or never 
even tried (NULL). This is good to know if a bunch of users have not 
bothered yet, as until they enroll the account is open to hack. (forgive 
the messy MySQL) 

select t1.name, t2.user_id, t3.attribute_name, t3.attribute_value, 
t2.disabled 
from guacamole_entity t1, guacamole_user t2 left join 
 guacamole_user_attribute t3 on t2.user_id=t3.user_id 
where t1.entity_id=t2.entity_id and ( 
t3.attribute_name="guac-totp-key-confirmed" or t3.attribute_name IS NULL 
); 


2) - Update the Confirmed parameter so it prompts again. Not sure if this 
is the best way; maybe it still means their 'codes' will be the same as 
before. It's probably best to also erase the secret key part, but I don't do 
that here yet. 

update guacamole_user_attribute set attribute_value='false' where 
attribute_name='guac-totp-key-confirmed' and user_id=2; 

--and that should end up with 1 row only changed! 
"" 
Query OK, 1 row affected (0.03 sec) 
Rows matched: 1  Changed: 1  Warnings: 0 
"" 

and I guess you could do this before and after to see the changes... 

select * from guacamole_user_attribute where user_id=2; 

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>



/danielm
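The report and reset steps above, as an added example that is not part of the thread and not Guacamole's own code. It runs against an in-memory SQLite copy of the three tables (a constructed, cut-down schema with only the columns the queries above use; the real Guacamole MySQL schema has more), with constructed sample users and dummy secrets. Two things it shows beyond the queries in the message: the "never enrolled" condition is placed in the LEFT JOIN's ON clause rather than the WHERE, so a user whose only attribute row belongs to some other extension still appears in the report instead of being filtered out; and the reset comes in two forms, the confirmed-flag flip from the message (the stored secret survives, so the re-shown QR code encodes the same key) and the "delete both attribute rows" approach the message mentions for getting rid of the old secret.

```python
import sqlite3

# Constructed, simplified schema mirroring the three Guacamole tables the
# thread touches. Only the columns used by the report/reset queries exist here.
SCHEMA = """
CREATE TABLE guacamole_entity (
    entity_id INTEGER PRIMARY KEY,
    name      TEXT NOT NULL,
    type      TEXT NOT NULL
);
CREATE TABLE guacamole_user (
    user_id   INTEGER PRIMARY KEY,
    entity_id INTEGER NOT NULL REFERENCES guacamole_entity(entity_id),
    disabled  INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE guacamole_user_attribute (
    user_id         INTEGER NOT NULL REFERENCES guacamole_user(user_id),
    attribute_name  TEXT NOT NULL,
    attribute_value TEXT,
    PRIMARY KEY (user_id, attribute_name)
);
"""

# Constructed sample data: guacadmin enrolled, alice never enrolled (only an
# unrelated attribute row), bob enrolled and later disabled. Secrets are dummies.
SAMPLE = """
INSERT INTO guacamole_entity VALUES (1, 'guacadmin', 'USER'),
                                    (2, 'alice',     'USER'),
                                    (3, 'bob',       'USER');
INSERT INTO guacamole_user VALUES (1, 1, 0), (2, 2, 0), (3, 3, 1);
INSERT INTO guacamole_user_attribute VALUES
    (1, 'guac-totp-key-confirmed', 'true'),
    (1, 'guac-totp-key-secret',    'DUMMY-SECRET-NOT-REAL-1'),
    (2, 'some-other-extension-attribute', 'x'),
    (3, 'guac-totp-key-confirmed', 'true'),
    (3, 'guac-totp-key-secret',    'DUMMY-SECRET-NOT-REAL-2');
"""

# The enrollment filter lives in the ON clause: a LEFT JOIN then yields exactly
# one row per user, with confirmed = NULL for anyone who never enrolled.
REPORT_SQL = """
SELECT e.name, u.user_id, u.disabled, a.attribute_value AS confirmed
FROM guacamole_entity e
JOIN guacamole_user u ON u.entity_id = e.entity_id
LEFT JOIN guacamole_user_attribute a
       ON a.user_id = u.user_id
      AND a.attribute_name = 'guac-totp-key-confirmed'
ORDER BY u.user_id
"""


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn


def enrollment_report(conn):
    """One tuple per user: (name, user_id, disabled, confirmed); confirmed is
    'true', 'false' or None when the user never enrolled."""
    return [tuple(row) for row in conn.execute(REPORT_SQL)]


def unenrolled_active_users(conn):
    """Enabled accounts that have not completed TOTP enrollment yet."""
    return [name for name, _uid, disabled, confirmed in enrollment_report(conn)
            if not disabled and confirmed != "true"]


def totp_attributes(conn, user_id):
    """Before/after view of a user's TOTP rows, as a {name: value} dict."""
    rows = conn.execute(
        "SELECT attribute_name, attribute_value FROM guacamole_user_attribute "
        "WHERE user_id = ? AND attribute_name LIKE 'guac-totp-%' "
        "ORDER BY attribute_name", (user_id,))
    return dict(rows)


def reset_totp(conn, user_id, forget_secret):
    """Make Guacamole prompt the user to enroll again.

    forget_secret=False: flip the confirmed flag only (the thread's approach);
                         the old secret stays, so the re-shown QR encodes it.
    forget_secret=True:  delete both TOTP attribute rows so no old secret survives.
    Returns the number of attribute rows touched (expect 1, 2, or 0 if never enrolled).
    """
    with conn:  # commits on success, rolls back on error
        if forget_secret:
            cur = conn.execute(
                "DELETE FROM guacamole_user_attribute WHERE user_id = ? AND "
                "attribute_name IN ('guac-totp-key-confirmed', 'guac-totp-key-secret')",
                (user_id,))
        else:
            cur = conn.execute(
                "UPDATE guacamole_user_attribute SET attribute_value = 'false' "
                "WHERE user_id = ? AND attribute_name = 'guac-totp-key-confirmed'",
                (user_id,))
    return cur.rowcount


if __name__ == "__main__":
    db = open_sample_db()
    for row in enrollment_report(db):
        print(row)
    print("not yet enrolled:", unenrolled_active_users(db))
    print("before:", totp_attributes(db, 1))
    print("rows changed:", reset_totp(db, 1, forget_secret=False))
    print("after: ", totp_attributes(db, 1))
```

The rowcount check mirrors the "1 row affected" sanity check in the message: a result of 0 means the user never enrolled (there is no row to flip), and anything other than 1 or 2 on a real database means the WHERE clause matched more than intended and the transaction should be rolled back rather than committed.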



From:   "Giorgio" <[email protected]>
To:     [email protected]
Date:   04/03/20 11:45 AM
Subject:        TOTP in Apache Guacamole



Hello,

I wonder if there is a way to enable/disable TOTP on a per-user basis 
without complications.
My experience is a bit complex:
Should TOTP be enabled, all admins on the system should go through the 
authentication (could be logical; however, the risk is high should the QR 
code be lost).
I know that by disabling the TOTP extension we can regain access; however, it is 
still complex to delete and re-create admins again..

As for the users, why should I have to delete the user (that lost his 
authenticator) and recreate him again? Nextcloud, for instance, allows
re-authenticating a user should he change his phone or re-install his 
Google Authenticator.
Maybe someone can shed more light on this for me, please?


I still have one issue I am facing with the drive mapping: is there a way 
to change the name to give it more meaning?
What is a bit strange, the directory name on the Linux machine is correct; 
however, on the RDP it is showing "guacamole". How come?

Best regards
Giorgio
