Nick:

This is two different standalone servers. It's not a Guacamole problem. It's a Google Authenticator problem.

First server: the QR code is saved in Google Authenticator with the name "Apache Guacamole (guacadmin)". Default totp-issuer and user.

Second server: the QR code is saved in Google Authenticator with the same name, overwriting the first one.

Because of this, I have lost the Google Authenticator code for the first server. It's not Guacamole's fault, but if Guacamole added a random number to the QR link, this would never happen.

The first server's QR would be saved as "Apache Guacamole (guacadmin) <random number>" and the second as "Apache Guacamole (guacadmin) <different random>".

The problem is that both servers have the same name, and Google Authenticator overwrites one with the other.

It's a minor problem. I changed the totp-issuer in guacamole.properties and reset my user in the Guacamole database, and that solved it. But a normal user without access to MySQL can't fix it.

From: Nick Couchman [mailto:vn...@apache.org]
Sent: Friday, May 8, 2020 11:39 a.m.
To: user@guacamole.apache.org
Subject: Re: TOTP minimun change?

On Fri, May 8, 2020 at 10:04 AM Neumen - Juan Prigoshin 
<jprigos...@autoneumen.com> wrote:

I have 1 Guacamole up and working without problems. I use TOTP for 2FA with Google Authenticator.
I did not change anything in guacamole.properties for TOTP.
Default values are used. The TOTP works great.

Yesterday, for testing, I installed a VirtualBox VM with another Guacamole.
Same config.

On first login, I scanned the QR with Google Authenticator. It used the same name, "Apache Guacamole(guacadmin)", replacing the first one!

I have now lost access to my first Guacamole.

Hmmmm...it sounds like the two guacamole instances are pointed at the same 
database, and maybe you cleared out the TOTP configuration in the DB for the 
guacadmin user, or overwrote part of the DB configuration?  There's something 
odd going on there, anyway, because you should be able to do one of two things:

- Point the Guacamole install at the same database, and log in with the same 
guacadmin credentials and TOTP configuration.

- Point the Guacamole install at a completely separate database and reconfigure 
from scratch.

 

I know it's not a Guacamole problem per se, but it would be nice to add a serial?/instance?/aleatory? number to the Issuer Name in TOTP.
With this, no two Guacamole instances would ever have the same Issuer Name.

If you're pointing at a different DB, this should never be an issue.  If you're 
pointing at the same DB without removing the old TOTP configuration this also 
should not be an issue.  That said, I could see a potential feature where there 
is support for multiple tokens per user - this is not necessarily an uncommon 
request, so it is something we could consider.  But I don't think it's required 
for you to resolve the issue you're seeing.

 

 

-Nick
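
The name collision discussed in this thread can be checked before users enroll. The sketch below is an added example, not code from the thread or from the Guacamole project: it assumes enrollment QR codes carry an `otpauth://totp/<issuer>:<account>?...&issuer=<issuer>` URI (the Key URI Format) and that the authenticator app names an entry by issuer and account, as reported above. The server names and secrets are constructed.

```python
from collections import defaultdict
from urllib.parse import parse_qs, quote, unquote, urlsplit

def build_uri(issuer, account, secret):
    """Build an otpauth:// enrollment URI (Key URI Format) as shown in a QR code."""
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"

def entry_identity(uri):
    """Return the (issuer, account) pair that names the entry in the app."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    label = unquote(parts.path.lstrip("/"))
    prefix, sep, account = label.partition(":")
    if not sep:                      # label without an issuer prefix
        prefix, account = "", label
    issuer = parse_qs(parts.query).get("issuer", [prefix])[0]
    return issuer.strip(), account.strip()

def find_collisions(enrollments):
    """Map each entry name used by more than one server to those servers."""
    seen = defaultdict(list)
    for server, uri in enrollments.items():
        seen[entry_identity(uri)].append(server)
    return {name: servers for name, servers in seen.items() if len(servers) > 1}

# Constructed sample data: hypothetical server names and made-up secrets.
DEFAULT_ISSUER = {
    "guac-first": build_uri("Apache Guacamole", "guacadmin", "JBSWY3DPEHPK3PXP"),
    "guac-testvm": build_uri("Apache Guacamole", "guacadmin", "KRSXG5CTMVRXEZLU"),
}
DISTINCT_ISSUER = {
    "guac-first": build_uri("Apache Guacamole", "guacadmin", "JBSWY3DPEHPK3PXP"),
    "guac-testvm": build_uri("Guacamole Test VM", "guacadmin", "KRSXG5CTMVRXEZLU"),
}

if __name__ == "__main__":
    print(find_collisions(DEFAULT_ISSUER))
    print(find_collisions(DISTINCT_ISSUER))
```

The second data set corresponds to giving the test VM its own `totp-issuer` value in guacamole.properties before anyone scans a QR code; "Guacamole Test VM" is a made-up issuer string.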
