On February 14, 2025 12:08:20 AM PST, "Skyrpan, Roman" <[email protected]> wrote:
>Hello everyone,
>I encountered an unexpected issue.
>Apache Guacamole 1.5.5 is installed.
>Authentication is done via LDAP, followed by two-factor authentication using
>TOTP.
>The problem occurs at the two-factor authentication stage when the QR code and
>the associated secret key information are displayed. At the end of the secret
>key, ==== is appended.
>On Android devices, Google Authenticator and other apps work fine, both when
>scanning the QR code and when manually entering the key. However, on Apple
>devices, the same Google Authenticator throws an error when scanning the QR
>code, and when entering the key manually, it generates completely incorrect
>codes for login.
>The only modification made to the guacamole.properties file was adding
>totp-mode sha256.
>After discovering the issue, I tested all available encryption methods and
>digit lengths, as well as regenerated the TOTP secret completely, but nothing
>changed.
>Has anyone encountered this issue before?
>
>Kind regards
>Roman
Google Authenticator does not support any mode but the default (SHA-1). If you change totp-mode, you will not be able to use Google Authenticator. Historically, Google Authenticator has silently ignored the TOTP mode and just assumed SHA-1, resulting in incorrect codes if totp-mode was changed from the default. If you are seeing an error, it sounds like they may have improved that behavior, at least on Apple devices. Simply copying the key manually will omit the hash algorithm and result in incorrect codes. If your TOTP application supports modes beyond SHA-1, it will provide you with a method to input both the key *and* the hash algorithm.

- Mike
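Mike's explanation, worked through as an added example that is not from the thread or from Guacamole itself: an RFC 6238 TOTP routine run once with the algorithm the otpauth URI declares (what the server checks) and once as a client that keeps only the key and assumes SHA-1. The otpauth label and issuer are constructed; the secret is the RFC 6238 32-byte SHA-256 test seed, which, being 32 bytes, Base32-encodes with exactly the ==== padding Roman mentions.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample: the 32-byte RFC 6238 SHA-256 test seed, Base32-encoded.
# Any 32-byte key Base32-encodes to 52 characters followed by "====" padding.
SECRET_B32 = base64.b32encode(b"12345678901234567890123456789012").decode()

# Constructed otpauth URI of the kind a QR code carries; label and issuer are made up.
ENROLL_URI = ("otpauth://totp/Guacamole:roman?secret=" + SECRET_B32.rstrip("=")
              + "&issuer=Guacamole&algorithm=SHA256&digits=8&period=30")


def totp(secret_b32, algorithm="SHA1", digits=6, period=30, timestamp=None):
    """RFC 6238 TOTP for a Base32 secret; '=' padding may be present or stripped."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int((time.time() if timestamp is None else timestamp) // period)
    mac = hmac.new(key, struct.pack(">Q", counter),
                   getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def parse_otpauth(uri):
    """Return (secret, algorithm, digits, period) from an otpauth://totp/ URI."""
    q = parse_qs(urlparse(uri).query)
    return (q["secret"][0], q.get("algorithm", ["SHA1"])[0],
            int(q.get("digits", ["6"])[0]), int(q.get("period", ["30"])[0]))


def server_vs_sha1_only_client(uri, timestamp):
    """Code the server expects vs. the code a client computes when it keeps the
    secret but ignores the algorithm parameter and assumes SHA-1."""
    secret, algorithm, digits, period = parse_otpauth(uri)
    expected = totp(secret, algorithm, digits, period, timestamp)
    sha1_only = totp(secret, "SHA1", digits, period, timestamp)
    return expected, sha1_only


if __name__ == "__main__":
    print("secret as displayed next to the QR code:", SECRET_B32)
    print("server (SHA256) vs SHA-1-only client at T=59:",
          server_vs_sha1_only_client(ENROLL_URI, 59))
```

The two codes differ at every time step, which is exactly what a user sees when the key is typed into an app that only knows SHA-1.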
