doc/gug/totp-auth.html (296 lines of code) (raw):
<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
<meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>TOTP two-factor authentication — Apache Guacamole Manual v1.5.5</title>
<link rel="stylesheet" href="_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="_static/css/theme.css" type="text/css" />
<link rel="stylesheet" href="_static/tabs.css" type="text/css" />
<link rel="stylesheet" href="_static/gug.css" type="text/css" />
<!--[if lt IE 9]>
<script src="_static/js/html5shiv.min.js"></script>
<![endif]-->
<script src="_static/jquery.js?v=5d32c60e"></script>
<script src="_static/_sphinx_javascript_frameworks_compat.js?v=2cd50e6c"></script>
<script src="_static/documentation_options.js?v=5929fcd5"></script>
<script src="_static/doctools.js?v=888ff710"></script>
<script src="_static/sphinx_highlight.js?v=dc90522c"></script>
<script src="_static/tabs.js?v=3ee01567"></script>
<script src="_static/js/theme.js"></script>
<link rel="index" title="Index" href="genindex.html" />
<link rel="search" title="Search" href="search.html" />
<link rel="next" title="HTTP header authentication" href="header-auth.html" />
<link rel="prev" title="Duo two-factor authentication" href="duo-auth.html" />
</head>
<body class="wy-body-for-nav">
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
<div class="wy-side-scroll">
<div class="wy-side-nav-search" >
<a href="index.html" class="icon icon-home">
Apache Guacamole
</a>
<div class="version">
1.5.5
</div>
<div role="search">
<form id="rtd-search-form" class="wy-form" action="search.html" method="get">
<input type="text" name="q" placeholder="Search docs" aria-label="Search docs" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div><div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="Navigation menu">
<p class="caption" role="heading"><span class="caption-text">Overview</span></p>
<ul>
<li class="toctree-l1"><a class="reference internal" href="introduction.html">Introduction</a></li>
</ul>
<p class="caption" role="heading"><span class="caption-text">User's Guide</span></p>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="guacamole-architecture.html">Implementation and architecture</a></li>
<li class="toctree-l1"><a class="reference internal" href="installing-guacamole.html">Installing Guacamole natively</a></li>
<li class="toctree-l1"><a class="reference internal" href="guacamole-docker.html">Installing Guacamole with Docker</a></li>
<li class="toctree-l1"><a class="reference internal" href="reverse-proxy.html">Proxying Guacamole</a></li>
<li class="toctree-l1"><a class="reference internal" href="configuring-guacamole.html">Configuring Guacamole</a></li>
<li class="toctree-l1"><a class="reference internal" href="jdbc-auth.html">Database authentication</a></li>
<li class="toctree-l1"><a class="reference internal" href="ldap-auth.html">LDAP authentication</a></li>
<li class="toctree-l1"><a class="reference internal" href="vault.html">Retrieving secrets from a vault</a></li>
<li class="toctree-l1"><a class="reference internal" href="duo-auth.html">Duo two-factor authentication</a></li>
<li class="toctree-l1 current"><a class="current reference internal" href="#">TOTP two-factor authentication</a><ul>
<li class="toctree-l2"><a class="reference internal" href="#prerequisites">Prerequisites</a></li>
<li class="toctree-l2"><a class="reference internal" href="#how-totp-works-with-guacamole">How TOTP works with Guacamole</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#enrollment">Enrollment</a></li>
<li class="toctree-l3"><a class="reference internal" href="#reseting-totp-data">Reseting TOTP Data</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#downloading-the-totp-extension">Downloading the TOTP extension</a></li>
<li class="toctree-l2"><a class="reference internal" href="#installing-totp-authentication">Installing TOTP authentication</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#configuring-guacamole-for-totp">Configuring Guacamole for TOTP</a></li>
<li class="toctree-l3"><a class="reference internal" href="#completing-the-installation">Completing the installation</a></li>
</ul>
</li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="header-auth.html">HTTP header authentication</a></li>
<li class="toctree-l1"><a class="reference internal" href="json-auth.html">Encrypted JSON authentication</a></li>
<li class="toctree-l1"><a class="reference internal" href="cas-auth.html">CAS Authentication</a></li>
<li class="toctree-l1"><a class="reference internal" href="openid-auth.html">OpenID Connect Authentication</a></li>
<li class="toctree-l1"><a class="reference internal" href="saml-auth.html">SAML Authentication</a></li>
<li class="toctree-l1"><a class="reference internal" href="radius-auth.html">RADIUS Authentication</a></li>
<li class="toctree-l1"><a class="reference internal" href="adhoc-connections.html">Ad-hoc Connections</a></li>
<li class="toctree-l1"><a class="reference internal" href="using-guacamole.html">Using Guacamole</a></li>
<li class="toctree-l1"><a class="reference internal" href="recording-playback.html">Viewing session recordings in-browser</a></li>
<li class="toctree-l1"><a class="reference internal" href="administration.html">Administration</a></li>
<li class="toctree-l1"><a class="reference internal" href="troubleshooting.html">Troubleshooting</a></li>
</ul>
<p class="caption" role="heading"><span class="caption-text">Developer's Guide</span></p>
<ul>
<li class="toctree-l1"><a class="reference internal" href="guacamole-protocol.html">The Guacamole protocol</a></li>
<li class="toctree-l1"><a class="reference internal" href="libguac.html">libguac</a></li>
<li class="toctree-l1"><a class="reference internal" href="guacamole-common.html">guacamole-common</a></li>
<li class="toctree-l1"><a class="reference internal" href="guacamole-common-js.html">guacamole-common-js</a></li>
<li class="toctree-l1"><a class="reference internal" href="guacamole-ext.html">guacamole-ext</a></li>
<li class="toctree-l1"><a class="reference internal" href="custom-protocols.html">Adding new protocols</a></li>
<li class="toctree-l1"><a class="reference internal" href="custom-auth.html">Custom authentication</a></li>
<li class="toctree-l1"><a class="reference internal" href="event-listeners.html">Event listeners</a></li>
<li class="toctree-l1"><a class="reference internal" href="writing-you-own-guacamole-app.html">Writing your own Guacamole application</a></li>
</ul>
<p class="caption" role="heading"><span class="caption-text">Appendices</span></p>
<ul>
<li class="toctree-l1"><a class="reference internal" href="protocol-reference.html">Guacamole protocol reference</a></li>
</ul>
</div>
</div>
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"><nav class="wy-nav-top" aria-label="Mobile navigation menu" >
<i data-toggle="wy-nav-top" class="fa fa-bars"></i>
<a href="index.html">Apache Guacamole</a>
</nav>
<div class="wy-nav-content">
<div class="rst-content">
<div role="navigation" aria-label="Page navigation">
<ul class="wy-breadcrumbs">
<li><a href="index.html" class="icon icon-home" aria-label="Home"></a></li>
<li class="breadcrumb-item active">TOTP two-factor authentication</li>
<li class="wy-breadcrumbs-aside">
<a href="_sources/totp-auth.md.txt" rel="nofollow"> View page source</a>
</li>
</ul>
<hr/>
</div>
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
<div itemprop="articleBody">
<section id="totp-two-factor-authentication">
<h1>TOTP two-factor authentication<a class="headerlink" href="#totp-two-factor-authentication" title="Link to this heading"></a></h1>
<p>Guacamole supports TOTP as a second authentication factor, layered on top of
any other authentication extension, including those available from the main
project website, providing <a class="reference internal" href="#totp-prerequisites"><span class="std std-ref">base requirements for key storage and
enrollment</span></a> are met. The TOTP authentication extension
allows users to be additionally verified against a user-specific and secret key
generated during <a class="reference internal" href="#totp-enrollment"><span class="std std-ref">enrollment of their authentication device</span></a>.</p>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>This chapter involves modifying the contents of <code class="docutils literal notranslate"><span class="pre">GUACAMOLE_HOME</span></code> - the
Guacamole configuration directory. If you are unsure where <code class="docutils literal notranslate"><span class="pre">GUACAMOLE_HOME</span></code> is
located on your system, please consult <a class="reference internal" href="configuring-guacamole.html"><span class="doc std std-doc">Configuring Guacamole</span></a> before
proceeding.</p>
</div>
<section id="prerequisites">
<span id="totp-prerequisites"></span><h2>Prerequisites<a class="headerlink" href="#prerequisites" title="Link to this heading"></a></h2>
<p>The enrollment process used by Guacamole’s TOTP support needs to be able
to store an automatically-generated key within the user’s account.
Another extension must be installed which supports storage of arbitrary
data from other extensions. <em>Currently the only extensions provided with
Guacamole which support this kind of storage are the <a class="reference internal" href="jdbc-auth.html"><span class="doc std std-doc">database
authentication extensions</span></a>.</em></p>
<p>It is thus recommended that authentication against a database be fully
configured prior to setting up TOTP. Instructions walking through the setup of
database authentication for Guacamole are provided in <a class="reference internal" href="jdbc-auth.html"><span class="doc std std-doc">Database authentication</span></a>.</p>
</section>
<section id="how-totp-works-with-guacamole">
<span id="totp-architecture"></span><h2>How TOTP works with Guacamole<a class="headerlink" href="#how-totp-works-with-guacamole" title="Link to this heading"></a></h2>
<p>Guacamole provides support for TOTP as a second authentication factor. To make
use of the TOTP authentication extension, some other authentication mechanism
will need be configured, as well. When a user attempts to log into Guacamole,
other installed authentication methods will be queried first:</p>
<p><img alt="" src="_images/totp-auth-factor-1.png" /></p>
<p>Only after authentication has succeeded with one of those methods will
Guacamole prompt the user to further verify their identity with an
authentication code:</p>
<p><img alt="" src="_images/totp-auth-factor-2.png" /></p>
<p>If both the initial authentication attempt and verification using TOTP succeed,
the user will be allowed in. If either mechanism fails, access to Guacamole is
denied.</p>
<section id="enrollment">
<span id="totp-enrollment"></span><h3>Enrollment<a class="headerlink" href="#enrollment" title="Link to this heading"></a></h3>
<p>If the user does not yet have a TOTP key associated with their account (they
have not yet completed enrollment), they will be required to enroll an
authentication device after passing the first authentication factor. A QR code
containing an automatically-generated key will be presented to the user to be
scanned by their authentication app or device:</p>
<p><img alt="" src="_images/totp-enroll.png" /></p>
<p>If the authentication device does not support scanning QR codes for enrollment,
the details within the QR code can be revealed by clicking the “Show” link next
to the “Details” header. These values can then be entered manually:</p>
<p><img alt="" src="_images/totp-enroll-detail.png" /></p>
<p>Enrollment is completed once the user enters a valid authentication code
generated by their device using the provided key.</p>
</section>
<section id="reseting-totp-data">
<span id="totp-reset-data"></span><h3>Reseting TOTP Data<a class="headerlink" href="#reseting-totp-data" title="Link to this heading"></a></h3>
<p>It may become necessary for certain users to clear their TOTP key and/or force
them to re-confirm enrollment, such as in situations where a user loses their
phone and needs to reconfigure TOTP. The user’s existing TOTP key can be cleared
by checking the “Clear TOTP secret” box in the user interface and then saving the
user configuration. The next time that the user logs in, they will be given a new
key (QR code) and forced to re-enroll.</p>
<p>If you simply want a user to be able to re-configure an existing key, without
resetting the secret, you can un-check the box marked “TOTP key confirmed” and
save the user configuration, and the user will be presented with the QR code
at next login and asked to confirm it.</p>
<p><img alt="" src="_images/totp-user-config.png" /></p>
</section>
</section>
<section id="downloading-the-totp-extension">
<span id="totp-downloading"></span><h2>Downloading the TOTP extension<a class="headerlink" href="#downloading-the-totp-extension" title="Link to this heading"></a></h2>
<p>The TOTP authentication extension is available separately from the main
<code class="docutils literal notranslate"><span class="pre">guacamole.war</span></code>. The link for this and all other officially-supported and
compatible extensions for a particular version of Guacamole are provided on the
release notes for that version. You can find the release notes for current
versions of Guacamole here: <a class="reference external" href="http://guacamole.apache.org/releases/">http://guacamole.apache.org/releases/</a>.</p>
<p>The TOTP authentication extension is packaged as a <code class="docutils literal notranslate"><span class="pre">.tar.gz</span></code> file containing
only the extension itself, <code class="docutils literal notranslate"><span class="pre">guacamole-auth-totp-1.5.5.jar</span></code>, which must
ultimately be placed in <code class="docutils literal notranslate"><span class="pre">GUACAMOLE_HOME/extensions</span></code>.</p>
</section>
<section id="installing-totp-authentication">
<span id="installing-totp-auth"></span><h2>Installing TOTP authentication<a class="headerlink" href="#installing-totp-authentication" title="Link to this heading"></a></h2>
<p>Guacamole extensions are self-contained <code class="docutils literal notranslate"><span class="pre">.jar</span></code> files which are located within
the <code class="docutils literal notranslate"><span class="pre">GUACAMOLE_HOME/extensions</span></code> directory. To install the TOTP authentication
extension, you must:</p>
<ol class="arabic simple">
<li><p>Create the <code class="docutils literal notranslate"><span class="pre">GUACAMOLE_HOME/extensions</span></code> directory, if it does not already
exist.</p></li>
<li><p>Copy <code class="docutils literal notranslate"><span class="pre">guacamole-auth-totp-1.5.5.jar</span></code> within <code class="docutils literal notranslate"><span class="pre">GUACAMOLE_HOME/extensions</span></code>.</p></li>
<li><p>Configure Guacamole to use TOTP authentication, as described below.</p></li>
</ol>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>You will need to restart Guacamole by restarting your servlet container in
order to complete the installation. Doing this will disconnect all active
users, so be sure that it is safe to do so prior to attempting installation. If
you do not configure the TOTP authentication properly, Guacamole will not start
up again until the configuration is fixed.</p>
</div>
<section id="configuring-guacamole-for-totp">
<span id="guac-totp-config"></span><h3>Configuring Guacamole for TOTP<a class="headerlink" href="#configuring-guacamole-for-totp" title="Link to this heading"></a></h3>
<p>With the exception of <a class="reference internal" href="#totp-prerequisites"><span class="std std-ref">the storage and permission requirements described
above</span></a>, the TOTP extension should work out-of-the-box
without any additional configuration. Defaults have been chosen for all
configuration parameters such that the TOTP extension will be compatible with
Google Authenticator and similar, popular TOTP implementations.</p>
<p>If your intended authentication application or device has different
requirements, or you wish to override the defaults, additional properties may
be specified within <code class="docutils literal notranslate"><span class="pre">guacamole.properties</span></code>:</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">totp-issuer</span></code></dt><dd><p>The human-readable name of the entity issuing user accounts. If not
specified, “Apache Guacamole” will be used by default.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">totp-digits</span></code></dt><dd><p>The number of digits which should be included in each generated TOTP code.
Legal values are 6, 7, or 8. By default, 6-digit codes are generated.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">totp-period</span></code></dt><dd><p>The duration that each generated code should remain valid, in seconds. By
default, each code remains valid for 30 seconds.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">totp-mode</span></code></dt><dd><p>The hash algorithm that should be used to generate TOTP codes. Legal values
are “sha1”, “sha256”, and “sha512”. By default, “sha1” is used.</p>
</dd>
</dl>
</section>
<section id="completing-the-installation">
<span id="completing-totp-install"></span><h3>Completing the installation<a class="headerlink" href="#completing-the-installation" title="Link to this heading"></a></h3>
<p>Guacamole will only reread <code class="docutils literal notranslate"><span class="pre">guacamole.properties</span></code> and load newly-installed
extensions during startup, so your servlet container will need to be restarted
before TOTP authentication will take effect. Restart your servlet container
and give the new authentication a try.</p>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>You only need to restart your servlet container. <em>You do not need to restart
guacd</em>.</p>
<p>guacd is completely independent of the web application and does not deal with
<code class="docutils literal notranslate"><span class="pre">guacamole.properties</span></code> or the authentication system in any way. Since you are
already restarting the servlet container, restarting guacd as well technically
won’t hurt anything, but doing so is completely pointless.</p>
</div>
<p>If Guacamole does not come back online after restarting your servlet container,
check the logs. Problems in the configuration of the TOTP extension may prevent
Guacamole from starting up, and any such errors will be recorded in the logs of
your servlet container.</p>
</section>
</section>
</section>
</div>
</div>
<footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
<a href="duo-auth.html" class="btn btn-neutral float-left" title="Duo two-factor authentication" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
<a href="header-auth.html" class="btn btn-neutral float-right" title="HTTP header authentication" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
</div>
<hr/>
<div role="contentinfo">
<p>Copyright © 2024 <a href="http://www.apache.org/">The Apache Software Foundation</a>,
Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.
Apache Guacamole, Guacamole, Apache, the Apache feather logo, and the Apache Guacamole project logo are
trademarks of The Apache Software Foundation.</p>
</div>
Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a
<a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a>
provided by <a href="https://readthedocs.org">Read the Docs</a>.
</footer>
</div>
</div>
</section>
</div>
<script>
jQuery(function () {
SphinxRtdTheme.Navigation.enable(true);
});
</script>
</body>
</html>