{"id":12151,"date":"2022-04-09T20:50:59","date_gmt":"2022-04-09T17:50:59","guid":{"rendered":"https:\/\/kifarunix.com\/?p=12151"},"modified":"2024-03-09T11:55:31","modified_gmt":"2024-03-09T08:55:31","slug":"configure-totp-two-factor-authentication-on-apache-guacamole","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/configure-totp-two-factor-authentication-on-apache-guacamole\/","title":{"rendered":"Configure TOTP Two-Factor Authentication on Apache Guacamole"},"content":{"rendered":"\n<p>In this tutorial, you will learn how to configure TOTP two-factor authentication on Apache Guacamole. Time-based One-time Password, TOTP, is a kind of multi-factor authentication which adds an extra layer of authentication on top of the usual username\/password based authentications. This improves the security of your accounts.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#configure-apache-guacamole-totp-two-factor-authentication\">Configure Apache Guacamole TOTP Two-Factor Authentication<\/a><ul><li><a href=\"#install-guacamole-totp-authentication-extension\">Install Guacamole TOTP authentication extension<\/a><\/li><li><a href=\"#configure-apache-guacamole-totp-two-factor-authentication-1\">Configure Apache Guacamole TOTP Two-Factor Authentication<\/a><\/li><li><a href=\"#verifying-totp-two-factor-authentication-on-apache-guacamole\">Verifying TOTP Two-Factor Authentication on Apache Guacamole<\/a><\/li><li><a href=\"#guacamole-totp-authentication-enrollment\">Guacamole TOTP Authentication Enrollment<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"configure-apache-guacamole-totp-two-factor-authentication\">Configure Apache Guacamole TOTP Two-Factor Authentication<\/h2>\n\n\n\n<p>Apache Guacamole supports the use of TOTP as a second authentication factor.<\/p>\n\n\n\n<p>You can check out various <a href=\"https:\/\/kifarunix.com\/?s=guacamole\" 
target=\"_blank\" rel=\"noreferrer noopener\">installation guides on our page<\/a>.<\/p>\n\n\n\n<p>To use Guacamole TOTP authentication, you need to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable database-based authentication on Guacamole (we used MySQL\/MariaDB in our setup).<\/li>\n\n\n\n<li>Grant all the users that require TOTP authentication the ability to change their own passwords.<\/li>\n<\/ul>\n\n\n\n<p>You can check our previous guide on how to <a href=\"https:\/\/kifarunix.com\/configure-guacamole-mysql-database-authentication\/\" target=\"_blank\" rel=\"noreferrer noopener\">configure Guacamole MySQL Database Authentication<\/a>.<\/p>\n\n\n\n<p>From the user management interface;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1909\" height=\"575\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/guacamole-users-settings.png\" alt=\"Configure TOTP Two-Factor Authentication on Apache Guacamole\" class=\"wp-image-12192\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/guacamole-users-settings.png?v=1649525913 1909w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/guacamole-users-settings-768x231.png?v=1649525913 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/guacamole-users-settings-1536x463.png?v=1649525913 1536w\" sizes=\"(max-width: 1909px) 100vw, 1909px\" \/><\/figure>\n\n\n\n<p>Click the user and update the permissions so that they can at least <strong>change their own password<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1900\" height=\"718\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/guacamole-user-permissions.png\" alt=\"Configure TOTP Two-Factor Authentication on Apache Guacamole\" class=\"wp-image-12193\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/guacamole-user-permissions.png?v=1649525943 
1900w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/guacamole-user-permissions-768x290.png?v=1649525943 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/guacamole-user-permissions-1536x580.png?v=1649525943 1536w\" sizes=\"(max-width: 1900px) 100vw, 1900px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-guacamole-totp-authentication-extension\">Install Guacamole TOTP authentication extension<\/h3>\n\n\n\n<p>Guacamole doesn&#8217;t ship with the TOTP authentication extension by default. Therefore, you need to download and install the extension.<\/p>\n\n\n\n<p>From the releases page, download the TOTP authentication extension that matches the version of your installed Guacamole server.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>wget https:\/\/dlcdn.apache.org\/guacamole\/1.4.0\/binary\/guacamole-auth-totp-1.4.0.tar.gz<\/code><\/pre>\n\n\n\n<p>Extract the extension and move it to <code>GUACAMOLE_HOME\/extensions<\/code>, which in our setup is <code>\/etc\/guacamole\/extensions\/<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tar -zxf guacamole-auth-totp-1.4.0.tar.gz guacamole-auth-totp-1.4.0\/guacamole-auth-totp-1.4.0.jar<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>mv guacamole-auth-totp-1.4.0\/guacamole-auth-totp-1.4.0.jar \/etc\/guacamole\/extensions\/<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-apache-guacamole-totp-two-factor-authentication-1\">Configure Apache Guacamole TOTP Two-Factor Authentication<\/h3>\n\n\n\n<p>TOTP works out of the box with its default settings. Some of the settings used with TOTP include;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>totp-issuer<\/code>: The human-readable name of the entity issuing user accounts. If not specified, \u201cApache Guacamole\u201d will be used by default.<\/li>\n\n\n\n<li><code>totp-digits<\/code>: The number of digits which should be included in each generated TOTP code. Legal values are 6, 7, or 8. 
By default, 6-digit codes are generated.<\/li>\n\n\n\n<li><code>totp-period<\/code>: The duration that each generated code should remain valid, in seconds. By default, each code remains valid for 30 seconds.<\/li>\n\n\n\n<li><code>totp-mode<\/code>: The hash algorithm that should be used to generate TOTP codes. Legal values are \u201csha1\u201d, \u201csha256\u201d, and \u201csha512\u201d. By default, \u201csha1\u201d is used.<\/li>\n<\/ul>\n\n\n\n<p>If you want, you can update the values in the guacamole.properties configuration file. We go with the defaults in this setup.<\/p>\n\n\n\n<p><strong>Before you update the settings, ensure that the MFA app you are using supports the values you choose for the above settings.<\/strong><\/p>\n\n\n\n<p>If you change a setting and verification fails when you enter the code, review the setting and ensure that the authentication app supports it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"verifying-totp-two-factor-authentication-on-apache-guacamole\">Verifying TOTP Two-Factor Authentication on Apache Guacamole<\/h3>\n\n\n\n<p>Restart your servlet container;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart tomcat9<\/code><\/pre>\n\n\n\n<p>Log in to the Guacamole web interface as any user;<\/p>\n\n\n\n<p>Upon successful login, you will be welcomed by an interface like the one below.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1203\" height=\"916\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/guacamole-totp-authentication.png\" alt=\"\" class=\"wp-image-12194\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/guacamole-totp-authentication.png?v=1649525971 1203w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/guacamole-totp-authentication-768x585.png?v=1649525971 768w\" sizes=\"(max-width: 1203px) 100vw, 1203px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" 
id=\"guacamole-totp-authentication-enrollment\">Guacamole TOTP Authentication Enrollment<\/h3>\n\n\n\n<p>To complete the enrollment process, scan the barcode with the two-factor authentication app on your phone or device.<\/p>\n\n\n\n<p>I am using Duo Mobile, for example;<\/p>\n\n\n\n<p>Once you have scanned the barcode, enter the 6-digit authentication code and click <strong>Continue<\/strong> to log in to the Guacamole dashboard.<\/p>\n\n\n\n<p>On subsequent logins, you are always prompted to enter the code;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1009\" height=\"509\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/guacamole-totp-authentication_login.png\" alt=\"Configure TOTP Two-Factor Authentication on Apache Guacamole\" class=\"wp-image-12195\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/guacamole-totp-authentication_login.png?v=1649526040 1009w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/guacamole-totp-authentication_login-768x387.png?v=1649526040 768w\" sizes=\"(max-width: 1009px) 100vw, 1009px\" \/><\/figure>\n\n\n\n<p>As an admin, you can reset the user&#8217;s TOTP secret as well as confirm or disable TOTP login. 
See such user settings below;<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/configure-guacamole-user-totp.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1567\" height=\"511\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/configure-guacamole-user-totp.png\" alt=\"\" class=\"wp-image-12196\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/configure-guacamole-user-totp.png?v=1649526329 1567w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/configure-guacamole-user-totp-768x250.png?v=1649526329 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/configure-guacamole-user-totp-1536x501.png?v=1649526329 1536w\" sizes=\"(max-width: 1567px) 100vw, 1567px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>And there you go. You have learnt how to configure Apache Guacamole TOTP 2FA authentication.<\/p>\n\n\n\n<p>Read more on the <a href=\"https:\/\/guacamole.apache.org\/doc\/gug\/totp-auth.html#\" target=\"_blank\" rel=\"noreferrer noopener\">documentation page<\/a>.<\/p>\n\n\n\n<p>Other Tutorials<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/guacamole-how-to-fix-rdp-server-closed-refused-connection-security-negotiation-failed-wrong-security-type\/\" target=\"_blank\" rel=\"noreferrer noopener\">Guacamole: How to fix RDP server closed\/refused connection: Security negotiation failed (wrong security type?)<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/setup-apache-guacamole-openldap-authentication\/\" target=\"_blank\" rel=\"noreferrer noopener\">Setup Apache Guacamole OpenLDAP Authentication<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to configure TOTP two-factor authentication on Apache Guacamole. 
Time-based One-time Password, TOTP, is a kind of multi-factor authentication<\/p>\n","protected":false},"author":3,"featured_media":12174,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,917,214],"tags":[4845,4847,4848,4846,4844,4849],"class_list":["post-12151","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-guacamole","category-remote-desktop","tag-configure-totp-two-factor-authentication-on-apache-guacamole","tag-guacamole-2fa","tag-guacamole-mfa","tag-guacamole-totp","tag-totp-authentication-extension","tag-totp-extension-guacamole","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12151"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=12151"}],"version-history":[{"count":7,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12151\/revisions"}],"predecessor-version":[{"id":20469,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12151\/revisions\/20469"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/12174"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=12151"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=12151"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=12151"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}