Posted to dev@guacamole.apache.org by Laurens van Ruiten <l....@gmail.com> on 2016/08/17 12:09:40 UTC

Extending guacamole-auth-jdbc with two factor authentication

Hello all,

Not sure if this mailing list is the right place to ask this question, but
I have been working on extending guacamole-auth-jdbc with two factor
authentication (specifically TOTP codes with Google Authenticator) and I am
not sure how to proceed.

First I would like to say that I am really impressed by the guacamole-ext
API. It only took me a few hours to get a basic two factor authentication
working. I started with guacamole-auth-jdbc as base and added two
attributes (tfa-required and tfa-secret-key) to the user model and added
a form part to the modeleduser to configure this in the web interface. I
also added the mappings for the database, the automatic creation of a
secret key for a user and the necessary logic in the
retrieveAuthenticatedUser function that validates an authentication request.

This basically works and you can now enable TFA for a user through the
web interface, and if that is enabled, the Guacamole web interface will ask
for a TOTP code after logging in with password and username. The problem
however is that the

TOTP (time-based one-time password) works with secret keys that both the
user and the server need to have. The client generates a TOTP code based on
the secret key and the current timestamp and the server can later validate
that with the same secret key and derive when the code was generated. A
code is valid if it was generated in the last 30 seconds.

The Google Authenticator app has the option to register a new "account" by
scanning a QR code that encodes a URL in the format of:
otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example

At the moment I manually enter the secret that shows up in a text box in
the options menu, but I would really like to replace this with a QR code.
Is that possible with the extension API? So far I have only found ways to
add parts to forms etc...

Any advice on how to implement this would be really appreciated.

Kind regards,
Lars van Ruiten

P.S.
If this is something that could be interesting for the community I would be
happy to contribute the code.
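An added example, not the author's code and not part of guacamole-auth-jdbc, written in Python rather than the extension's Java so it runs stand-alone: it implements the TOTP generation and validation described in the mail (RFC 4226/6238, HMAC-SHA1) and builds the otpauth URL the QR code must carry. The 30-second step, the one-step drift window either side of "now" and the last-accepted-step replay check are assumptions the mail does not specify; the demo secrets are the RFC 6238 reference secret and the secret from the mail's sample URL.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional
from urllib.parse import quote

STEP_SECONDS = 30  # assumed TOTP time step; authenticator app and server must agree on it

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)

def verify_totp(secret: bytes, candidate: str, unix_time: int,
                last_accepted_step: Optional[int] = None, window: int = 1) -> Optional[int]:
    """Return the time step that produced `candidate`, or None if it is not valid.
    Accepts `window` steps either side of now (clock drift), compares in constant time, and
    rejects any step at or before `last_accepted_step` so an observed code cannot be replayed
    inside the window (the server stores the returned step with the user record)."""
    step_now = unix_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        step = step_now + delta
        if hmac.compare_digest(hotp(secret, step), candidate):
            if last_accepted_step is not None and step <= last_accepted_step:
                return None  # valid code, but already consumed: replay
            return step
    return None

def decode_secret(base32_secret: str) -> bytes:
    """otpauth secrets are unpadded base32; restore padding before decoding."""
    padded = base32_secret.upper() + "=" * (-len(base32_secret) % 8)
    return base64.b32decode(padded)

def otpauth_uri(base32_secret: str, account: str, issuer: str) -> str:
    """Key URI to encode in the QR code; the label is 'issuer:account'."""
    label = quote(f"{issuer}:{account}", safe=":@")
    return f"otpauth://totp/{label}?secret={base32_secret}&issuer={quote(issuer)}"

if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"  # constructed demo: RFC 6238 reference secret
    print(totp(rfc_secret, 59))                    # 287082 (RFC 6238 vector, 6 digits)
    print(verify_totp(rfc_secret, "287082", 89))  # 1: previous step still inside the window
    print(otpauth_uri("JBSWY3DPEHPK3PXP", "alice@google.com", "Example"))
```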