Posted to user@guacamole.apache.org by Bruce Cheng <it...@gmail.com> on 2022/01/03 05:55:24 UTC

about TOTP auth only work with default settings

Hi,

I currently use Apache Guacamole version 1.3.0 with MySQL+LDAP (Active
Directory)+TOTP successfully. I configured TOTP with the following settings in
/etc/guacamole/guacamole.properties:

# TOTP properties
totp-issuer: MYCLOUD
#totp-digits: 8
totp-digits: 6
totp-period: 30
totp-mode: sha256

When I changed the value of totp-digits from 6 to 8 and restarted Tomcat, I
scanned the first QR code via my mobile. My authenticator app only showed 6
digits, not 8 digits. I also saw the web page show "enter the 8-digit
authentication code ....". Of course, it was shown as a failure.

When I remarked those settings (except "totp-issuer"), I could sign on it.

May I know if this is a bug or what kind of settings I should use?

Please advise me and thank you for your help.

-- 
Best Regards,
Bruce

Re: about TOTP auth only work with default settings

Posted by Bruce Cheng <it...@gmail.com>.
Dear Mike,

Thank you for your quick reply. To be honest, I am not sure if my
authenticator app (I use Microsoft Authenticator) supports these settings,
but I have another account (not for Guacamole) in my app that shows 8
digits. Would you please advise me which authenticator apps will support
these settings?

Apache Guacamole is the best one for me to use, thank you for all of your
efforts and nice help. The latest version 1.4.0 seems to be much better and
fixed some little problems I have met before.

Best Wishes,
Bruce

Mike Jumper <mj...@apache.org> wrote on Monday, January 3, 2022 at 2:17 PM:

> On Sun, Jan 2, 2022, 21:55 Bruce Cheng <it...@gmail.com> wrote:
>
>> Hi,
>>
>> I currently use Apache Guacamole version 1.3.0 with MySQL+LDAP (Active
>> Directory)+TOTP successfully. I configured TOTP with the following settings in
>> /etc/guacamole/guacamole.properties:
>>
>> # TOTP properties
>> totp-issuer: MYCLOUD
>> #totp-digits: 8
>> totp-digits: 6
>> totp-period: 30
>> totp-mode: sha256
>>
>> When I changed the value of totp-digits from 6 to 8 and restarted Tomcat, I
>> scanned the first QR code via my mobile. My authenticator app only showed 6
>> digits, not 8 digits. I also saw the web page show "enter the 8-digit
>> authentication code ....". Of course, it was shown as a failure.
>>
>> When I remarked those settings (except "totp-issuer"), I could sign on
>> it.
>>
>> May I know if this is a bug or what kind of settings I should use?
>>
>
> It's not a bug - not all authenticator apps support these settings, and
> some will silently ignore them.
>
> Unless you have confirmed that your authenticator app supports these
> settings, the correct settings to use on the Guacamole side are the
> defaults.
>
> - Mike
>
>

Re: about TOTP auth only work with default settings

Posted by Mike Jumper <mj...@apache.org>.
On Sun, Jan 2, 2022, 21:55 Bruce Cheng <it...@gmail.com> wrote:

> Hi,
>
> I currently use Apache Guacamole version 1.3.0 with MySQL+LDAP (Active
> Directory)+TOTP successfully. I configured TOTP with the following settings in
> /etc/guacamole/guacamole.properties:
>
> # TOTP properties
> totp-issuer: MYCLOUD
> #totp-digits: 8
> totp-digits: 6
> totp-period: 30
> totp-mode: sha256
>
> When I changed the value of totp-digits from 6 to 8 and restarted Tomcat, I
> scanned the first QR code via my mobile. My authenticator app only showed 6
> digits, not 8 digits. I also saw the web page show "enter the 8-digit
> authentication code ....". Of course, it was shown as a failure.
>
> When I remarked those settings (except "totp-issuer"), I could sign on
> it.
>
> May I know if this is a bug or what kind of settings I should use?
>

It's not a bug - not all authenticator apps support these settings, and
some will silently ignore them.

Unless you have confirmed that your authenticator app supports these
settings, the correct settings to use on the Guacamole side are the
defaults.

- Mike
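
The mismatch described in this thread, as an added example that is not part of the original messages and is not Guacamole's own code: a server configured for 8 digits / sha256 rejects the code from an app that silently ignores the parameters in the enrollment QR code. It assumes such an app falls back to the otpauth key-URI defaults (SHA1, 6 digits, 30 seconds); the key, timestamp and user name are constructed sample values (the key and timestamp are the RFC 6238 test vector).

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlencode, urlparse, parse_qs

DEFAULTS = {"algorithm": "SHA1", "digits": "6", "period": "30"}  # key-URI defaults

def totp(key, at, digits, period, algorithm):
    """RFC 6238 code for raw key bytes at Unix time `at`."""
    counter = struct.pack(">Q", int(at) // period)
    mac = hmac.new(key, counter, getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def enrollment_uri(key, issuer, user, digits, period, algorithm):
    """otpauth:// URI of the kind encoded in an enrollment QR code."""
    params = {"secret": base64.b32encode(key).decode().rstrip("="),
              "issuer": issuer, "algorithm": algorithm.upper(),
              "digits": digits, "period": period}
    return f"otpauth://totp/{issuer}:{user}?{urlencode(params)}"

def app_code(uri, at, honors_params):
    """Code shown by an app that either honors or ignores the URI parameters."""
    q = {k: v[0] for k, v in parse_qs(urlparse(uri).query).items()}
    p = {k: (q.get(k, d) if honors_params else d) for k, d in DEFAULTS.items()}
    secret = q["secret"] + "=" * (-len(q["secret"]) % 8)   # restore base32 padding
    return totp(base64.b32decode(secret), at,
                int(p["digits"]), int(p["period"]), p["algorithm"])

def server_accepts(key, code, at, digits, period, algorithm):
    """Server-side check using the server's configured parameters."""
    return hmac.compare_digest(code, totp(key, at, digits, period, algorithm))

# Constructed sample: RFC 6238 test key and timestamp, server set to 8 digits / sha256.
KEY, NOW = b"12345678901234567890123456789012", 59
SERVER = dict(digits=8, period=30, algorithm="sha256")
URI = enrollment_uri(KEY, "MYCLOUD", "bruce", **SERVER)  # "bruce" is a placeholder user

if __name__ == "__main__":
    for honors in (True, False):
        code = app_code(URI, NOW, honors)
        print(f"honors_params={honors} code={code} "
              f"accepted={server_accepts(KEY, code, NOW, **SERVER)}")
```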