You can add totp-auth to your Guacamole login process. You can use any TOTP App like „Google Authenticator“ or „OTP Auth“ to add a two-factor authentication to Guacamole.
First download and install the totp-auth plugin:
cd /usr/src/ wget http://apache.mirror.digionline.de/guacamole/1.0.0/binary/guacamole-auth-totp-1.0.0.tar.gz tar xvzf guacamole-auth-totp-1.0.0.tar.gz cp /usr/src/guacamole-auth-totp-1.0.0/guacamole-auth-totp-1.0.0.jar /etc/guacamole/extensions/
Now configurate ‚/etc/guacamole/guacamole.properties‘ with your favorite editor and add the following line:
totp-issuer: My Guacamule TOTP
Change the value to your prefered name.
Now restart tomcat and test it:
systemctl restart tomcat9
After login (with an admin user!) you should see this:
Now scan the QR-Code with your mobile phone.
This only works currently for admin users. Because each user needs the privilege to change his own password. You can change this setting for users in the preferences of the user.
Users without this setting still can login but without the two-factor authentication.
Reset the two-factor
If the user lost his phone you need to reset the totp for the user to establish a new one.
mysql -u root -p use guacamoldb; SELECT user_id FROM guacamole_user INNER JOIN guacamole_entity ON guacamole_entity.entity_id = guacamole_user.entity_id WHERE guacamole_entity.name = 'guacadmin';
Now you get the userid of the user guacadmin which should be #1.
Reset totp for user with id #1.
UPDATE guacamole_user_attribute SET attribute_value='false' WHERE attribute_name = 'guac-totp-key-confirmed' and user_id = '1'; quit;