Using TOTP for multi-factor authentication

Guacamole supports TOTP as a second authentication factor, layered on top of any other authentication extension, including those available from the main project website, providing base requirements for key storage and enrollment are met. The TOTP authentication extension allows users to be additionally verified against a user-specific and secret key generated during enrollment of their authentication device.

Warning

You will need to restart the Guacamole web application in order to complete configuration. Doing this will disconnect all active users, so please:

• Do this only at a time that you can tolerate service unavailability, such as a scheduled maintenance window.

• Keep in mind that configuration errors may prevent Guacamole from starting back up.

Prerequisites

The enrollment process used by Guacamole’s TOTP support needs to be able to store an automatically-generated key within the user’s account. Another extension must be installed which supports storage of arbitrary data from other extensions. Currently the only extensions provided with Guacamole which support this kind of storage are the database authentication extensions.

It is thus recommended that authentication against a database be fully configured prior to setting up TOTP. Instructions walking through the setup of database authentication for Guacamole are provided in Database authentication.

How TOTP works with Guacamole

Guacamole provides support for TOTP as a second authentication factor. To make use of the TOTP authentication extension, some other authentication mechanism will need be configured, as well. When a user attempts to log into Guacamole, other installed authentication methods will be queried first:

Only after authentication has succeeded with one of those methods will Guacamole prompt the user to further verify their identity with an authentication code:

If both the initial authentication attempt and verification using TOTP succeed, the user will be allowed in. If either mechanism fails, access to Guacamole is denied.

Enrollment

If the user does not yet have a TOTP key associated with their account (they have not yet completed enrollment), they will be required to enroll an authentication device after passing the first authentication factor. A QR code containing an automatically-generated key will be presented to the user to be scanned by their authentication app or device:

If the authentication device does not support scanning QR codes for enrollment, the details within the QR code can be revealed by clicking the “Show” link next to the “Details” header. These values can then be entered manually:

Enrollment is completed once the user enters a valid authentication code generated by their device using the provided key.

Important

If the user does not confirm/complete the enrollment process, the next time the user logs in they will be asked to go through the enrollment process, again, and the TOTP data will be regenerated. This means the previously-scanned QR code and TOTP codes generated with the use of that code will be invalid.

Reseting TOTP Data

It may become necessary for certain users to clear their TOTP key and/or force them to re-confirm enrollment, such as in situations where a user loses their phone and needs to reconfigure TOTP. The user’s existing TOTP key can be cleared by checking the “Clear TOTP secret” box in the user interface and then saving the user configuration. The next time that the user logs in, they will be given a new key (QR code) and forced to re-enroll.

If you simply want a user to be able to re-configure an existing key, without resetting the secret, you can un-check the box marked “TOTP key confirmed” and save the user configuration, and the user will be presented with the QR code at next login and asked to confirm it.

Disabling TOTP for users or groups

In versions of Guacamole prior to 1.6.0, installing and configuring the TOTP module meant that all Guacamole users would be required to enroll in and successfully authenticate via the TOTP factor. Starting with 1.6.0 the TOTP requirement can be disabled on a per-user or per-group basis, allowing administrators more flexibility in configuring the TOTP requirement.

By default all users will still be required to authenticate with TOTP, however the requirement can be disabled by checking the “Disable TOTP” checkbox. This can be done for an individual user account, but it can also be disabled for a group resulting in the TOTP requirement being disabled for any members of the group.

Installing/Enabling the TOTP extension

Guacamole is configured differently depending on whether Guacamole was installed natively or using the provided Docker images. The documentation here covers both methods.

Native Webapp (Tomcat)

Native installations of Guacamole under Apache Tomcat or similar are configured by modifying the contents of GUACAMOLE_HOME (Guacamole’s configuration directory), which is located at /etc/guacamole by default and may need to be created first:

1. Download guacamole-auth-totp-1.6.0.tar.gz from the release page for Apache Guacamole 1.6.0 and extract it.

2. Create the GUACAMOLE_HOME/extensions directory, if it does not already exist.

3. Copy the guacamole-auth-totp-1.6.0.jar file from the contents of the archive to GUACAMOLE_HOME/extensions/.

4. Proceed with the configuring Guacamole for the newly installed extension as described below. The extension will be loaded after Guacamole has been restarted.

Note

Download and documentation links for all officially supported extensions for a particular version of Guacamole are always provided in the release notes for that version. The copy of the documentation you are reading now is from Apache Guacamole 1.6.0.

If you are using a different version of Guacamole, please locate that version within the release archives and consult the documentation for that release instead.

Container (Docker)

Docker installations of Guacamole include a bundled copy of Apache Tomcat and are configured using environment variables. The startup process of the Docker image automatically populates GUACAMOLE_HOME (Guacamole’s configuration directory) based on the values of these variables.

If deploying Guacamole using Docker Compose:

You will need to add at least one relevant environment variable to the environment section of your guacamole/guacamole container, such as the TOTP_ENABLED environment variable:

TOTP_ENABLED: "true"

If instead deploying Guacamole by running docker run manually:

The same environment variable(s) will need to be provided using the -e option. For example:

$ docker run --name some-guacamole \
    -e TOTP_ENABLED="true" \
    -d -p 8080:8080 guacamole/guacamole

If TOTP_ENABLED is set to false, the extension will NOT be installed, even if other related environment variables have been set. This can be used to temporarily disable usage of an extension without needing to remove all other related configuration.

You don’t strictly need to set TOTP_ENABLED if other related environment variables are provided, but the extension will be installed only if at least one related environment variable is set.

Configuration (optional)

Native Webapp (Tomcat)

With the exception of the storage and permission requirements described above, the TOTP extension should work out-of-the-box without any additional configuration. Defaults have been chosen for all configuration parameters such that the TOTP extension will be compatible with Google Authenticator and similar, popular TOTP implementations.

Warning

Some TOTP applications assume these defaults and silently ignore any other values. Google Authenticator is such an application. Be sure your authenticator application supports the values you intend to use before overriding the defaults.

totp-issuer

The human-readable name of the entity issuing user accounts. If not specified, “Apache Guacamole” will be used by default.

totp-digits

The number of digits which should be included in each generated TOTP code. Legal values are 6, 7, or 8. By default, 6-digit codes are generated.

totp-period

The duration that each generated code should remain valid, in seconds. By default, each code remains valid for 30 seconds.

totp-mode

The hash algorithm that should be used to generate TOTP codes. Legal values are “sha1”, “sha256”, and “sha512”. By default, “sha1” is used.

Container (Docker)

With the exception of the storage and permission requirements described above, the TOTP extension should work out-of-the-box without any additional configuration. Defaults have been chosen for all configuration parameters such that the TOTP extension will be compatible with Google Authenticator and similar, popular TOTP implementations.

Warning

Some TOTP applications assume these defaults and silently ignore any other values. Google Authenticator is such an application. Be sure your authenticator application supports the values you intend to use before overriding the defaults.

TOTP_ISSUER

The human-readable name of the entity issuing user accounts. If not specified, “Apache Guacamole” will be used by default.

TOTP_DIGITS

The number of digits which should be included in each generated TOTP code. Legal values are 6, 7, or 8. By default, 6-digit codes are generated.

TOTP_PERIOD

The duration that each generated code should remain valid, in seconds. By default, each code remains valid for 30 seconds.

TOTP_MODE

The hash algorithm that should be used to generate TOTP codes. Legal values are “sha1”, “sha256”, and “sha512”. By default, “sha1” is used.

Bypass/Enforce TOTP for Specific Hosts

Native Webapp (Tomcat)

By default, when the TOTP module is enabled, TOTP-based MFA will be enforced for all users that attempt to log in to Guacamole, regardless of where they are connecting from. Depending on your use case, it may be necessary to narrow this behavior and only enforce TOTP-based MFA for certain hosts and bypass it for others.

Warning

If you will be configuring Guacamole to consider users’ IP addresses, it is important to make sure that Guacamole is receiving correct IP address information for all clients.

If Guacamole is behind a reverse proxy, such as for SSL termination, the IP addresses of all users will appear to be the IP address of the proxy unless additional configuration steps are taken. Be sure to follow the documentation for configuring forwarding of client IP information!

TOTP-based MFA can be explicitly bypassed or enforced on a per-host basis by providing the relevant, exhaustive list of addresses/networks using either of the following properties:

totp-bypass-hosts

A comma-separated list of all IP addresses and/or subnets (in CIDR notation) that SHOULD NOT be required to verify themselves using TOTP when authenticating. All other hosts in this list will required to verify with TOTP.

If both bypass and enforce lists are provided, the enforce list takes priority and this property is effectively ignored.

This property is optional. By default, verification will be required for all users regardless of their IP address (TOTP is not bypassed for any addresses).

totp-enforce-hosts

A comma-separated list of all IP addresses and/or subnets (in CIDR notation) that SHOULD be required to verify themselves using TOTP when authenticating. All other hosts will not be required to verify with TOTP.

If both bypass and enforce lists are provided, the enforce list takes priority and the bypass list is effectively ignored.

This property is optional. By default, verification will be required for all users regardless of their IP address (TOTP is enforced for all addresses).

Container (Docker)

By default, when the TOTP module is enabled, TOTP-based MFA will be enforced for all users that attempt to log in to Guacamole, regardless of where they are connecting from. Depending on your use case, it may be necessary to narrow this behavior and only enforce TOTP-based MFA for certain hosts and bypass it for others.

Warning

If you will be configuring Guacamole to consider users’ IP addresses, it is important to make sure that Guacamole is receiving correct IP address information for all clients.

If Guacamole is behind a reverse proxy, such as for SSL termination, the IP addresses of all users will appear to be the IP address of the proxy unless additional configuration steps are taken. Be sure to follow the documentation for configuring forwarding of client IP information!

TOTP-based MFA can be explicitly bypassed or enforced on a per-host basis by providing the relevant, exhaustive list of addresses/networks using either of the following environment variables:

TOTP_BYPASS_HOSTS

A comma-separated list of all IP addresses and/or subnets (in CIDR notation) that SHOULD NOT be required to verify themselves using TOTP when authenticating. All other hosts in this list will required to verify with TOTP.

If both bypass and enforce lists are provided, the enforce list takes priority and this property is effectively ignored.

This property is optional. By default, verification will be required for all users regardless of their IP address (TOTP is not bypassed for any addresses).

TOTP_ENFORCE_HOSTS

A comma-separated list of all IP addresses and/or subnets (in CIDR notation) that SHOULD be required to verify themselves using TOTP when authenticating. All other hosts will not be required to verify with TOTP.

If both bypass and enforce lists are provided, the enforce list takes priority and the bypass list is effectively ignored.

This property is optional. By default, verification will be required for all users regardless of their IP address (TOTP is enforced for all addresses).

Completing installation

Native Webapp (Tomcat)

Guacamole will only reread its configuration and load newly-installed extensions during startup, so Tomcat will need to be restarted before these changes can take effect. Restart Tomcat and give the new functionality a try.

You do not need to restart guacd.

Hint

If Guacamole does not come back online after restarting Tomcat, check the logs. Configuration problems may prevent Guacamole from starting up, and any such errors will be recorded in Tomcat’s logs.

Container (Docker)

The environment variables that configure the behavior of Docker can only be set at the time the Docker container is created. To apply these configuration changes, you will need to recreate the container.

If your Guacamole container was deployed using Docker Compose:

Simply making the desired changes to your docker-compose.yml and running docker compose up is sufficient. Docker Compose will automatically recognize that the environment variables of the container have changed and recreate it.

If your Guacamole container was deployed manually (using docker run):

You wll need to manually use docker rm to remove the old container and then manually recreate it with docker run and the new environment variables.

Hint

If Guacamole does not come back online after recreating the container, check the Docker logs. Configuration problems may prevent Guacamole from starting up, and any such errors will be recorded in the Docker logs for the Guacamole container.