guacamole-commits mailing list archives

From "Michael Jumper (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (GUACAMOLE-96) Two factor authentication with Google Authenticator
Date Mon, 29 Aug 2016 18:49:21 GMT

    [ https://issues.apache.org/jira/browse/GUACAMOLE-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15446729#comment-15446729
] 

Michael Jumper commented on GUACAMOLE-96:
-----------------------------------------

{quote}
Is this a feature you would like me to work on and contribute?
{quote}

Yes, please!

{quote}
Am I right that it is currently not possible to add an API endpoint just using guacamole-ext
to provide the QR codes?
{quote}

The extension API does not provide for custom REST endpoints, correct. However:

# This could be added, if necessary. It's something we've occasionally thought of doing. If
lacking such capabilities blocks adding this sort of feature, I'd say we should work on that
as well.
# If all you need to do is to provide additional information within an authentication response,
this does not require a custom REST endpoint. You can add arbitrary data to the Field objects
included in the GuacamoleInsufficientCredentialsException, and define a custom field type
with your extension's JavaScript.

{quote}
So far I have got Google Authenticator "kinda working". What I did is:
* Started with guacamole-auth-jdbc as base
* Added a secret key to a user account that is randomly generated upon creation. Also added
a boolean field to indicate whether TFA is required for logging in.
* Used the GuacamoleInsufficientCredentialsException to redirect the user to a second screen
asking for a TFA code after logging in with the username and password.
{quote}

Extensions can rely on other extensions for the first level of auth, so there's no need to
create a fork of guacamole-auth-jdbc. An MFA extension can be much simpler, merely augmenting
any existing authentication result and either (1) allowing it through or (2) vetoing it with
a GuacamoleInsufficientCredentialsException. Ideally, this should be kept as a separate authentication
layer (a separate extension) which is placed beneath the primary authentication mechanism
(any other extension), whether that be MySQL, PostgreSQL, LDAP, or something custom.


> Two factor authentication with Google Authenticator
> ---------------------------------------------------
>
>                 Key: GUACAMOLE-96
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-96
>             Project: Guacamole
>          Issue Type: New Feature
>          Components: guacamole-auth-jdbc, guacamole-client
>            Reporter: L.J. van Ruiten
>            Priority: Trivial
>
> We have a few critical systems that are accessible through Guacamole and we have had
> some clients requesting a safer way to login. Two factor authentication is probably the best
> and easiest way to improve on the current username/password login, and I can imagine that
> this is something that other companies using Guacamole would also be interested in.
> I already did some tinkering myself and I found that Google Authenticator is simple to
> use, does not require any configuration (like you would with SMS codes), is easy to implement,
> and the "client" side of the authentication (the part that generates the codes) is easily
> integrated into existing apps.
> So far I have got Google Authenticator "kinda working". What I did is:
> - Started with guacamole-auth-jdbc as base
> - Added a secret key to a user account that is randomly generated upon creation. Also
> added a boolean field to indicate whether TFA is required for logging in.
> - Used the GuacamoleInsufficientCredentialsException to redirect the user to a second
> screen asking for a TFA code after logging in with the username and password.
> However as said before this only "kinda works" because:
> I have only gotten the TFA enable button to appear in the user's managing page, so it
> can only be enabled by administrators, and that's also where the secret key shows up,
> so users can't find it themselves.
> As far as I could find the previous point cannot be done with just the guacamole-ext
> api. Even with the new API that enables you to insert HTML parts, you would also need an API
> endpoint to provide the secret key or ideally generate a QR code that Google Authenticator
> can read to bind a device to the account (I would like it to appear in the user's preference
> page).
> So in summary if other people are interested I would be willing to contribute this, but
> I would need some directions and I have a few questions:
> - Am I right that it is currently not possible to add an API endpoint just using guacamole-ext
> to provide the QR codes?
> - What would be the way to implement this? Personally I thought that adding these options
> to the user's page would be the easiest.
> - Is this a feature you would like me to work on and contribute?
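To make the layering concrete, here is an added example (not code from this thread or from the Guacamole project) of the second-factor gate described in the comment above, together with the per-user secret generation and the QR provisioning URI the issue asks about. It assumes the guacamole-ext classes AuthenticatedUser, CredentialsInfo, Field, TextField, GuacamoleInsufficientCredentialsException and GuacamoleInvalidCredentialsException as they exist in the 0.9.x API, and that a separate extension calls verifyAuthenticatedUser() from its own AuthenticationProvider.getUserContext(); the class name TotpVerificationService, the form parameter name guac-totp, and the Map standing in for a real per-user secret store are assumptions.

```java
import java.net.URLEncoder;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Collections;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.form.Field;
import org.apache.guacamole.form.TextField;
import org.apache.guacamole.net.auth.AuthenticatedUser;
import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
import org.apache.guacamole.net.auth.credentials.GuacamoleInsufficientCredentialsException;
import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException;

/**
 * Second-factor gate for a separate MFA extension (assumed class name). It never
 * authenticates anyone itself: it either lets the primary extension's result
 * through unchanged or vetoes it with an insufficient/invalid-credentials exception.
 */
public class TotpVerificationService {

    /** Extra form parameter the TOTP screen submits (assumed name). */
    public static final String CODE_PARAMETER = "guac-totp";
    private static final int DIGITS = 6;
    private static final long STEP_SECONDS = 30;
    private static final int ALLOWED_SKEW_STEPS = 1; // accept T-1, T and T+1

    /** Stand-in for the per-user secret store; a missing entry means TOTP is not enrolled. */
    private final Map<String, byte[]> secretsByUsername;

    public TotpVerificationService(Map<String, byte[]> secretsByUsername) {
        this.secretsByUsername = secretsByUsername;
    }

    /** 160-bit random shared secret, generated once per user at enrollment. */
    public static byte[] generateSecret() {
        byte[] secret = new byte[20];
        new SecureRandom().nextBytes(secret);
        return secret;
    }

    /** RFC 4648 base32 without padding, the encoding Google Authenticator expects. */
    public static String base32(byte[] data) {
        final String alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
        StringBuilder out = new StringBuilder();
        int buffer = 0, bits = 0;
        for (byte b : data) {
            buffer = (buffer << 8) | (b & 0xff);
            bits += 8;
            while (bits >= 5) {
                out.append(alphabet.charAt((buffer >> (bits - 5)) & 0x1f));
                bits -= 5;
            }
        }
        if (bits > 0)
            out.append(alphabet.charAt((buffer << (5 - bits)) & 0x1f));
        return out.toString();
    }

    /** The otpauth:// URI that is rendered as the enrollment QR code. */
    public static String provisioningUri(String issuer, String account, byte[] secret) throws Exception {
        String label = URLEncoder.encode(issuer + ":" + account, "UTF-8");
        return "otpauth://totp/" + label + "?secret=" + base32(secret)
             + "&issuer=" + URLEncoder.encode(issuer, "UTF-8")
             + "&algorithm=SHA1&digits=" + DIGITS + "&period=" + STEP_SECONDS;
    }

    /** RFC 6238 code for one time-step counter: HMAC-SHA1 plus dynamic truncation. */
    public static String codeFor(byte[] secret, long counter) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret, "HmacSHA1"));
        byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
        int offset = h[h.length - 1] & 0x0f;
        int binary = ((h[offset] & 0x7f) << 24) | ((h[offset + 1] & 0xff) << 16)
                   | ((h[offset + 2] & 0xff) << 8) | (h[offset + 3] & 0xff);
        return String.format("%0" + DIGITS + "d", binary % (int) Math.pow(10, DIGITS));
    }

    /** True if the submitted code matches any step inside the allowed clock skew. */
    public static boolean verify(byte[] secret, String code, long nowSeconds) throws Exception {
        if (code == null || code.length() != DIGITS)
            return false;
        long step = nowSeconds / STEP_SECONDS;
        boolean match = false;
        for (long c = step - ALLOWED_SKEW_STEPS; c <= step + ALLOWED_SKEW_STEPS; c++) {
            // Constant-time compare and no early exit, so timing does not reveal which step matched
            match |= MessageDigest.isEqual(codeFor(secret, c).getBytes(StandardCharsets.US_ASCII),
                                           code.getBytes(StandardCharsets.US_ASCII));
        }
        return match;
    }

    /** Allow the primary authentication result through, or veto it. */
    public void verifyAuthenticatedUser(AuthenticatedUser user) throws GuacamoleException {
        byte[] secret = secretsByUsername.get(user.getIdentifier());
        if (secret == null)
            return; // TOTP not required for this account: let the primary result stand

        HttpServletRequest request = user.getCredentials().getRequest();
        String code = request == null ? null : request.getParameter(CODE_PARAMETER);
        CredentialsInfo codeField = new CredentialsInfo(
                Collections.<Field>singletonList(new TextField(CODE_PARAMETER)));

        // No code submitted yet: veto and tell the client which extra field to prompt for
        if (code == null)
            throw new GuacamoleInsufficientCredentialsException("TOTP code required", codeField);

        boolean ok;
        try {
            ok = verify(secret, code, System.currentTimeMillis() / 1000);
        } catch (Exception e) {
            throw new GuacamoleException("TOTP verification failed", e);
        }
        if (!ok)
            throw new GuacamoleInvalidCredentialsException("Invalid TOTP code", codeField);
    }
}
```

The secret is stored only server-side and is shown to the user exactly once, as the provisioning URI; codeFor can be checked against the RFC 6238 test vectors (the ASCII key "12345678901234567890" at T=59, i.e. counter 1, yields 287082). The skew window is kept deliberately small, since every extra step widens the set of codes that will be accepted at any moment.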



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
