Max activation time for TOTP authentication with LDAP+mysql


Max activation time for TOTP authentication with LDAP+mysql

Alex Kaiser

Is it possible to set a timeframe within which the user has to activate his TOTP authentication on the first logon attempt?

For example 48 hrs after the user was added to the mysql database. Otherwise the account would be disabled.

Kind Regards

Alex Kaiser


Re: Max activation time for TOTP authentication with LDAP+mysql

vnick
On Wed, Nov 20, 2019 at 6:42 AM Alex Kaiser <[hidden email]> wrote:

Is it possible to set a timeframe within which the user has to activate his TOTP authentication on the first logon attempt?

For example 48 hrs after the user was added to the mysql database. Otherwise the account would be disabled.

There is no such feature in Guacamole today, no.

-Nick 

AW: Max activation time for TOTP authentication with LDAP+mysql

Alex Kaiser
In reply to this post by Alex Kaiser

I found a solution for deactivating incomplete TOTP activations.

Use the valid_from field in the database for the first valid logon date.

Execute the following queries against the database (mysql) within a cron job. In my case I used a max activation time of 7 days.


-- 1. Accounts that never received a valid_from date.
UPDATE guacamole_user
SET guacamole_user.disabled = 1
WHERE valid_from IS NULL;

-- 2. Accounts past the 7-day window for which the TOTP extension never stored a
--    guac-totp-key-confirmed attribute (no first logon at all). The attribute name is
--    part of the join condition so that unrelated attribute rows cannot hide a missing one.
UPDATE guacamole_user
LEFT JOIN guacamole_user_attribute
  ON guacamole_user.user_id = guacamole_user_attribute.user_id
 AND guacamole_user_attribute.attribute_name = 'guac-totp-key-confirmed'
SET guacamole_user.disabled = 1
WHERE valid_from < NOW() - INTERVAL 7 DAY
  AND guacamole_user_attribute.attribute_name IS NULL;

-- 3. Accounts past the 7-day window whose TOTP key was generated but never confirmed.
UPDATE guacamole_user
LEFT JOIN guacamole_user_attribute
  ON guacamole_user.user_id = guacamole_user_attribute.user_id
SET guacamole_user.disabled = 1
WHERE valid_from < NOW() - INTERVAL 7 DAY
  AND guacamole_user_attribute.attribute_name = 'guac-totp-key-confirmed'
  AND guacamole_user_attribute.attribute_value = 'false';


From: Alex Kaiser
Sent: Wednesday, 20 November 2019 12:42
To: [hidden email]
Subject: Max activation time for TOTP authentication with LDAP+mysql

 

Is it possible to set a timeframe within which the user has to activate his TOTP authentication on the first logon attempt?

For example 48 hrs after the user was added to the mysql database. Otherwise the account would be disabled.

 

Kind Regards

 

Alex Kaiser
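A way to check the cron-job policy from this post before pointing it at a live database, added here as an example and not part of the thread: it rebuilds the two tables in an in-memory sqlite3 stand-in (constructed, with only the columns the policy needs), folds the three UPDATEs into one audit SELECT so the affected accounts can be listed before anything is disabled, and puts the attribute name into the join condition so an account carrying only unrelated attributes is still caught. Table and attribute names are those from the posted queries; the usernames, dates and sample rows are constructed.

```python
import sqlite3
from datetime import date, timedelta
TODAY = date(2019, 11, 27)  # constructed reference date so the sample data is reproducible

# Offline stand-in for the two Guacamole tables the cron job touches (constructed; only
# the columns the policy needs).
SCHEMA = """CREATE TABLE guacamole_user (user_id INTEGER PRIMARY KEY, username TEXT,
    disabled INTEGER, valid_from TEXT);
CREATE TABLE guacamole_user_attribute (user_id INTEGER, attribute_name TEXT, attribute_value TEXT);"""

# One SELECT covering the three cases of the posted UPDATEs: no valid_from at all, window
# passed with no TOTP attribute, or window passed with the key still unconfirmed. Putting
# attribute_name in the ON clause stops unrelated attribute rows from hiding a missing one.
AUDIT_SQL = """SELECT u.username FROM guacamole_user u
LEFT JOIN guacamole_user_attribute a
       ON a.user_id = u.user_id AND a.attribute_name = 'guac-totp-key-confirmed'
WHERE u.disabled = 0 AND (u.valid_from IS NULL OR (u.valid_from < :cutoff
       AND (a.attribute_value IS NULL OR a.attribute_value = 'false')))"""

def pending_disable(conn, days, today=TODAY):
    """Dry run: usernames the job would disable with a `days`-long activation window."""
    cutoff = (today - timedelta(days=days)).isoformat()
    return sorted(row[0] for row in conn.execute(AUDIT_SQL, {"cutoff": cutoff}))

def disable_expired(conn, days, today=TODAY):
    """Apply the policy and return the usernames that were just disabled."""
    names = pending_disable(conn, days, today)
    if names:
        marks = ",".join("?" * len(names))
        conn.execute(f"UPDATE guacamole_user SET disabled = 1 WHERE username IN ({marks})", names)
        conn.commit()
    return names

def sample_db():
    """Constructed users covering each branch of the policy (ages relative to TODAY)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    ago = lambda n: (TODAY - timedelta(days=n)).isoformat()
    conn.executemany("INSERT INTO guacamole_user VALUES (?, ?, 0, ?)", [
        (1, "no-valid-from", None),       # never given a first-logon date
        (2, "never-logged-in", ago(10)),  # window passed, TOTP extension never ran
        (3, "unconfirmed-old", ago(10)),  # window passed, key generated but not confirmed
        (4, "confirmed", ago(10)),        # enrolled in time: stays enabled
        (5, "unconfirmed-new", ago(2)),   # still inside a 7-day window: stays enabled
        (6, "other-attr-only", ago(10)),  # unrelated attribute only, still no TOTP
    ])
    conn.executemany("INSERT INTO guacamole_user_attribute VALUES (?, ?, ?)", [
        (3, "guac-totp-key-confirmed", "false"), (4, "guac-totp-key-confirmed", "true"),
        (5, "guac-totp-key-confirmed", "false"), (6, "some-other-attribute", "x")])
    return conn
```

Against MySQL the same SELECT works as the dry run for the cron job once `:cutoff` is replaced by `NOW() - INTERVAL 7 DAY`.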

 


Re: Max activation time for TOTP authentication with LDAP+mysql

vnick
On Wed, Nov 27, 2019 at 12:00 PM Alex Kaiser <[hidden email]> wrote:

I found a solution for deactivating incomplete TOTP activations.

Use the valid_from field in the database for the first valid logon date.

Execute the following queries against the database (mysql) within a cron job. In my case I used a max activation time of 7 days.

-- 1. Accounts that never received a valid_from date.
UPDATE guacamole_user
SET guacamole_user.disabled = 1
WHERE valid_from IS NULL;

-- 2. Accounts past the 7-day window for which the TOTP extension never stored a
--    guac-totp-key-confirmed attribute (no first logon at all). The attribute name is
--    part of the join condition so that unrelated attribute rows cannot hide a missing one.
UPDATE guacamole_user
LEFT JOIN guacamole_user_attribute
  ON guacamole_user.user_id = guacamole_user_attribute.user_id
 AND guacamole_user_attribute.attribute_name = 'guac-totp-key-confirmed'
SET guacamole_user.disabled = 1
WHERE valid_from < NOW() - INTERVAL 7 DAY
  AND guacamole_user_attribute.attribute_name IS NULL;

-- 3. Accounts past the 7-day window whose TOTP key was generated but never confirmed.
UPDATE guacamole_user
LEFT JOIN guacamole_user_attribute
  ON guacamole_user.user_id = guacamole_user_attribute.user_id
SET guacamole_user.disabled = 1
WHERE valid_from < NOW() - INTERVAL 7 DAY
  AND guacamole_user_attribute.attribute_name = 'guac-totp-key-confirmed'
  AND guacamole_user_attribute.attribute_value = 'false';


Thanks for sharing the solution!  I'd still suggest that this be entered as a feature request, as I think it's something multiple people will find useful.  But it's good to have a work-around for the time being.

-Nick