Re-Authenticate Google TOTP on New Device

Re-Authenticate Google TOTP on New Device

eunosm3
I bought a new device, so I will lose access to the codes displayed by Google
Authenticator that I use for 2FA when I log into my Guacamole site.  How do
I set up the google authenticator on my new device so it works with my
pre-existing setup?  Is it a matter of displaying the QR code again?
Something different?  idk.  

I suppose I could remove the totp extension, restart guacd, add the
extension back and restart guacd again.  Any other methods, though?



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

RE: Re-Authenticate Google TOTP on New Device

Wuhrlin, Alain
Hello

Search for the key in the database:

-- replace user_name with the Guacamole login name
select guacamole_user.user_id, guacamole_user.entity_id, name, attribute_value
  from guacamole_entity, guacamole_user, guacamole_user_attribute
 where guacamole_user_attribute.user_id = guacamole_user.user_id
   and guacamole_user.entity_id = guacamole_entity.entity_id
   and attribute_name = 'guac-totp-key-secret'
   and name like 'user_name';

and manually enter the key in Google Authenticator
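
A way to check the re-enrolment described above, as an added example that is not part of the original thread: it computes the RFC 6238 code from the stored key so it can be compared with what the new device shows, and builds the otpauth:// URI that an enrolment QR code carries. It assumes the guac-totp-key-secret value is base32 and that the TOTP extension runs with SHA-1, 6 digits, a 30-second period and the issuer "Apache Guacamole"; the sample key is the RFC 6238 test key and the account name is constructed.

```python
import base64
import hmac
import struct
import time
from urllib.parse import quote

# Constructed sample: the RFC 6238 test key ("12345678901234567890") in base32.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, at=None, period=30, digits=6, algo="sha1"):
    """Return the RFC 6238 code for a base32 secret at Unix time `at`."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # restore stripped padding
    counter = int((time.time() if at is None else at) // period)
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def code_matches(secret_b32, code, at=None, window=1, period=30):
    """True if `code` is valid within +/- `window` time steps (clock drift)."""
    now = time.time() if at is None else at
    return any(
        hmac.compare_digest(totp(secret_b32, now + step * period, period), code)
        for step in range(-window, window + 1)
    )


def otpauth_uri(secret_b32, account, issuer="Apache Guacamole"):
    """Build the otpauth:// URI that an enrolment QR code encodes."""
    label = f"{quote(issuer, safe='')}:{quote(account, safe='')}"
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer, safe='')}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    # "alice" is a constructed account name; never pass a real key on argv.
    print("code at T=59:", totp(SAMPLE_SECRET, at=59))
    print("accepted    :", code_matches(SAMPLE_SECRET, "287082", at=59))
    print(otpauth_uri(SAMPLE_SECRET, "alice"))
```

Anyone who can read the key can generate valid codes, so the query output and any URI built from it deserve the same handling as a password.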


AW: Re-Authenticate Google TOTP on New Device

wla
In reply to this post by eunosm3
Take this script of mine, guacamole_resetTOTP.sh:
Also try the hidden option "-s" 😊

#!/bin/bash
# wla, 06.06.2020: created

if [[ "$#" = "0" ||  "$#" -gt 2 || "$1" = "-h" ]] ; then
  echo "$0 [GUAC_USER]"
  exit 0
fi

SQL=/usr/bin/mysql
DB=guacamole
# named GUAC_USER so the login environment variable USER is not overwritten
GUAC_USER="$1"

# the name is pasted into the SQL below: refuse quotes and backslashes
if [[ "${GUAC_USER}" == *"'"* || "${GUAC_USER}" == *"\\"* ]] ; then
  echo "Unsupported character in user name ... exit"
  exit 1
fi

# check if user exists (type='USER' skips a user group with the same name)
echo -e "Check user \"${GUAC_USER}\" ... \c"
ENTITY_ID=$(${SQL} ${DB} -Bse "select entity_id from guacamole_entity where name='${GUAC_USER}' and type='USER';")
test -n "${ENTITY_ID}" && USER_ID=$(${SQL} ${DB} -Bse "select user_id from guacamole_user where entity_id='${ENTITY_ID}';")

if [[ -z "${ENTITY_ID}" || -z "${USER_ID}" ]] ; then
  echo -e "Not exist ... exit\n"
  exit 1
else
  echo -e "Found\n   user ${GUAC_USER}, entity_id=${ENTITY_ID}, user_id=${USER_ID}\n"
fi


# before reset
IS_TOTP=$(${SQL} ${DB} -Bse "select attribute_value from guacamole_user_attribute where attribute_name='guac-totp-key-confirmed' and user_id='${USER_ID}';")
if [ -z "${IS_TOTP}" ] ; then
  echo "No TOTP initialization found for user \"${GUAC_USER}\" ... nothing to do ... exit"
  exit 0
else
  if [ "$2" = "-s" ] ; then
    # dump the secret to stdout (treat the output like a password)
    ${SQL} ${DB} -Bse "select attribute_value from guacamole_user_attribute where attribute_name='guac-totp-key-secret' and user_id='${USER_ID}';"
    exit
  fi
  echo -e "TOTP configured before reset: ${IS_TOTP}"
fi


# ask
read -r -p "Reset TOTP for user ${GUAC_USER}? [ (y)es/(n)o ]: " KEY
if [[ "${KEY}" != "y" && "${KEY}" != "Y" ]] ; then
  echo -e "Cancel ...\n"
  exit 0
fi

# new secret will be generated
# only the two TOTP attributes are deleted, other user attributes are kept
${SQL} ${DB} -Bse "delete from guacamole_user_attribute where user_id='${USER_ID}' and attribute_name in ('guac-totp-key-secret','guac-totp-key-confirmed');"

# after reset
IS_TOTP=$(${SQL} ${DB} -Bse "select attribute_value from guacamole_user_attribute where attribute_name='guac-totp-key-confirmed' and user_id='${USER_ID}';")
if [ -n  "${IS_TOTP}" ] ; then
  echo "!!! Error, please check ... !!!"
  exit 1
else
  echo "TOTP reset for user \"${GUAC_USER}\" was successful!"
fi

echo ""



Re: Re-Authenticate Google TOTP on New Device

vnick
In reply to this post by eunosm3
On Fri, Jul 10, 2020 at 9:39 AM eunosm3 <[hidden email]> wrote:
I bought a new device, so I will lose access to the codes displayed by Google
Authenticator that I use for 2FA when I log into my Guacamole site.  How do
I set up the google authenticator on my new device so it works with my
pre-existing setup?  Is it a matter of displaying the QR code again?
Something different?  idk. 

I suppose I could remove the totp extension, restart guacd, add the
extension back and restart guacd again.  Any other methods, though?



-Nick
Re: Re-Authenticate Google TOTP on New Device

eunosm3
In reply to this post by eunosm3
Alain and wla,

Thanks for responding.  I'll try the solutions today to find out if I can
make one or the other work.  Both *should*, but I'm not surprised when
challenges that shouldn't happen, do happen anyway. =)



Re: Re-Authenticate Google TOTP on New Device

eunosm3
In reply to this post by vnick
Nick,

Good to know it's already on the list of feature requests.  I'm running a
tiny group of users (family), so manual updates are feasible for me.


