Adding 2 Factor Authentication to Guacamole through Duo and Yubikey

In order to do this you will need to grab the current duo extension as such:

wget https://gigenet.dl.sourceforge.net/project/guacamole/current/extensions/guacamole-auth-duo-0.9.13-incubating.tar.gz

Once downloaded, decompress and move it to the appropriate folder:

tar xzf guacamole-auth-duo-0.9.13-incubating.tar.gz && mkdir /etc/guacamole/extensions && mv ./guacamole-auth-duo-0.9.13-incubating/guacamole-auth-duo-0.9.13-incubating.jar /etc/guacamole/extensions/

Now add the Guacamole as an application to your Duo management page.  Select, Protect an Application under the Applications menu, then you will select the Web SDK application, rename it something like Guacamole.

Next you will need to edit your /etc/guacamole/guacamole.properties and add the following info to it from the Duo site (minus the last key):

duo-api-hostname: <Your API key found on the Duo site>
duo-integration-key: <Integration key found on the Duo site>
duo-secret-key: <Secret Key found on Duo site>
duo-application-key: <40 random characters, I used pwgen 40 1>

The duo-application-key is just any 40 characters that you save into this file, it is not found on the Duo site.  Once you add these to the bottom, restart the tomcat service.

Next you will need to ensure you have your token registered as per instructions here:
https://duo.com/docs/yubikey

Ensure the assigned user matches your Guacamole username and that if you are using the second token slot, you are holding the button on your Yubikey down for the token input (as well, make sure you are on token).

That's it!  Enjoy 2 factor authentication to your Guacamole server!


Comments

Post a Comment

Popular posts from this blog

Policy Based Routing on a Nexus

First of all, let's just admit, I am a collab guy, doing work on a Nexus is a foreign experience. While some things are intuitive not everything follows RFC's and the Nexus platform is a bit more restrictive. First of all, to get PBR going, I had to change the hardware profile, since I have no intention of using QoS internally in my lab, I decided to steal from it: hardware profile tcam region qos 0 hardware profile tcam region pbr 256 This then requires a reboot.  After this is done and the pbr feature is enabled: feature pbr You can get into creating the route-maps.  However, unlike IOS devices you can only use permits in your acl's and then use a deny statement on the route map itself: ip access-list PBR_DENY statistics per-entry 10 permit ip any 192.168.1.0/24 ip access-list PBR_PERMIT  statistics per-entry  10 permit ip any any route-map PBR_RULE pbr-statistics route-map PBR_RULE deny 10  match ip address PBR_DENY route-map PBR_R...
Read more

Cloudflare Calls API to SIP broker

Update: Given the amount of time I sacrifice to game development outside of collaboration work, my site has become defunct. Cloudflare has a calls beta. My intention is to create a SIP to API broker for the CMS and try to get their CDN working with it's anycast to beat out GeoDNS solutions. I will probably post more about this later here, however, don't expect me to be overly timely on it. Also, why is the Cisco Meeting Server doesn't grey out UI items that have been configured in the API so people don't make mistakes and cause conflicts? Why is it that Cisco doesn't publish the methodology by which all cospaces are assigned to callbridges/nodes at the time of build. I have many questions for many things that don't make sense these days and a lot of rants, but I will save those for some knowledge drops in the future. Take care everyone!
Read more