
TOTP MFA

TOTP is an open standard for multi-factor authentication. Each user needs a TOTP client installed on a mobile device, such as the free Google Authenticator or Authy.

TOTP

To enable TOTP for Guacamole, follow these steps.

  1. SSH into the Guacamole instance as ec2-user.
  2. Link the TOTP extension into the extensions directory. Execute from /home/ec2-user:
    sudo ln -s ../available-extensions/guacamole-auth-totp-1.5.2/guacamole-auth-totp-1.5.2.jar \
    /home/ec2-user/guaws/guacamole/etc/extensions/
  3. Restart the Guacamole services with sudo systemctl restart guaws.
  4. Enable the "Change own password" permission for all users. This permission can also be set on a group level.

After logging into Guacamole, you will be greeted with a setup screen to pair your mobile device. Follow the instructions on the screen. All users will be required to set up TOTP before they can use Guacamole.
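
A check for step 2, as an added example that is not part of the original instructions: a relative symlink target is resolved from the directory that contains the link, not from the directory where ln was run, so a mistyped target leaves a dangling link and the extension cannot load. The function name check_totp_extension is hypothetical; the directory to pass is the extensions directory from step 2.

```shell
#!/bin/sh
# Added example (not from the Guacamole documentation).
# Verifies that a Guacamole extensions directory contains a TOTP extension
# jar that resolves to a readable, non-empty file.
# Return codes: 0 = usable jar found, 1 = no TOTP jar, 2 = jar present but unusable.
check_totp_extension() {
    ext_dir=$1
    found=0
    status=0
    for jar in "$ext_dir"/guacamole-auth-totp-*.jar; do
        # An unmatched glob stays literal, so skip names that do not exist.
        # -L is tested as well because -e is false for a dangling symlink.
        [ -e "$jar" ] || [ -L "$jar" ] || continue
        found=$((found + 1))
        if [ ! -e "$jar" ]; then
            echo "BROKEN: $jar -> $(readlink "$jar") (target does not exist)"
            status=2
        elif [ ! -f "$jar" ] || [ ! -r "$jar" ] || [ ! -s "$jar" ]; then
            echo "UNUSABLE: $jar is not a readable, non-empty file"
            status=2
        else
            echo "OK: $jar"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "MISSING: no guacamole-auth-totp-*.jar in $ext_dir"
        return 1
    fi
    return "$status"
}

# Usage: sh check_totp.sh /home/ec2-user/guaws/guacamole/etc/extensions
if [ "$#" -gt 0 ]; then
    check_totp_extension "$1"
fi
```

Run it after step 2 and again after any upgrade that changes the extension version in the available-extensions directory.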