The properties listed here are only applicable if TOTP is being used as an additional authentication factor. Support for TOTP is installed using the glyptodon-guacamole-auth-totp package. If using the glyptodon/guacamole Docker image, support for TOTP is instead configured using environment variables.

TOTP issuer details

A human readable name must be associated with generated keys such that the user enrolling their authentication device will be able to easily distinguish the code they should use for this application vs. the other applications that same authentication device may be used for. This value does not affect the key generated nor handling of received codes; it only serves as a reference for the user.

Property nameDefault valueDescription
totp-issuerApache GuacamoleThe human-readable name of the entity issuing user accounts.

TOTP code generation

Most authentication devices supporting TOTP use 6-digit codes, a code period of 30 seconds, and the SHA-1 hash algorithm. These values are used as the defaults for code generation. If your requirements differ, these default values may be overridden.

Property nameDefault valueDescription
totp-digits6The number of digits which should be included in each generated code. TOTP allows for 6-, 7-, or 8-digit codes. Longer or shorter codes than this are not possible as they violate the TOTP standard.
totp-period30The duration that each generated code should remain valid, in seconds. The code generation period is given in positive integer seconds and may be any value, however the value should be long enough to allow the user a reasonable amount of time to enter their code. Their authentication device will generate a new code after this period elapses.
totp-modesha1

The hash algorithm that should be used to generate codes. Valid TOTP modes (hashes) are:

  • sha1
  • sha256
  • sha512

Before selecting a value which differs from the default (sha1), be sure to verify that your authentication devices support that hash.