Resetting Guacamole OTP for a user

I’ve implemented Guacamole for remote access; for the time being it uses the builtin OTP module. In the future I might migrate to LemonLDAP or Keycloak for 2FA, but for now the solution is good enough and works with zero configuration after module installation 🙂

Chapter 9. TOTP two-factor authentication

My particular setup pulls users from FreeIPA through LDAP, but also uses MySQL as a supplement to hold the connection definitions and things like the OTP plugin information.

From time to time, a user needs to re-enroll a device because the original device was stolen or reset. I did a quick search, but couldn’t find a clean/easy option to reset it from the GUI in version 1.3.0.

As a quick fix (I don’t want to have to rethink this each time a user has this requirement), I created a simple script to do the job for me.

All you need to do is set up your MySQL DB connection in ~/.my.cnf and get the script from here:

On most Linux machines, you can copy it to ~/bin/.

mkdir ~/bin
chmod +x

If you run the script with no options, it will show you the syntax:

Usage: /home/me/bin/ <username>
      /home/me/bin/ ciro.iriarte

And the execution should be as simple as: the.user
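For reference, here is an added example of what such a reset script can look like; it is my illustration, not the script linked from this post. It assumes the Guacamole 1.x JDBC schema (guacamole_entity, guacamole_user, guacamole_user_attribute), the TOTP extension's attribute names guac-totp-key-secret, guac-totp-key-confirmed and guac-totp-key-generated, a database named guacamole_db, and credentials read from ~/.my.cnf as in the post.

```shell
#!/bin/sh
# Added example (not the post's script): reset one Guacamole user's TOTP
# enrollment by deleting the attributes the TOTP extension stores in the
# JDBC backend. Assumed: ~/.my.cnf holds the credentials, the database is
# guacamole_db, and the attribute names are the guac-totp-key-* ones.
set -eu

GUAC_DB="${GUAC_DB:-guacamole_db}"   # assumed database name

# Usernames come from FreeIPA, so an allowlist is simpler and safer than
# escaping: accept only letters, digits, '.', '_', '-' and '@'.
validate_user() {
    case "$1" in
        "" | *[!A-Za-z0-9._@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit the SQL for one user. Only the three TOTP attributes are touched, and
# only for the entity of type USER with exactly that name, so connection
# definitions and other user attributes stay intact. ROW_COUNT() reports
# how many attribute rows were deleted (0 = unknown user or never enrolled).
build_reset_sql() {
    validate_user "$1" || { echo "refusing suspicious username: $1" >&2; return 1; }
    printf "DELETE FROM guacamole_user_attribute
 WHERE attribute_name IN ('guac-totp-key-secret', 'guac-totp-key-confirmed',
                          'guac-totp-key-generated')
   AND user_id IN (SELECT u.user_id FROM guacamole_user u
                   JOIN guacamole_entity e ON e.entity_id = u.entity_id
                  WHERE e.type = 'USER' AND e.name = '%s');
SELECT ROW_COUNT();\n" "$1"
}

reset_totp() {
    sql=$(build_reset_sql "$1") || return 1
    # -N drops the column header so only the deleted-row count is printed.
    rows=$(mysql -N "$GUAC_DB" -e "$sql")
    # Leave an audit line: who was reset, when, and whether anything changed.
    echo "$(date -u +%FT%TZ) reset TOTP for '$1': $rows attribute row(s) deleted"
}

if [ $# -ne 1 ]; then
    echo "Usage: $0 <username>" >&2
else
    reset_totp "$1"
fi
```

After the reset the user is prompted to enroll a new device on their next login, exactly as on first use.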