I’ve implemented Guacamole for remote access, for the time being it uses the builtin OTP module. In the future I might migrate to LemonLDAP or Keycloak for 2FA, for the time being the solution if good enough and works with zero configuration after module installation 🙂

Multifactor Enrollment

My particular setup is pulling users from FreeIPA through LDAP, but also uses MySQL as a supplement to handle the connections definitions and things like the OTP plugin information.

From time to time, an user would need to re-enroll a device because the original device was stolen or reset. Did a quick search, but couldn’t find a clean/easy option to reset it from the GUI in version 1.3.0.

As a quick fix (don’t want to have to rethink this each time a user has this requirement), I created a simple script to do the job for me.

All you need to do is setup your mysql DB connection in ~/.my.cnf and get the script from here:


In most Linux machines, you can copy it to ~/bin/.

mkdir ~/bin
cd ~/bin
wget https://raw.githubusercontent.com/ciroiriarte/sysadmin-scripts/main/guacamole-reset-user-otp.sh
chmod +x guacamole-reset-user-otp.sh

If you run the script with no options, it will show you the syntax

Usage: /home/me/bin/guacamole-reset-user-otp.sh <username>
      /home/me/bin/guacamole-reset-user-otp.sh ciro.iriarte

And the execution should be as simple as:

guacamole-reset-user-otp.sh the.user