
# Add Duo for MFA

Keeper Connection Manager supports Duo as a second authentication factor, automatically verifying user identity with Duo after the user is initially authenticated. To make use of Duo support, some other authentication mechanism must also be configured, such as [MySQL](/kcm-linux-rpm-method/authentication/using-keeper-connection-manager-with-a-mysql-database.md), [PostgreSQL](/kcm-linux-rpm-method/authentication/using-keeper-connection-manager-with-a-postgresql-database.md), or [LDAP](/kcm-linux-rpm-method/authentication/authenticating-users-with-ldap/using-ldap-with-a-database.md). Duo is used to verify the identity of the user only once authentication has succeeded through another installed method.

### Installing Duo support for Guacamole <a href="#id-.usingduoformultifactorauthenticationv2.x-installingduosupportforguacamole" id="id-.usingduoformultifactorauthenticationv2.x-installingduosupportforguacamole"></a>

Keeper Connection Manager packages Guacamole’s Duo support within the `kcm-guacamole-auth-duo` package:

```
$ sudo yum install kcm-guacamole-auth-duo
```

The Guacamole-side installation of Duo support within Keeper Connection Manager consists solely of the `kcm-guacamole-auth-duo` package. Nothing else needs to be installed except for Guacamole itself and some other means of authentication. If Guacamole has not yet been installed and confirmed to work with some other authentication method, do that before attempting to set up Duo.

### Registering Guacamole with Duo <a href="#id-.usingduoformultifactorauthenticationv2.x-registeringguacamolewithduo" id="id-.usingduoformultifactorauthenticationv2.x-registeringguacamolewithduo"></a>

For Duo to be integrated with any application, that specific instance of the application must first be registered with the Duo service. Duo does not provide a specific integration option for Guacamole, but Guacamole’s Duo support uses Duo’s generic authentication API, which Duo refers to as the “Web SDK”. To use your Guacamole deployment with Duo, you will need to add it to your Duo account as a new “Web SDK” application from within the “Applications” tab of the admin panel.

Once this has been done, Duo will expose several properties specific to your Guacamole deployment: the integration key, secret key, and API hostname. These values can be found within the application’s “Details” section in your Duo account, and will need to be copied into `/etc/guacamole/guacamole.properties`:

```
$ sudo vi /etc/guacamole/guacamole.properties
```

The relevant properties can be found in the “DUO-1” section:

```
##
## [DUO-1] Duo application integration details
##
## The API hostname, integration key, and secret key provided for you by Duo
## when you registered Guacamole in Duo's "Admin" panel. Each of these values
## is required and is generated by Duo.
##

#duo-api-hostname:    XXXXXXXX.duosecurity.com
#duo-integration-key: 0123456789ABCDEF0123
#duo-secret-key:      0123456789ABCDEF0123
```

### Generating the application key <a href="#id-.usingduoformultifactorauthenticationv2.x-generatingtheapplicationkey" id="id-.usingduoformultifactorauthenticationv2.x-generatingtheapplicationkey"></a>

The Duo “Web SDK” requires that an arbitrary and random key be generated for each application. This key resides strictly on the side of the application, and is not registered with Duo.

Any random value containing at least 40 characters will suffice. To quickly grab 40 random characters from `/dev/random`:

```
$ tr -dc 'a-zA-Z0-9' < /dev/random | head -c40; echo
xqZKJODwg7ouwxdqU9hvuaWhE6lQFspijY0ofg8I
$
```

This value must then be copied into the `duo-application-key` property, which can be found in the "DUO-2" section of `guacamole.properties`:

```
##
## [DUO-2] Duo application key
##
## An arbitrary and random key to use when communicating with the Duo service.
## This key MUST be manually generated, and MUST BE AT LEAST 40 CHARACTERS.
##

#duo-application-key: abcdefghijklmnopqrstuvwxyz0123456789ABCD
```
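
A check to run before restarting, as an added example that is not part of Keeper Connection Manager: it reports any of the four Duo properties that are still commented out, still hold the sample values shown in the DUO-1 and DUO-2 templates, or (for `duo-application-key`) are shorter than 40 characters. The function names `prop_value` and `check_duo_props` are this example's own.

```shell
#!/bin/sh
# Added example (not KCM tooling): lint the Duo settings in guacamole.properties.
# Usage after sourcing: check_duo_props /etc/guacamole/guacamole.properties

# Print the value of an uncommented "name: value" (or "name=value") line.
# Lines starting with '#' never match; the last occurrence is the one reported.
prop_value() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*[:=][[:space:]]*//p" "$1" 2>/dev/null |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Return 0 if all four Duo properties look usable; otherwise print each
# problem and return 1.
check_duo_props() {
    file=$1
    rc=0
    for name in duo-api-hostname duo-integration-key duo-secret-key duo-application-key; do
        val=$(prop_value "$file" "$name")
        case $val in
            '')
                echo "$name: missing or still commented out"; rc=1 ;;
            XXXXXXXX.duosecurity.com|0123456789ABCDEF0123|abcdefghijklmnopqrstuvwxyz0123456789ABCD)
                # Sample values copied from the DUO-1 / DUO-2 template text.
                echo "$name: still the sample value from the template"; rc=1 ;;
        esac
        # The DUO-2 template requires at least 40 characters for this key.
        if [ "$name" = duo-application-key ] && [ -n "$val" ] && [ "${#val}" -lt 40 ]; then
            echo "$name: ${#val} characters, at least 40 required"; rc=1
        fi
    done
    # Advisory only: the file holds duo-secret-key, so flag world-readable mode.
    if [ -n "$(find "$file" -perm -004 2>/dev/null)" ]; then
        echo "warning: $file is world-readable and contains duo-secret-key"
    fi
    return "$rc"
}
```
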

### Completing installation <a href="#id-.usingduoformultifactorauthenticationv2.x-completinginstallation" id="id-.usingduoformultifactorauthenticationv2.x-completinginstallation"></a>

Guacamole will generally only load new extensions and reread `guacamole.properties` during the startup process. To apply the configuration changes, Guacamole must be restarted:

```
$ sudo systemctl restart guacamole
```

{% hint style="info" %}
**If you do not have a standalone "guacamole" service** \
You will not have a standalone "guacamole" service if you have not deployed Guacamole automatically with the "kcm-guacamole-standalone" package. This will be the case if:

* You have chosen to manually deploy Guacamole under your own install of Apache Tomcat or JBoss, rather than use the provided version of Tomcat.
* You are maintaining a deployment of Glyptodon Enterprise that was originally installed before [the 2.5 release](https://newdocs.keeper.io/kcm-linux-rpm-method/authentication/pages/ZqnMdyCaG68yVINbbLIh#id-.changelogv2.x-2.52.5version2.5) (2021-09-16).

You will instead need to manually restart your install of Tomcat:

```
$ sudo systemctl restart tomcat
```

{% endhint %}

