Guacamole

How to access remote desktops and command line interfaces from any browser with Guacamole remote desktop gateway



Installation

pacman -Syu adobe-source-code-pro-fonts pipewire pipewire-alsa pipewire-jack pipewire-pulse wireplumber pipewire-docs helvum freerdp libwebsockets mariadb tomcat9 tomcat-native && yay -Syu guacamole-server guacamole-client

Manual guacamole client installation

Only needed if you skip the guacamole-client package above. Save the WAR under a fixed name (the download URL carries a query string, so without -O wget would write a file called guacamole-1.4.0.war?action=download and the mv would fail) and check it against the .sha256/.asc files published on the Guacamole releases page before deploying it.

mkdir -p /usr/share/guacamole
wget -O guacamole-1.4.0.war 'https://apache.org/dyn/closer.lua/guacamole/1.4.0/binary/guacamole-1.4.0.war?action=download'
mv guacamole-1.4.0.war /usr/share/guacamole/guacamole.war

Apache Tomcat Servlet

ln -s /usr/share/guacamole/guacamole.war /var/lib/tomcat9/webapps

Guacamole itself needs none of these Tomcat roles; they only matter if you deploy the Tomcat manager/host-manager applications. The manager application can deploy arbitrary WAR files, so anyone holding these credentials runs code as the Tomcat user. If you do not use it, leave tomcat-users.xml without manager roles; if you do, replace PASSWORD1..3 with long random passwords and keep the manager application reachable only from localhost.

/etc/tomcat9/tomcat-users.xml
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-jmx"/>
  <role rolename="manager-status"/>
  <role rolename="admin-gui"/>
  <role rolename="admin-script"/>
  <user username="tomcat" password="PASSWORD1" roles="tomcat"/>
  <user username="manager" password="PASSWORD2" roles="manager-gui,manager-script,manager-jmx,manager-status"/>
  <user username="admin" password="PASSWORD3" roles="admin-gui"/>
</tomcat-users>

systemctl enable tomcat9

Database authentication

Installing MariaDB/MySQL system tables.

mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
systemctl enable mariadb
systemctl start mariadb

Run the interactive hardening script: it sets a root password, removes the anonymous accounts and the test database, and disables remote root login.

mysql_secure_installation

When prompted to “Switch to unix_socket authentication” enter n for No; root then keeps password authentication, which the mysql -u root -p commands below rely on.


Listen only on the loopback address

/etc/my.cnf.d/server.cnf
[mysqld]
bind-address = localhost

systemctl restart mariadb

Create Guacamole database

mysql -u root -p

-- Guacamole only needs row-level access to its own database: the four grants
-- below are all the JDBC extension uses. Schema upgrades between Guacamole
-- versions are applied by hand as root with the upgrade scripts in the tarball.
CREATE DATABASE guacamole_db;
-- Use a long random password here and put the same value in guacamole.properties.
CREATE USER 'guacamole_user'@'localhost' IDENTIFIED BY 'PASSWORD';
GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'localhost';
FLUSH PRIVILEGES;
quit;


Install MySQL extensions for Guacamole

mkdir /etc/guacamole/{extensions,lib}
chmod 755 /etc/guacamole/extensions
chmod 755 /etc/guacamole/lib
echo 'GUACAMOLE_HOME=/etc/guacamole' >> /etc/default/tomcat9

Download the MySQL extension https://guacamole.apache.org/releases/

Unpack the tarball in a scratch directory rather than in /etc/guacamole/extensions/: Guacamole loads every .jar placed directly in that directory, and the archive also ships the PostgreSQL and SQL Server variants you do not want there. Verify the download with the .sha256 or .asc file published on the releases page before unpacking.

cd /tmp
wget https://dlcdn.apache.org/guacamole/1.4.0/binary/guacamole-auth-jdbc-1.4.0.tar.gz
tar -vxf guacamole-auth-jdbc-1.4.0.tar.gz

Write SQL schema files into the MySQL database

The glob applies 001-create-schema.sql before 002-create-admin-user.sql, which is the required order. Root's password (set by mysql_secure_installation) is needed here; a plain "mysql guacamole_db" would be refused.

cat /tmp/guacamole-auth-jdbc-1.4.0/mysql/schema/*.sql | mysql -u root -p guacamole_db

Copy the extension

cp /tmp/guacamole-auth-jdbc-1.4.0/mysql/guacamole-auth-jdbc-mysql-1.4.0.jar /etc/guacamole/extensions/
chmod 644 /etc/guacamole/extensions/guacamole-auth-jdbc-mysql-1.4.0.jar

Download the JDBC driver https://dev.mysql.com/downloads/connector/j/

wget https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-java-8.0.29.tar.gz
tar -vxf mysql-connector-java-8.0.29.tar.gz
cp mysql-connector-java-8.0.29/mysql-connector-java-8.0.29.jar /etc/guacamole/lib/
chmod 644 /etc/guacamole/lib/mysql-connector-java-8.0.29.jar

Configuring the client to use the database

/etc/guacamole/guacamole.properties
# Hostname and Guacamole server port
guacd-hostname: localhost
guacd-port: 4822

# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: PASSWORD

guacamole.properties holds the database password, so it must not be world-readable (chmod 644 would make it so). Give it to the group Tomcat runs as (tomcat9 for the Arch package; confirm with systemctl show -p User tomcat9) and restart Tomcat so that GUACAMOLE_HOME and the new extension are picked up.

chown root:tomcat9 /etc/guacamole/guacamole.properties
chmod 640 /etc/guacamole/guacamole.properties
chmod 644 /etc/guacamole/guacd.conf
systemctl enable --now guacd
systemctl restart tomcat9
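A post-install check for the settings configured above, as an added example (not code from this page or from the Guacamole project). It verifies that guacamole.properties is not world-readable and no longer holds the placeholder password, that MariaDB is bound to a loopback address, and that guacd is not running as root. The paths are the ones used on this page; the "run" argument is an assumption of this script so that its functions can be exercised on their own. The process check relies on procps ps (-C).

```shell
#!/bin/sh
# guac-check.sh: verify the hardening steps from this page after installation.
# Added example, not part of Guacamole. Paths are this page's; adjust if yours differ.
# Usage: sh guac-check.sh run

GUAC_PROPS=/etc/guacamole/guacamole.properties
MARIADB_CNF=/etc/my.cnf.d/server.cnf

# Print the "other" permission bits of a file as three characters (e.g. r--).
# ls -l is used because it behaves the same on GNU and BSD userland.
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# Succeed (return 0) when a file is readable by users outside its owner and group.
world_readable() {
    case "$(other_bits "$1")" in
        r*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Print the value of KEY from a guacamole.properties file ("key: value" lines).
# Comment lines are ignored; only the first match is printed.  $1 = file, $2 = key
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[:=][[:space:]]*//p" "$1" | head -n 1
}

# Print the bind-address set in the [mysqld] section of a MariaDB .cnf file.
# Prints nothing if the key is absent (MariaDB then listens on all addresses).
mysqld_bind_address() {
    awk '
        /^[[:space:]]*\[/ { in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\]/) }
        in_mysqld && $1 ~ /^bind-address/ {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }
    ' "$1"
}

# Succeed when the bind-address only allows loopback connections.
loopback_only() {
    case "$(mysqld_bind_address "$1")" in
        localhost|127.0.0.1|::1) return 0 ;;
        *) return 1 ;;
    esac
}

run_checks() {
    rc=0
    if world_readable "$GUAC_PROPS"; then
        echo "FAIL: $GUAC_PROPS is world-readable and contains mysql-password"; rc=1
    else
        echo "ok:   $GUAC_PROPS permissions"
    fi

    if [ "$(prop_value "$GUAC_PROPS" mysql-password)" = "PASSWORD" ]; then
        echo "FAIL: mysql-password is still the placeholder from the page"; rc=1
    fi

    if loopback_only "$MARIADB_CNF"; then
        echo "ok:   MariaDB bound to loopback"
    else
        echo "FAIL: MariaDB bind-address is '$(mysqld_bind_address "$MARIADB_CNF")' (expected localhost)"; rc=1
    fi

    # guacd should run as a dedicated account, never as root.
    guacd_user=$(ps -o user= -C guacd 2>/dev/null | head -n 1)
    if [ "$guacd_user" = "root" ]; then
        echo "FAIL: guacd is running as root"; rc=1
    elif [ -n "$guacd_user" ]; then
        echo "ok:   guacd runs as $guacd_user"
    else
        echo "warn: guacd is not running"
    fi
    return $rc
}

# Only touch the live system when explicitly asked, so the functions above
# can be sourced and tested in isolation.
if [ "${1:-}" = "run" ]; then
    run_checks
fi
```

The file checks deliberately parse the configuration files instead of trusting the running services: a world-readable properties file is a problem whether or not Tomcat is up, and a bind-address that is only commented out is reported as absent.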

Logging in

Tomcat serves Guacamole over plain HTTP on port 8080. That is fine for a first login from the same machine; before exposing it to anything else, put it behind a reverse proxy that terminates TLS.

http://localhost:8080/guacamole

The default Guacamole user created by the provided SQL scripts is guacadmin, with a default password of guacadmin.

Warning

Before continuing with configuring Guacamole, it’s recommended that you create a new admin account and delete the original.


Create a new SSH connection using public key authentication

Generate key pair in PEM format on Guacamole machine

Guacamole's SSH support expects the private key in the classic PEM format, which is why -m PEM is given; a key written in the newer default OpenSSH format is not accepted. The private key text goes into the connection's Private key field and its passphrase, if you set one, into the Passphrase field; the public half (.pub) is appended to ~/.ssh/authorized_keys of the account you log in as on the target.

ssh-keygen -t rsa -b 4096 -m PEM

Tip

Debug sshd on the target machine while testing the connection

journalctl -t sshd -b0

Find out the public host key (Base64) of the machine you want to connect to

If the connection's host key field is left empty, guacd does not verify the identity of the SSH server at all, so fill it in. ssh-keyscan prints hostname, key type and Base64 key; the field takes the key as it appears in a known_hosts entry (key type and Base64 blob), without the hostname column. The scan itself travels over the network, so compare its fingerprint with the one the target reports for its own host key file before trusting it.

ssh-keyscan -t ecdsa 192.168.0.204 2>&1 | grep ecdsa

Setup SSH server on the machine you want to connect to

AuthenticationMethods publickey together with PasswordAuthentication no makes the key the only way in. The PubkeyAcceptedKeyTypes line (named PubkeyAcceptedAlgorithms since OpenSSH 8.5; the old name is still accepted) re-enables the SHA-1 based ssh-rsa signature scheme that OpenSSH 8.8 turned off by default. Keep it only if the connection fails without it, since it weakens the server for every client, not just guacd. Check the file with sshd -t, restart sshd, and keep an existing session open until a login through Guacamole works.

/etc/ssh/sshd_config
AuthenticationMethods publickey
PubkeyAuthentication yes
PubkeyAcceptedKeyTypes=+ssh-rsa
PasswordAuthentication no
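The key and host key steps above combined into one script on the Guacamole host, as an added example (not code from this page or from Guacamole). It assumes a key path of ~/.ssh/guacamole_rsa and an ECDSA host key on the target; the expected fingerprint is the SHA256 value that ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub prints on the target, obtained over a channel you already trust (console, or an SSH session whose host key was verified earlier). The fingerprint computation needs base64 and openssl on the Guacamole host.

```shell
#!/bin/sh
# guac-ssh-prep.sh: prepare the pieces for a Guacamole SSH connection that uses
# public key authentication, and verify the scanned host key against a
# fingerprint obtained out of band. Added example, not Guacamole's own code.
# Key path, host and user are assumptions for this page; change them to match.
#
# Usage: sh guac-ssh-prep.sh keygen
#        sh guac-ssh-prep.sh hostkey HOST SHA256:EXPECTED_FINGERPRINT

KEY=${KEY:-$HOME/.ssh/guacamole_rsa}

# Succeed when FILE is a PEM private key, the format Guacamole's SSH support
# expects (this is why the page's ssh-keygen command passes -m PEM). Keys in
# the newer default format start with "-----BEGIN OPENSSH PRIVATE KEY-----".
is_pem_private_key() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----"|"-----BEGIN DSA PRIVATE KEY-----")
            return 0 ;;
        *)  return 1 ;;
    esac
}

# From one ssh-keyscan line ("host type base64") print "type base64":
# the hostname column is not part of the key.
keyscan_key() {
    printf '%s\n' "$1" | awk '{ print $2, $3 }'
}

# OpenSSH-style SHA256 fingerprint of the key blob in an ssh-keyscan line:
# base64(SHA256(decoded blob)) with '=' padding removed, which is exactly what
# ssh-keygen -lf prints after "SHA256:" on the target, so the two can be compared.
keyscan_fingerprint() {
    printf '%s\n' "$1" | awk '{ print $3 }' | base64 -d \
        | openssl dgst -sha256 -binary | base64 | tr -d '=\n'
}

case "${1:-}" in
    keygen)
        ssh-keygen -t rsa -b 4096 -m PEM -f "$KEY"
        is_pem_private_key "$KEY" || { echo "$KEY is not in PEM format" >&2; exit 1; }
        echo "Paste the contents of $KEY into the connection's Private key field."
        echo "Install the public half on the target: ssh-copy-id -i $KEY.pub user@host"
        ;;
    hostkey)
        host=$2
        expected=${3#SHA256:}
        line=$(ssh-keyscan -t ecdsa "$host" 2>/dev/null | grep ecdsa | head -n 1)
        [ -n "$line" ] || { echo "no ecdsa host key returned by $host" >&2; exit 1; }
        got=$(keyscan_fingerprint "$line")
        if [ "$got" != "$expected" ]; then
            echo "host key MISMATCH for $host: scanned SHA256:$got, expected SHA256:$expected" >&2
            exit 1
        fi
        echo "host key verified; paste this into the Public host key field:"
        keyscan_key "$line"
        ;;
esac
```

Refusing to print the key when the fingerprints differ is the point of the hostkey mode: an attacker positioned between the Guacamole host and the target during the scan would otherwise have their key pinned in the connection from then on.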

Fix RDP connection issues

Note

The Guacamole server (guacd) runs as the daemon user by default. FreeRDP, which guacd uses for RDP sessions, typically wants to write its configuration and certificate cache under the home directory of the user running guacd, and daemon has no writable home, so RDP connections can fail while SSH connections work.

ps aux | grep -v grep | grep guacd

Create a dedicated guacd system account with a writable home directory and run guacd as that user instead of daemon. Do not solve this by running guacd as root: it handles untrusted remote-desktop traffic and sees the credentials of every connection.

useradd -M -d /var/lib/guacd/ -r -s /sbin/nologin -c "Guacd" guacd
mkdir /var/lib/guacd
chown -R guacd: /var/lib/guacd

Change the guacd service user

Do not edit the unit under /usr/lib/systemd/system: the guacamole-server package replaces it on every upgrade, and making it immutable with chattr +i only makes that upgrade fail when pacman cannot write the file. A unit with the same name in /etc/systemd/system takes precedence over the packaged one and is left alone by pacman, so the write-protection step is not needed.

/etc/systemd/system/guacd.service
[Unit]
Description=Guacamole Server
Documentation=man:guacd(8)
After=network.target

[Service]
User=guacd
ExecStart=/usr/bin/guacd -f
Restart=on-abnormal

[Install]
WantedBy=multi-user.target

Then run systemctl daemon-reload, restart guacd, and confirm with the ps command above that it now runs as guacd.