Guacamole
How to access remote desktops and command line interfaces from any browser with Guacamole remote desktop gateway
Installation
pacman -Syu adobe-source-code-pro-fonts pipewire pipewire-alsa pipewire-jack pipewire-pulse wireplumber pipewire-docs helvum freerdp libwebsockets mariadb tomcat9 tomcat-native && yay -Syu guacamole-server guacamole-client
Manual guacamole client installation
wget -O guacamole-1.4.0.war 'https://apache.org/dyn/closer.lua/guacamole/1.4.0/binary/guacamole-1.4.0.war?action=download'
mv guacamole-1.4.0.war /usr/share/guacamole/guacamole.war
Apache Tomcat Servlet
ln -s /usr/share/guacamole/guacamole.war /var/lib/tomcat9/webapps
/etc/tomcat9/tomcat-users.xml
<tomcat-users>
<role rolename="tomcat"/>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<role rolename="admin-gui"/>
<role rolename="admin-script"/>
<user username="tomcat" password="PASSWORD1" roles="tomcat"/>
<user username="manager" password="PASSWORD2" roles="manager-gui,manager-script,manager-jmx,manager-status"/>
<user username="admin" password="PASSWORD3" roles="admin-gui"/>
</tomcat-users>
systemctl enable tomcat9
Database authentication
Installing MariaDB/MySQL system tables.
mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
systemctl enable mariadb
systemctl start mariadb
Improve the initial security with the recommended measures, such as removing anonymous accounts and removing the test database.
mysql_secure_installation
When prompted to “Switch to unix_socket authentication” enter n for No.
Listen only on the loopback address
/etc/my.cnf.d/server.cnf
[mysqld]
bind-address = localhost
systemctl restart mariadb
Create Guacamole database
mysql -u root -p
CREATE DATABASE guacamole_db;
CREATE USER 'guacamole_user'@'localhost' IDENTIFIED BY 'PASSWORD';
GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'localhost';
FLUSH PRIVILEGES;
quit;
Install MySQL extensions for Guacamole
mkdir /etc/guacamole/{extensions,lib}
chmod 755 /etc/guacamole/extensions
chmod 755 /etc/guacamole/lib
echo 'GUACAMOLE_HOME=/etc/guacamole' >> /etc/default/tomcat9
Download the MySQL extension https://guacamole.apache.org/releases/
cd /etc/guacamole/extensions/
wget https://dlcdn.apache.org/guacamole/1.4.0/binary/guacamole-auth-jdbc-1.4.0.tar.gz
tar -vxf guacamole-auth-jdbc-1.4.0.tar.gz
Load the SQL schema files into the MySQL database
cat /etc/guacamole/extensions/guacamole-auth-jdbc-1.4.0/mysql/schema/*.sql | mysql guacamole_db
Copy the extension
cp /etc/guacamole/extensions/guacamole-auth-jdbc-1.4.0/mysql/guacamole-auth-jdbc-mysql-1.4.0.jar /etc/guacamole/extensions/
chmod 644 /etc/guacamole/extensions/guacamole-auth-jdbc-mysql-1.4.0.jar
Download the JDBC driver https://dev.mysql.com/downloads/connector/j/
wget https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-java-8.0.29.tar.gz
tar -vxf mysql-connector-java-8.0.29.tar.gz
cp mysql-connector-java-8.0.29/mysql-connector-java-8.0.29.jar /etc/guacamole/lib/
chmod 644 /etc/guacamole/lib/mysql-connector-java-8.0.29.jar
Configuring the client to use the database
/etc/guacamole/guacamole.properties
# Hostname and Guacamole server port
guacd-hostname: localhost
guacd-port: 4822
# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: PASSWORD
chmod 644 /etc/guacamole/guacamole.properties
chmod 644 /etc/guacamole/guacd.conf
systemctl enable guacd
Logging in
http://localhost:8080/guacamole
The default Guacamole user created by the provided SQL scripts is guacadmin, with a default password of guacadmin.
Before continuing with configuring Guacamole, it’s recommended that you create a new admin account and delete the original.
Create a new SSH connection using public key authentication
Generate a key pair in PEM format on the Guacamole machine
ssh-keygen -t rsa -b 4096 -m PEM
Debug sshd
journalctl -t sshd -b0
Find out the public host key (Base64) of the machine you want to connect to
ssh-keyscan -t ecdsa 192.168.0.204 2>&1 | grep ecdsa
Set up the SSH server on the machine you want to connect to
/etc/ssh/sshd_config
AuthenticationMethods publickey
PubkeyAuthentication yes
PubkeyAcceptedKeyTypes=+ssh-rsa
PasswordAuthentication no
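As an added check (example code, not part of this guide), the following POSIX shell script audits an sshd_config for the four settings above, so you can confirm that a target really enforces key-only logins before wiring it into Guacamole. The two sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an sshd_config for the
# key-only settings listed above. Handles "Key value" and "Key=value" forms,
# comments, case-insensitive keywords and sshd's first-match-wins rule;
# Match blocks are not modelled, so only the global section is checked.
# sshd_get FILE KEYWORD -> prints the effective (first) value of KEYWORD
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            # split at the first run of whitespace or "=" into keyword/value
            if (!match(line, /[[:space:]=]+/)) next
            k = tolower(substr(line, 1, RSTART - 1))
            v = substr(line, RSTART + RLENGTH)
            sub(/[[:space:]]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}
# sshd_keyonly_check FILE -> 0 if the four settings from the guide are in effect
sshd_keyonly_check() {
    f="$1"; rc=0
    [ "$(sshd_get "$f" AuthenticationMethods)" = "publickey" ] \
        || { echo "AuthenticationMethods is not 'publickey'"; rc=1; }
    [ "$(sshd_get "$f" PubkeyAuthentication)" = "yes" ] \
        || { echo "PubkeyAuthentication is not 'yes'"; rc=1; }
    case "$(sshd_get "$f" PubkeyAcceptedKeyTypes)" in
        *ssh-rsa*) ;;
        *) echo "PubkeyAcceptedKeyTypes does not include ssh-rsa"; rc=1 ;;
    esac
    [ "$(sshd_get "$f" PasswordAuthentication)" = "no" ] \
        || { echo "PasswordAuthentication is not 'no'"; rc=1; }
    return $rc
}
# Constructed sample configs (not real files) written to temp files for the demo
good_cfg=$(mktemp); bad_cfg=$(mktemp)
cat > "$good_cfg" <<'EOF'
AuthenticationMethods publickey
PubkeyAuthentication yes
PubkeyAcceptedKeyTypes=+ssh-rsa
PasswordAuthentication no
# a later duplicate is ignored: sshd keeps the first value it read
PasswordAuthentication yes
EOF
printf 'PubkeyAuthentication yes\nPasswordAuthentication yes\n' > "$bad_cfg"
sshd_keyonly_check "$good_cfg" && echo "$good_cfg: key-only login enforced"
sshd_keyonly_check "$bad_cfg" || echo "$bad_cfg: NOT hardened"
```

Run it against a copy of the real /etc/ssh/sshd_config by calling sshd_keyonly_check with that path; a non-zero exit lists the settings that still need to change.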
Fix RDP connection issues
The Guacamole server (guacd) service runs as the daemon user by default.
ps aux | grep -v grep | grep guacd
Create a guacd system user account that can be used to run guacd instead of the daemon user.
useradd -M -d /var/lib/guacd/ -r -s /sbin/nologin -c "Guacd" guacd
mkdir /var/lib/guacd
chown -R guacd: /var/lib/guacd
Change the Guacd service user
/usr/lib/systemd/system/guacd.service
[Unit]
Description=Guacamole Server
Documentation=man:guacd(8)
After=network.target
[Service]
User=guacd
ExecStart=/usr/bin/guacd -f
Restart=on-abnormal
[Install]
WantedBy=multi-user.target
Write-protect the guacd service file
chattr +i /usr/lib/systemd/system/guacd.service