Guacamole Package?

@davidep is the better interlocutor than me to speak about ldap, but I guess it is not a good idea to write information in ldap, it is here to store really sensitive informations. The idea to store guac informations in a mysql database sounds better.

Bumping this to let everyone know Guacamole 0.9.10-Incubating is now officially out, this is the first release since it was added to apache incubator

https://guacamole.incubator.apache.org/releases/0.9.10-incubating/

Cheers!

4 Likes

I’d like to add this amazing module to NethServer. How can we start? Any volunteer?
I can offer a prize :beers:
@Adam @jackyes @edi @Ctek @sitz @Hunv @dz00te @edi

4 Likes

I should have a working howto for Guacamole 0.9.10 on NS7, which is pretty much the same as the one posted by Adam plus other things to use its latest features and Letsencrypt

Would that be useful to start?

7 Likes

Yes! It’s time to do something…

@edi can you share your howto?

4 Likes

#Install guacamole on NS7

Install prerequisites

  • Install from GUI:
    OpenLDAP
    Firewall Base
    MariaDB (MySQL)
    Reverse Proxy
    Web Server

Now from console

yum update

Install needed packages, you can remove some of them based on the features you want enabled on guacamole, http://guacamole.incubator.apache.org/doc/0.9.10-incubating/gug/installing-guacamole.html

yum install cairo-devel libjpeg-devel uuid-devel freerdp-devel pango-devel libssh2-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel libvorbis-devel libwebp-devel nethserver-tomcat gcc

  • ffmpeg is not found in EPEL, I got it from nux dextop repo…

rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-1.el7.nux.noarch.rpm

  • Disable the repo to avoid unintentional updates from it

vi /etc/yum.repos.d/nux-dextop.repo
Set enabled=0 and save

  • Install ffmpeg

yum install --enablerepo=nux-dextop ffmpeg ffmpeg-devel

#Get guacamole and related parts

cd /opt/

Place here:
- guacamole-server-0.9.10-incubating.tar.gz
- guacamole-0.9.10-incubating.war
- guacamole-auth-jdbc-0.9.10-incubating.tar.gz
- mysql-connector-java-5.1.38.tar.gz

You can get the server parts from https://guacamole.incubator.apache.org/releases/0.9.10-incubating/ and the java connector from https://dev.mysql.com/downloads/connector/j/

tar -xzf guacamole-server-0.9.10-incubating.tar.gz

mv guacamole-server-0.9.10-incubating guacamole

rm guacamole-server-0.9.10-incubating.tar.gz

cd guacamole

./configure --with-init-dir=/etc/init.d

make

make install

ldconfig

mkdir -p /var/lib/guacamole && mv /opt/guacamole-0.9.10-incubating.war /var/lib/guacamole/guacamole.war

ln -s /var/lib/guacamole/guacamole.war /var/lib/tomcat/webapps/

rm -rf /usr/lib64/freerdp/guacdr.so

ln -s /usr/local/lib/freerdp/guacdr.so /usr/lib64/freerdp/

mkdir ~/guacamole && cd ~/guacamole 

mv /opt/guacamole-auth-jdbc-0.9.10-incubating.tar.gz ~/guacamole/guacamole-auth-jdbc-0.9.10-incubating.tar.gz

mv /opt/mysql-connector-java-5.1.38.tar.gz ~/guacamole/mysql-connector-java-5.1.38.tar.gz

mkdir -p /usr/share/tomcat/.guacamole/{extensions,lib}

tar -zxf guacamole-auth-jdbc-0.9.10-incubating.tar.gz

tar -zxf mysql-connector-java-5.1.38.tar.gz

tar -zxvf guacamole-auth-ldap-0.9.10-incubating.tar.gz

mv guacamole-auth-jdbc-0.9.10-incubating/mysql/guacamole-auth-jdbc-mysql-0.9.10-incubating.jar /usr/share/tomcat/.guacamole/extensions/guacamole-auth-jdbc-mysql.jar

mv mysql-connector-java-5.1.38/mysql-connector-java-5.1.38-bin.jar /usr/share/tomcat/.guacamole/lib/

mv guacamole-auth-ldap-0.9.10-incubating/guacamole-auth-ldap-0.9.10-incubating.jar /usr/share/tomcat/.guacamole/extensions/guacamole-auth-ldap.jar
  • Enter mysql CLI and setup DB and user

mysql

create database guacdb;

create user 'guacuser'@'localhost' identified by 'guacDBpass';
MODIFY THESE CREDENTIALS TO SOMETHING SECURE

grant all privileges on guacdb.* to 'guacuser'@'localhost';

flush privileges;

quit

If you need the mysql password:
cat /var/lib/nethserver/secrets/mysql

    cd ~/guacamole/guacamole-auth-jdbc-0.9.10-incubating/mysql/schema/

    cat ./*.sql | mysql -u root -p guacdb
  • Edit guacamole main configuration file

mkdir -p /etc/guacamole/ && vi /etc/guacamole/guacamole.properties

# MySQL properties
    mysql-hostname: localhost
    mysql-port: 3306
    mysql-database: guacdb
    mysql-username: guacuser #Taken from mysql user set earlier
    mysql-password: guacDBpass #Taken from mysql pwd set earlier
	 
# LDAP properties
	ldap-hostname: localhost
	ldap-encryption-method: starttls
	ldap-search-bind-dn: cn=ldapservice,dc=directory,dc=nh
	ldap-search-bind-password: xxxxxxxxxxxxxxxx #Taken from /var/lib/nethserver/secrets/ldapservice
	ldap-user-base-dn: dc=directory,dc=nh

ln -s /etc/guacamole/guacamole.properties /usr/share/tomcat/.guacamole/

cd ~ && rm -rf guacamole*

Setup the reverse proxy

vi /etc/httpd/conf.d/guacamole_reverse.conf

    SSLProxyEngine on
	# ProxyPass: guacamole
	# Description:
	ProxyPass       /path/to/guacamole/      http://FQDN:8080/guacamole/ flushpackets=on
	ProxyPassReverse        /path/to/guacamole/      http://FQDN:8080/guacamole/

        <Location />
		SSLRequireSSL
	</Location>

	ProxyPass /path/to/guacamole/ ws://FQDN:8080/guacamole/websocket-tunnel
	ProxyPassReverse /path/to/guacamole/ ws://FQDN:8080/guacamole/websocket-tunnel
	<Location /websocket-tunnel>

	</Location>

#Start services

systemctl enable tomcat.service
chkconfig guacd on
systemctl restart tomcat.service
systemctl start guacd.service
systemctl restart httpd.service

#Use it
Guacamole should be now accessible from the path you chose in the reverse proxy conf file on https (httpd) or FQDN:8080 over http (tomcat)

To use its new copy-paste feature, this extension is needed on chrome, it works like a charm !

9 Likes

Great Job!

Continuing from above
#First Login

To access guacamole login to it from your newly created https://FQDN/path/to/guacamole reverse proxy, using the default credentials guacadmin guacadmin

Once inside you can go to Settings and change password to something very very long (don’t fatfinger it!)

Setup a new user named “admin” and give it any password, be sure to check “login disabled” as we’ll be using LDAP users to login

Now logout and, if it doesn’t exist yet, create an “admin” account from NS GUI, give it a password, and use these credentials to login to guacamole, this will be the guacamole administrator account

Once logged in with admin user, you’ll notice you can now see and edit already existing LDAP users, when doing so, there’s new images on top that tell which backend is being used for the user

Guacamole uses all authentication backends it has to authenticate users, if the same account name exists in 2 different backends, any of their passwords can be used to login, which is why we edit users you intend to grant access to guacamole and check the “login disabled” option, so that all passwords are handled only by NS

Assign existing connections to users

Now users can login with their NS credentials and use the connections assigned to them

6 Likes

Waiting for guacamole rpm packages, that post looks like a great howto man! :clap:
Could you please move it on our wiki?

In the evening i plan on posting an howto to install (or update to) 0.9.11, released a few days ago, it comes with a couple more features, then i’ll move it to the wiki

Also testing the docker install method, but i’m currently having problems allowing the container to speak with the local LDAP and MySQL daemons, NS GUI doesn’t handle the docker0 bridge created by docker and i’ll have to work on iptables rules i guess…

(about that, is there a nethserver-docker or perhaps a nethserver-kubernetes in your plans? :slight_smile: )

Just a question, nethserver-packages are built starting from existing rpms and then adding custom code to it right? Is it possible to create a rpm starting from sources somehow?

Sorry for the silly question, but i’m not really into rpm making :slight_smile:

1 Like

@stephdl is very good at that :slight_smile:

Not yet but we are going to play with docker sooner or later.



Well to be honest I retrieve the most of time a rpm in epel, maintaining directly a rpm could be a full time job. However we could take a look and find a way to build it. For guacamole I believe we can start from a spec file of an older rpm and looks what it appends, otherwise we could start with a spec file of another rpm based distro.

Perhaps this will help
https://build.opensuse.org/package/view_file/home:ecsos:server/guacamole-server/guacamole-server.spec

0.9.11

Provides TFA with DUO and improvement to double authentication backend

If installed from source i think the 0.9.10 howto should work just fine by just replacing files with the ones found here, and editing the guacamole.properties

To update from 0.9.10 the following worked

cd /opt/

tar -xzf guacamole-server-0.9.11-incubating.tar.gz

mv guacamole-server-0.9.11-incubating guacamole-0.9.11

rm guacamole-server-0.9.11-incubating.tar.gz

cd guacamole-0.9.11

./configure --with-init-dir=/etc/init.d

make

make install

ldconfig

mv /opt/guacamole-0.9.11-incubating.war /var/lib/guacamole/guacamole.war

rm -rf /var/lib/tomcat/webapps/guacamole.war && ln -s /var/lib/guacamole/guacamole.war /var/lib/tomcat/webapps/

rm -rf /usr/lib64/freerdp/guacdr.so && ln -s /usr/local/lib/freerdp/guacdr.so /usr/lib64/freerdp/

mkdir ~/guacamole && cd ~/guacamole

mv /opt/guacamole-auth-jdbc-0.9.11-incubating.tar.gz ~/guacamole/guacamole-auth-jdbc-0.9.11-incubating.tar.gz

tar -zxf guacamole-auth-jdbc-0.9.11-incubating.tar.gz

mv /opt/guacamole-auth-ldap-0.9.11-incubating.tar.gz ~/guacamole/guacamole-auth-ldap-0.9.11-incubating.tar.gz

tar -zxvf guacamole-auth-ldap-0.9.11-incubating.tar.gz

mv guacamole-auth-jdbc-0.9.11-incubating/mysql/guacamole-auth-jdbc-mysql-0.9.11-incubating.jar /usr/share/tomcat/.guacamole/extensions/guacamole-auth-jdbc-mysql.jar

mv guacamole-auth-ldap-0.9.11-incubating/guacamole-auth-ldap-0.9.11-incubating.jar /usr/share/tomcat/.guacamole/extensions/guacamole-auth-ldap.jar

cat guacamole-auth-jdbc-0.9.11-incubating/mysql/schema/upgrade/upgrade-pre-0.9.11.sql | mysql -u root -p guacdb

#Allow logins from existing users only
This will prevent users who do not exist in MySQL to even attempt to login, instead of giving them an empty guacamole screen with no connections, the “login disabled” option in users settings is no longer needed

vi /etc/guacamole/guacamole.properties

Add > mysql-user-required: true

#Cleanup

cd ~ && rm -rf guacamole*

systemctl daemon-reload

systemctl restart guacd.service

systemctl restart tomcat.service

The DUO TFA seems really neat, it’s really interesting as it allows for a stronger security when exposing internal machines to the internet, users have to authenticate to guacamole with both LDAP and TFA, if either fail, access is denied

If the user has not set it up yet, there’s a wizard with QR codes to set it up

It also supports U2F devices, has anyone tried these USB and can offer advice on which to try?

4 Likes

Hi Team,

I’ve seen mention of a great app called Guacamole. The official blurb from their website says this:

Apache Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH.
We call it clientless because no plugins or client software are required.
Thanks to HTML5, once Guacamole is installed on a server, all you need to access your desktops is a web browser.

I’ve installed Guacamole a few years back to try it out and I thought it was pretty amazing. But I’m sure others are looking at it and wondering how it can be useful and why would anyone want to add it. I thought I would share my plans for our office’s use case for it.

We are an assaylab business so we use special machines at each workstation to help us do our daily work. The machines have a physical/hardware component and run using software. Rarely does the hardware fail so if there are issues it’s usually with the setup in the software.

All of our workstations that run the software for these machines are locked down from Internet access at our gateway. They are almost like dumb terminals in that they are always running and logged in with a generic account so an operator can go to any workstation and use it. This is a really quick overview of our operation so I’m skipping a lot of detail but you get the idea of our setup now.

All our workstations have VNC Server installed on them so I can remote into the office via VPN to assist. There is no access to any of these workstations from outside unless I’ve granted VPN access.

Our vendors do provide remote support via Internet but with all workstations locked down they cannot automatically remote in and assist when an operator requires help. I have provided VPN access to our vendor (and only allowed them access to the workstations they need to get too) but then our vendor needs to have a list of IP’s for each workstation. It works but is kind of messy.

This is where I see Guacamole can help. Serving up a webpage and creating a user account for our vendor I can display the workstations they can have access too. They can use VNC to look over our operators shoulder and assist. I still prefer to use VPN access as I don’t want to leave the Guacamole page opened for hackers to try and break in. But for a short period of time I suppose I could expose the Guacamole webpage to the Net for the duration of the vendor that provides support. It’s always best to be careful so VPN is very important to me and our office. :slight_smile:

If others have a use case for Guacamole they would like to share I’d like to hear it!

Thanks.

I have just added your post here, I think that it’s the right place.
Thanks for your thoughts I think that Guacamole is a GREAT package, sadly it’s not so straightforward installing it as rpm, as you can say above.

1 Like

Thanks @alefattorini for putting my post in the right location.

I’m still getting my head around requirements with regards to adding new modules. Is there a document or would someone be able to list of me what is needed from an App before it would be considered for nethserver? It sounds like an .rpm file is a must. Anything else you look for?

Thank you.

I’ve found .rpm for guacamole-common for Fedora. Would this be of any help for someone with the knowledge to build off of for Guacamole on NS?

you have a guacamole rpm in epel for centos7, it could be a good startting point also.

I was trying to find a solution for people to access RDP sessions with zero config and no installation files.
first I solved it by implementing sslexplorer until I found out about Guacamole.

I would like to share my experience about that,
Compiling it over Centos or Ubuntu is not an issue at all, no need for Docker as there are some posts advising to do so.
The trick about guacamole is that, best to be integrated into Nextcloud rather than being exposed to the public internet.

What I did: downloaded and compiled the guacamole from source.
Then inside nextcloud I pointed to it with external site link (however I used its private ip address)
So now the guacamole and its ports 8080 and 443 are not exposed to the outside world hence no one can access it directly.

The only problem I have is solving the issue of the certificate being pointing to a private IP.

1 Like

How does external site work when accessing nextcloud from outside using its FQDN? Does it just embed guacamole’s page inside nextcloud (meaning that page has to be directly reachable from the user, i.e. you still have to open tomcat port 8080 to the outside world to make it work) or does it work like a reverse proxy?

Also check this out, next release will add an http authentication header module which could be helpful when giving a user access to its desktops when that user has already been authenticated by a different service (nextcloud, authenticated reverse proxy, etc…)