Guacamole Package?


(Davide) #61

Continuing from above
#First Login

To access guacamole login to it from your newly created https://FQDN/path/to/guacamole reverse proxy, using the default credentials guacadmin guacadmin

Once inside you can go to Settings and change password to something very very long (don’t fatfinger it!)

Setup a new user named “admin” and give it any password, be sure to check “login disabled” as we’ll be using LDAP users to login

Now logout and, if it doesn’t exist yet, create an “admin” account from NS GUI, give it a password, and use these credentials to login to guacamole, this will be the guacamole administrator account

Once logged in with admin user, you’ll notice you can now see and edit already existing LDAP users, when doing so, there’s new images on top that tell which backend is being used for the user

Guacamole uses all authentication backends it has to authenticate users, if the same account name exists in 2 different backends, any of their passwords can be used to login, which is why we edit users you intend to grant access to guacamole and check the “login disabled” option, so that all passwords are handled only by NS

Assign existing connections to users

Now users can login with their NS credentials and use the connections assigned to them


(Alessio Fattorini) #62

Waiting for guacamole rpm packages, that post looks like a great howto man! :clap:
Could you please move it on our wiki?


(Davide) #63

In the evening i plan on posting an howto to install (or update to) 0.9.11, released a few days ago, it comes with a couple more features, then i’ll move it to the wiki

Also testing the docker install method, but i’m currently having problems allowing the container to speak with the local LDAP and MySQL daemons, NS GUI doesn’t handle the docker0 bridge created by docker and i’ll have to work on iptables rules i guess…

(about that, is there a nethserver-docker or perhaps a nethserver-kubernetes in your plans? :slight_smile: )

Just a question, nethserver-packages are built starting from existing rpms and then adding custom code to it right? Is it possible to create a rpm starting from sources somehow?

Sorry for the silly question, but i’m not really into rpm making :slight_smile:


(Alessio Fattorini) #64

@stephdl is very good at that :slight_smile:

Not yet but we are going to play with docker sooner or later.




(Stéphane de Labrusse) #65

Well to be honest I retrieve the most of time a rpm in epel, maintaining directly a rpm could be a full time job. However we could take a look and find a way to build it. For guacamole I believe we can start from a spec file of an older rpm and looks what it appends, otherwise we could start with a spec file of another rpm based distro.


(Davide) #66

Perhaps this will help
https://build.opensuse.org/package/view_file/home:ecsos:server/guacamole-server/guacamole-server.spec

0.9.11

Provides TFA with DUO and improvement to double authentication backend

If installed from source i think the 0.9.10 howto should work just fine by just replacing files with the ones found here, and editing the guacamole.properties

To update from 0.9.10 the following worked

cd /opt/

tar -xzf guacamole-server-0.9.11-incubating.tar.gz

mv guacamole-server-0.9.11-incubating guacamole-0.9.11

rm guacamole-server-0.9.11-incubating.tar.gz

cd guacamole-0.9.11

./configure --with-init-dir=/etc/init.d

make

make install

ldconfig

mv /opt/guacamole-0.9.11-incubating.war /var/lib/guacamole/guacamole.war

rm -rf /var/lib/tomcat/webapps/guacamole.war && ln -s /var/lib/guacamole/guacamole.war /var/lib/tomcat/webapps/

rm -rf /usr/lib64/freerdp/guacdr.so && ln -s /usr/local/lib/freerdp/guacdr.so /usr/lib64/freerdp/

mkdir ~/guacamole && cd ~/guacamole

mv /opt/guacamole-auth-jdbc-0.9.11-incubating.tar.gz ~/guacamole/guacamole-auth-jdbc-0.9.11-incubating.tar.gz

tar -zxf guacamole-auth-jdbc-0.9.11-incubating.tar.gz

mv /opt/guacamole-auth-ldap-0.9.11-incubating.tar.gz ~/guacamole/guacamole-auth-ldap-0.9.11-incubating.tar.gz

tar -zxvf guacamole-auth-ldap-0.9.11-incubating.tar.gz

mv guacamole-auth-jdbc-0.9.11-incubating/mysql/guacamole-auth-jdbc-mysql-0.9.11-incubating.jar /usr/share/tomcat/.guacamole/extensions/guacamole-auth-jdbc-mysql.jar

mv guacamole-auth-ldap-0.9.11-incubating/guacamole-auth-ldap-0.9.11-incubating.jar /usr/share/tomcat/.guacamole/extensions/guacamole-auth-ldap.jar

cat guacamole-auth-jdbc-0.9.11-incubating/mysql/schema/upgrade/upgrade-pre-0.9.11.sql | mysql -u root -p guacdb

#Allow logins from existing users only
This will prevent users who do not exist in MySQL to even attempt to login, instead of giving them an empty guacamole screen with no connections, the “login disabled” option in users settings is no longer needed

vi /etc/guacamole/guacamole.properties

Add > mysql-user-required: true

#Cleanup

cd ~ && rm -rf guacamole*

systemctl daemon-reload

systemctl restart guacd.service

systemctl restart tomcat.service

The DUO TFA seems really neat, it’s really interesting as it allows for a stronger security when exposing internal machines to the internet, users have to authenticate to guacamole with both LDAP and TFA, if either fail, access is denied

If the user has not set it up yet, there’s a wizard with QR codes to set it up

It also supports U2F devices, has anyone tried these USB and can offer advice on which to try?


(Charles) #67

Hi Team,

I’ve seen mention of a great app called Guacamole. The official blurb from their website says this:

Apache Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH.
We call it clientless because no plugins or client software are required.
Thanks to HTML5, once Guacamole is installed on a server, all you need to access your desktops is a web browser.

I’ve installed Guacamole a few years back to try it out and I thought it was pretty amazing. But I’m sure others are looking at it and wondering how it can be useful and why would anyone want to add it. I thought I would share my plans for our office’s use case for it.

We are an assaylab business so we use special machines at each workstation to help us do our daily work. The machines have a physical/hardware component and run using software. Rarely does the hardware fail so if there are issues it’s usually with the setup in the software.

All of our workstations that run the software for these machines are locked down from Internet access at our gateway. They are almost like dumb terminals in that they are always running and logged in with a generic account so an operator can go to any workstation and use it. This is a really quick overview of our operation so I’m skipping a lot of detail but you get the idea of our setup now.

All our workstations have VNC Server installed on them so I can remote into the office via VPN to assist. There is no access to any of these workstations from outside unless I’ve granted VPN access.

Our vendors do provide remote support via Internet but with all workstations locked down they cannot automatically remote in and assist when an operator requires help. I have provided VPN access to our vendor (and only allowed them access to the workstations they need to get too) but then our vendor needs to have a list of IP’s for each workstation. It works but is kind of messy.

This is where I see Guacamole can help. Serving up a webpage and creating a user account for our vendor I can display the workstations they can have access too. They can use VNC to look over our operators shoulder and assist. I still prefer to use VPN access as I don’t want to leave the Guacamole page opened for hackers to try and break in. But for a short period of time I suppose I could expose the Guacamole webpage to the Net for the duration of the vendor that provides support. It’s always best to be careful so VPN is very important to me and our office. :slight_smile:

If others have a use case for Guacamole they would like to share I’d like to hear it!

Thanks.


(Alessio Fattorini) #68

I have just added your post here, I think that it’s the right place.
Thanks for your thoughts I think that Guacamole is a GREAT package, sadly it’s not so straightforward installing it as rpm, as you can say above.


(Charles) #69

Thanks @alefattorini for putting my post in the right location.

I’m still getting my head around requirements with regards to adding new modules. Is there a document or would someone be able to list of me what is needed from an App before it would be considered for nethserver? It sounds like an .rpm file is a must. Anything else you look for?

Thank you.


What is needed from an app to be considered?
(Dale Cliett) #70

I’ve found .rpm for guacamole-common for Fedora. Would this be of any help for someone with the knowledge to build off of for Guacamole on NS?


(Stéphane de Labrusse) #71

you have a guacamole rpm in epel for centos7, it could be a good startting point also.


(other names Tedd77/Giorgio09) #72

I was trying to find a solution for people to access RDP sessions with zero config and no installation files.
first I solved it by implementing sslexplorer until I found out about Guacamole.

I would like to share my experience about that,
Compiling it over Centos or Ubuntu is not an issue at all, no need for Docker as there are some posts advising to do so.
The trick about guacamole is that, best to be integrated into Nextcloud rather than being exposed to the public internet.

What I did: downloaded and compiled the guacamole from source.
Then inside nextcloud I pointed to it with external site link (however I used its private ip address)
So now the guacamole and its ports 8080 and 443 are not exposed to the outside world hence no one can access it directly.

The only problem I have is solving the issue of the certificate being pointing to a private IP.


(Davide) #73

How does external site work when accessing nextcloud from outside using its FQDN? Does it just embed guacamole’s page inside nextcloud (meaning that page has to be directly reachable from the user, i.e. you still have to open tomcat port 8080 to the outside world to make it work) or does it work like a reverse proxy?

Also check this out, next release will add an http authentication header module which could be helpful when giving a user access to its desktops when that user has already been authenticated by a different service (nextcloud, authenticated reverse proxy, etc…)


Guacamole Nextcloud Nethserver Module needed
(other names Tedd77/Giorgio09) #74

@edi

Guacamole is working fine however there is a need to port forward 443
There is a way to avoid exposing the guacamole server to the public net.

I am launching a community request to develop 2 simple apps for nextcloud
one for freepbx webrtc and one for the guacamole.
@alefattorini could you please create a thread for that request ?


(Charles) #75

I agree @ghost, guacamole really needs to be added to nethserver…where did your community request to develop your two apps go? I don’t see a continuation of this thread. I hope it’s not dead. :slight_smile:

@alefattorini, that bounty that you created…I’m guessing it’s still open? I’m not a developer so sadly I can’t create the package nethserver needs…but I’m more than willing to help with testing.

How close are we to having guacamole integrated into nethserver…or is it best to just use the excellent instructions from this thread (thanks @edi and @Adam!).


(other names Tedd77/Giorgio09) #76

@greavette I hear you well.
Unfortunately my request did not get the @alefattorini attention.
I am not a developer either, however I am willing to contribute!
Just upgraded to 0.9.12 ( credits to Chase Wright https://www.chasewright.com/guacamole-upgrade/ ) and looks even nicer very bright resolution with RDP. It will be a pity to let this nice jewellery out of Nethserver.
Back to you @alefattorini


(Charles) #77

I’ll pull an @alefattorini and say…

C’mon team…let’s get this implemented into Nethserver!

But seriously…how close are we to having this module installed? From what I read there is an older version of the rpm from epel available? what if Nethserver added that older version to the Software Center and provide command line instructions on how to update it. At least that will allow people to use/try out Guacamole until such time Nethserver team decides if they want to create/maintain a more recent rpm version? Just a suggestion…


(other names Tedd77/Giorgio09) #78

@greavette @alefattorini
2 Threads created


(Jochem Van Den Anker) #79

I’m using Guacamole for a while now and I like this package. On my secondary school(where I work as system/network administrator) I use it to get some “working from home” environment. The only thing the employees must have is an html5 browser.
Now I’m working on a project with Guacamole. I want to create a solution for people who’s pc is crached and have to get back to work really soon. They can boot with pxe into a Linux environment that starts Chromium with a connection to a Guacamole server. Because it all runs from memory and not from harddisk, you can push an image to that harddisk. (video: https://www.youtube.com/watch?v=pPbTfJk0GmQ)
So I think Guacamole is a very goor product and I think it’s really good to add it to nethserver.


(Rob Bosch) #80

Hi @FMFREAK,
Great to see you here in our forums. We can surely use your experience with Guacamole and make it an integrated module for NethServer.
Can you tell us a bit more about the technical details how you managed to get things done on your project?