Fedora 28 Guacamole base install.
-
So, I finally got a base installation working. Took way too long, and I never would've made it this far without @xylem's notes from https://mangolassi.it/topic/17493/errors-building-guacamole-server-on-fedora-28/39
This will hopefully be the first of a number of guides on Guacamole, so will be the base I'll be working from in the future. As of right now I'm planning to also do guides on authentication via LDAP and databases.
This base install isn't what I'd call secure for a number of reasons.
- Passwords are contained in plain text within user-mapping.xml. Authenticating with an md5 hashed password did not work for me, which is probably a good thing if you're familiar with md5. Problem is that I haven't been able to find any documentation on the current hashing method to use in user-mapping.xml.
- selinux is disabled. I've done some basic troubleshooting, but not been able to correct selinux to allow everything to run correctly yet. The only denials I saw in the audit.log were for ssh, so I suspect that selinux would need settings configured for every protocol you're going to use. For the time being, it's just disabled.
- ssh is using username/password authentication on the back end. It's recommended to use key-based authentication as normal, but that's beyond this basic walk through.
- No HTTPS. I'll add a note about putting this behind the Nginx proxy guide that @JaredBusch wrote: https://mangolassi.it/topic/16651/install-nginx-as-a-reverse-proxy-on-fedora-27
This guide is written assuming you are at a root prompt. While it's possible to login to root directly in Fedora, I recommend using `sudo su -` or just appending `sudo` before every command. Makes forensics easier if someone needs to go check who was doing what after the fact.

Let's start out by installing and configuring some system level tools, fail2ban, and automatic updates.
```bash
dnf -y install nano glances wget dnf-automatic fail2ban
# Configure dnf-automatic to automatically install updates instead of just downloading them
# (this flips apply_updates = no to yes, but it also rewrites the first "no" on every line, so check the result)
sed -i 's/no/yes/' /etc/dnf/automatic.conf
systemctl start dnf-automatic.timer
systemctl start fail2ban
systemctl enable dnf-automatic.timer
systemctl enable fail2ban
```
Disable selinux (sad admin)
```bash
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
setenforce 0
```
Install the guacd daemon and dependencies
```bash
dnf -y install guacd tomcat tomcat-webapps libguac-client-rdp libguac-client-ssh libguac-client-vnc terminus-fonts terminus-fonts-console dejavu-sans-mono-fonts
```
Open the firewall port
```bash
firewall-cmd --permanent --add-port=8080/tcp
firewall-cmd --reload
```
Create the guacd configuration directory
```bash
mkdir /etc/guacamole
```
This config file is just an example. Be sure to customize it to your environment.
```bash
cat > /etc/guacamole/user-mapping.xml <<EOF
<user-mapping>
    <!-- Per-user authentication and config information -->
    <authorize username="guacamole" password="guacpas">
        <connection name="Drupal">
            <protocol>ssh</protocol>
            <param name="hostname">10.10.10.5</param>
            <param name="port">22</param>
            <param name="color-scheme">green-black</param>
        </connection>
    </authorize>
</user-mapping>
EOF
```
Download the tomcat web server file into the default location
```bash
cd /var/lib/tomcat/webapps
wget https://downloads.sourceforge.net/project/guacamole/current/binary/guacamole-0.9.14.war
mv guacamole-0.9.14.war guacamole.war
```
Start and enable the system services
```bash
systemctl start guacd
systemctl start tomcat
systemctl enable guacd
systemctl enable tomcat
```
Now at yourip:8080/guacamole you should see:
Login with the user information from user-mapping.xml and you'll get:
Then login with your user credentials for the remote system, and you should be running on the remote host:
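The user-mapping.xml step above stores the password in plain text. As an added example that is not part of the original post, this bash script hashes a password into the lowercase hex that the Guacamole manual's `encoding="md5"` attribute for user-mapping.xml expects, counts `<authorize>` entries that still hold a plaintext password, and flags a mapping file that every local user can read; the sample file it writes is constructed, not the live /etc/guacamole/user-mapping.xml.

```shell
#!/bin/bash
# Added example, not from the original post. Helpers for the user-mapping.xml
# step: hash a password for the manual's encoding="md5" form, count entries
# still holding plaintext, and flag a mapping file every local user can read.

# Lowercase hex MD5 of a password; printf avoids hashing a trailing newline.
md5_hex() {
  printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# One <authorize> opening tag carrying the hash instead of the password.
authorize_md5() {
  printf '<authorize username="%s" password="%s" encoding="md5">\n' \
    "$1" "$(md5_hex "$2")"
}

# Number of <authorize> tags that have a password attribute but no encoding
# attribute, i.e. plaintext credentials (0 when the file is clean).
plaintext_count() {
  grep -E '<authorize[^>]*password=' "$1" | grep -vc 'encoding=' || true
}

# Exit status 0 when "others" can read the file. Only the tomcat service
# user needs read access, so chmod 640 and chown it to that user.
world_readable() {
  case "$(stat -c '%A' "$1")" in
    ???????r*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Demo on a constructed copy of the post's example, not the live file.
demo() {
  local f
  f=$(mktemp)
  cat > "$f" <<'EOF'
<user-mapping>
  <authorize username="guacamole" password="guacpas">
    <connection name="Drupal"><protocol>ssh</protocol></connection>
  </authorize>
</user-mapping>
EOF
  chmod 644 "$f"
  echo "plaintext entries in $f: $(plaintext_count "$f")"
  world_readable "$f" && echo "WARNING: $f is world-readable"
  echo "hashed replacement: $(authorize_md5 guacamole guacpas)"
  rm -f "$f"
}
demo
```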
-
That note about using Guacamole behind a reverse proxy. You need to add `proxy_buffering off` within the `location /` section of the conf file. Guacamole streams the console/vnc/rdp session live, and trying to buffer the stream will cause problems.

Example from my home lab:
```nginx
server {
    client_max_body_size 40M;
    listen 443 ssl;
    server_name guacamole.travisdh1.net;
    ssl on;
    ssl_certificate /etc/ssl/travisdh1.net.pem;
    ssl_certificate_key /etc/ssl/travisdh1.net.key;
    ssl_stapling_verify on;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header Connection $http_connection;
        proxy_http_version 1.1;
        proxy_pass http://10.10.10.2:8080;
        proxy_redirect off;
        access_log off;
        proxy_buffering off;
    }
}

server {
    client_max_body_size 40M;
    listen 80;
    server_name guacamole.travisdh1.net;
    rewrite ^ https://guacamole.travisdh1.net$request_uri? permanent;
}
```
-
@travisdh1 said in Fedora 28 Guacamole base install.:
selinux is disabled. I've done some basic troubleshooting, but not been able to correct selinux to allow everything to run correctly yet. The only denials I saw in the audit.log were for ssh, so I suspect that selinux would need settings configured for every protocol you're going to use. For the time being, it's just disabled.
Does it not work in permissive mode instead? At least with permissive, we can still check the logs for denials.
-
This application seems like more trouble than it's worth.
-
@black3dynamite said in Fedora 28 Guacamole base install.:
@travisdh1 said in Fedora 28 Guacamole base install.:
selinux is disabled. I've done some basic troubleshooting, but not been able to correct selinux to allow everything to run correctly yet. The only denials I saw in the audit.log were for ssh, so I suspect that selinux would need settings configured for every protocol you're going to use. For the time being, it's just disabled.
Does it not work in permissive mode instead? At least with permissive, we can still check the logs for denials.
I tried it in permissive for just that reason. It wasn't working, obviously. It looked like it was going to be a specific setting for every protocol, so I can't debug it properly yet
-
@stacksofplates said in Fedora 28 Guacamole base install.:
This application seems like more trouble than it's worth.
I actually agree with you. Which is part of the reason I started down the road of doing a whole series of tutorials for it. I had found no good guides online, and it's the only open-source tool I know of that enables all of its functionality.
-
@travisdh1 said in Fedora 28 Guacamole base install.:
@stacksofplates said in Fedora 28 Guacamole base install.:
This application seems like more trouble than it's worth.
I actually agree with you. Which is part of the reason I started down the road of doing a whole series of tutorials for it. I had found no good guides online, and it's the only open-source tool I know of that enables all of its functionality.
I just don't see the value to it. I'd rather type the extra couple characters and make a tunnel for RDP/SSH/VNC. Or just script it.
-
@stacksofplates said in Fedora 28 Guacamole base install.:
@travisdh1 said in Fedora 28 Guacamole base install.:
@stacksofplates said in Fedora 28 Guacamole base install.:
This application seems like more trouble than it's worth.
I actually agree with you. Which is part of the reason I started down the road of doing a whole series of tutorials for it. I had found no good guides online, and it's the only open-source tool I know of that enables all of its functionality.
I just don't see the value to it. I'd rather type the extra couple characters and make a tunnel for RDP/SSH/VNC. Or just script it.
Hrm, thanks for the reminder. I need to add viewing the session recordings to my list of tutorials to do. Welcome to how my brain works
The big value add is for end users more than IT I think. It's a really easy way to get a secured connection to many different systems remotely once it's configured correctly.
-
@travisdh1 said in Fedora 28 Guacamole base install.:
@stacksofplates said in Fedora 28 Guacamole base install.:
@travisdh1 said in Fedora 28 Guacamole base install.:
@stacksofplates said in Fedora 28 Guacamole base install.:
This application seems like more trouble than it's worth.
I actually agree with you. Which is part of the reason I started down the road of doing a whole series of tutorials for it. I had found no good guides online, and it's the only open-source tool I know of that enables all of its functionality.
I just don't see the value to it. I'd rather type the extra couple characters and make a tunnel for RDP/SSH/VNC. Or just script it.
Hrm, thanks for the reminder. I need to add viewing the session recordings to my list of tutorials to do. Welcome to how my brain works
The big value add is for end users more than IT I think. It's a really easy way to get a secured connection to many different systems remotely once it's configured correctly.
Yeah that makes more sense. However after looking at all of the work it takes to deploy this, I'd rather deploy a full SD-WAN solution. And just let people connect normally. But I can see the attraction if it works properly.
-
@stacksofplates said in Fedora 28 Guacamole base install.:
@travisdh1 said in Fedora 28 Guacamole base install.:
@stacksofplates said in Fedora 28 Guacamole base install.:
@travisdh1 said in Fedora 28 Guacamole base install.:
@stacksofplates said in Fedora 28 Guacamole base install.:
This application seems like more trouble than it's worth.
I actually agree with you. Which is part of the reason I started down the road of doing a whole series of tutorials for it. I had found no good guides online, and it's the only open-source tool I know of that enables all of its functionality.
I just don't see the value to it. I'd rather type the extra couple characters and make a tunnel for RDP/SSH/VNC. Or just script it.
Hrm, thanks for the reminder. I need to add viewing the session recordings to my list of tutorials to do. Welcome to how my brain works
The big value add is for end users more than IT I think. It's a really easy way to get a secured connection to many different systems remotely once it's configured correctly.
Yeah that makes more sense. However after looking at all of the work it takes to deploy this, I'd rather deploy a full SD-WAN solution. And just let people connect normally. But I can see the attraction if it works properly.
Getting it working properly should be easy once someone does it once, and gets it ******** publicly documented. Also, you're welcome in advance
-
I found the font a bit wonky, and also found the fix for it here. I'll add them in my original post here in a minute.
```bash
dnf -y install terminus-fonts terminus-fonts-console dejavu-sans-mono-fonts
```
Also, yes, I started working on the LDAP integration today.
-
This is my first time looking at Guacamole.
I just want a simple way of remote desktoping to a Linux PC, from another Windows or Linux PC.
Is Guacamole Base/Server/Client (what's the difference?) the type of thing I would install on a simple Linux PC for that purpose?
Should I just use TeamViewer instead?
-
@scottalanmiller said in What Are You Doing Right Now:
@wirestyle22 said in What Are You Doing Right Now:
As expected, Guacamole doesn't like Deepin but this was my first test.
Guacamole should be installed on a server. Deepin is a desktop client, not really designed for server use. As a client, it should work fine.
This answers my above question.
TeamViewer it is.
-
@obsolesce said in Fedora 28 Guacamole base install.:
This is my first time looking at Guacamole.
I just want a simple way of remote desktoping to a Linux PC, from another Windows or Linux PC.
Is Guacamole Base/Server/Client (what's the difference?) the type of thing I would install on a simple Linux PC for that purpose?
Should I just use TeamViewer instead?
There is an in between. Guacamole is for building a remote access gateway infrastructure. You can get products that just do an HTML desktop of the local machine. That sounds more like what you'd want.
-
@obsolesce said in Fedora 28 Guacamole base install.:
@scottalanmiller said in What Are You Doing Right Now:
@wirestyle22 said in What Are You Doing Right Now:
As expected, Guacamole doesn't like Deepin but this was my first test.
Guacamole should be installed on a server. Deepin is a desktop client, not really designed for server use. As a client, it should work fine.
This answers my above question.
TeamViewer it is.
-
@obsolesce said in Fedora 28 Guacamole base install.:
This is my first time looking at Guacamole.
I just want a simple way of remote desktoping to a Linux PC, from another Windows or Linux PC.
Is Guacamole Base/Server/Client (what's the difference?) the type of thing I would install on a simple Linux PC for that purpose?
Should I just use TeamViewer instead?
NoMachine is another option.
-
@travisdh1 From what I've heard, Guacamole on Fedora is pretty unstable. How has this been running for you?
-
@wirestyle22 said in Fedora 28 Guacamole base install.:
@travisdh1 From what I've heard, Guacamole on Fedora is pretty unstable. How has this been running for you?
@travisdh1 Yeah, I want to know too
-
@wirestyle22 said in Fedora 28 Guacamole base install.:
@travisdh1 From what I've heard, Guacamole on Fedora is pretty unstable. How has this been running for you?
The base install here using the user-mappings.xml for everything has been working great. I only have it pointing to two different things on the back end. It was still up and running when I checked it just now tho.
The thing with Guacamole right now is that the documentation is just..... crap. It says different options are available in the user-mappings.xml which always break things.
dnf-automatic is running. I'll try rebooting it tonight and see if it comes back up correctly.
-
@travisdh1 said in Fedora 28 Guacamole base install.:
The thing with Guacamole right now is that the documentation is just..... crap. It says different options are available in the user-mappings.xml which always break things.
That's the base problem with Fedora installs, I think. Not that it isn't stable, but that it's not documented properly.