Fedora 28 Guacamole base install.



  • So, I finally got a base installation working. Took way too long, and I never would've made it this far without @xylems notes from https://mangolassi.it/topic/17493/errors-building-guacamole-server-on-fedora-28/39

    This will hopefully be the first of a number of guides on Guacamole, so will be the base I'll be working from in the future. As of right now I'm planning to also do guides on authentication via LDAP and databases.

    This base install isn't what I'd call secure for a number of reasons.

    1. Passwords are contained in plain text within user-mapping.xml. Authenticating with an md5 hashed password did not work for me, which is probably a good thing if you're familiar with md5. Problem is that I haven't been able to find any documentation on the current hashing method to use in user-mapping.xml.
    2. selinux is disabled. I've done some basic troubleshooting, but not been able to correct selinux to allow everything to run correctly yet. The only denials I saw in the audit.log were for ssh, so I suspect that selinux would need settings configured for every protocol you're going to use. For the time being, it's just disabled.
    3. ssh is using username/password authentication on the back end. It's recommended to use key-based authentication as normal, but that's beyond this basic walk through.
    4. No HTTPS. I'll add a note about putting this behind the Nginx proxy guide that @JaredBusch wrote: https://mangolassi.it/topic/16651/install-nginx-as-a-reverse-proxy-on-fedora-27

    This guide is written assuming you are at a root prompt. While it's possible to login to root directly in Fedora, I recommend using sudo su - or just appending sudo before every command. Makes forensics easier if someone needs to go check who was doing what after the fact.

    Let's start out by installing and configuring some system level tools, fail2ban, and automatic updates.

    dnf -y install nano glances wget dnf-automatic fail2ban
    # Configure dnf-automatic to automatically install updates instead of just downloading them.
    # Only the apply_updates setting is changed, so no other line in the file is touched.
    sed -i 's/^apply_updates *=.*/apply_updates = yes/' /etc/dnf/automatic.conf
    systemctl start dnf-automatic.timer
    systemctl start fail2ban
    systemctl enable dnf-automatic.timer
    systemctl enable fail2ban
    

    Disable selinux (sad admin)

    sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
    setenforce 0
    

    Install the guacd daemon and dependencies

    dnf -y install guacd tomcat tomcat-webapps libguac-client-rdp libguac-client-ssh libguac-client-vnc terminus-fonts terminus-fonts-console dejavu-sans-mono-fonts
    

    Open the firewall port

    firewall-cmd --permanent --add-port=8080/tcp
    firewall-cmd --reload
    

    Create the guacd configuration directory

    mkdir /etc/guacamole
    

    This config file is just an example. Be sure to customize it to your environment.

    cat > /etc/guacamole/user-mapping.xml <<EOF
    <user-mapping>
    <!-- Per-user authentication and config information -->
        <authorize username="guacamole"
            password="guacpas">
            <connection name="Drupal">
                    <protocol>ssh</protocol>
                    <param name="hostname">10.10.10.5</param>
                    <param name="port">22</param>
                    <param name="color-scheme">green-black</param>
            </connection>
        </authorize>
    </user-mapping>
    EOF
    

    Download the tomcat web server file into the default location

    cd /var/lib/tomcat/webapps
    wget https://downloads.sourceforge.net/project/guacamole/current/binary/guacamole-0.9.14.war
    mv guacamole-0.9.14.war guacamole.war
    

    Start and enable the system services

    systemctl start guacd
    systemctl start tomcat
    systemctl enable guacd
    systemctl enable tomcat
    

    Now at yourip:8080/guacamole you should see:

    [image]

    Login with the user information from user-mapping.xml and you'll get:

    [image]

    Then login with your user credentials for the remote system, and you should be running on the remote host:

    [image]



  • That note about using Guacamole behind a reverse proxy. You need to add proxy_buffering off within the location / section of the conf file. Guacamole streams the console/vnc/rdp session live, and trying to buffer the stream will cause problems.

    Example from my home lab:

     server {
             client_max_body_size 40M;
             listen 443 ssl;
             server_name guacamole.travisdh1.net;
             # "ssl on;" removed: deprecated and redundant with "listen 443 ssl"
             ssl_certificate /etc/ssl/travisdh1.net.pem;
             ssl_certificate_key /etc/ssl/travisdh1.net.key;
             ssl_stapling_verify on;
             # TLSv1 and TLSv1.1 removed: both are deprecated (RFC 8996)
             ssl_protocols TLSv1.2;
             ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
             ssl_prefer_server_ciphers       on;
             ssl_session_cache shared:SSL:10m;
             add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
     
             location / {
                     proxy_set_header X-Real-IP $remote_addr;
                     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                     proxy_set_header Host $http_host;
                     proxy_set_header Connection $http_connection;
                     proxy_http_version 1.1;
                     proxy_pass http://10.10.10.2:8080;
                     proxy_redirect off;
                     access_log off;
                     proxy_buffering off;
             }
     }
     
     server {
             client_max_body_size 40M;
             listen 80;
             server_name guacamole.travisdh1.net;
             rewrite ^ https://guacamole.travisdh1.net$request_uri? permanent;
     }


  • @travisdh1 said in Fedora 28 Guacamole base install.:

    selinux is disabled. I've done some basic troubleshooting, but not been able to correct selinux to allow everything to run correctly yet. The only denials I saw in the audit.log were for ssh, so I suspect that selinux would need settings configured for every protocol you're going to use. For the time being, it's just disabled.

    Does it not work in permissive mode instead? At least with permissive, we can still check the logs for denials.



  • This application seems like more trouble than it's worth.



  • @black3dynamite said in Fedora 28 Guacamole base install.:

    @travisdh1 said in Fedora 28 Guacamole base install.:

    selinux is disabled. I've done some basic troubleshooting, but not been able to correct selinux to allow everything to run correctly yet. The only denials I saw in the audit.log were for ssh, so I suspect that selinux would need settings configured for every protocol you're going to use. For the time being, it's just disabled.

    Does it not work in permissive mode instead? At least with permissive, we can still check the logs for denials.

    I tried it in permissive for just that reason. It wasn't working, obviously. It looked like it was going to be a specific setting for every protocol, so I can't debug it properly yet 😞
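
The denial-checking approach discussed in this exchange, as an added example that is not part of the thread or any poster's code: it summarises AVC denials from audit.log-format input so each blocked action shows up once with a count. The sample log lines, including the `guacd_t` domain name, are constructed for illustration.

```bash
#!/bin/sh
# Added example: count SELinux AVC denials per (process, source domain,
# target type, object class, permissions).
# On a real host: summarise_avc /var/log/audit/audit.log

# Constructed sample in audit.log AVC format; the guacd_t domain name and all
# values are illustrative, not taken from the thread.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1532900000.101:411): avc:  denied  { name_connect } for  pid=2210 comm="guacd" dest=22 scontext=system_u:system_r:guacd_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket permissive=1
type=USER_AUTH msg=audit(1532900001.000:412): pid=2300 uid=0 auid=1000 msg='op=PAM:authentication acct="admin" res=success'
type=AVC msg=audit(1532900044.250:419): avc:  denied  { name_connect } for  pid=2214 comm="guacd" dest=22 scontext=system_u:system_r:guacd_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1532900090.007:425): avc:  denied  { read open } for  pid=2231 comm="guacd" name="known_hosts" scontext=system_u:system_r:guacd_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1532900120.512:431): avc:  denied  { name_connect } for  pid=2240 comm="guacd" dest=5901 scontext=system_u:system_r:guacd_t:s0 tcontext=system_u:object_r:vnc_port_t:s0 tclass=tcp_socket permissive=1
EOF
}

# Reads audit records from the named files (or stdin) and prints
# "count comm source_type target_type tclass perms", most frequent first.
summarise_avc() {
  awk '
    # Return the value of a key=value token on the current record, or "-".
    function field(name,   i) {
      for (i = 1; i <= NF; i++)
        if (index($i, name "=") == 1) return substr($i, length(name) + 2)
      return "-"
    }
    /avc:/ && /denied/ {
      # Permissions are the words between the braces.
      perms = $0
      sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
      gsub(/ /, ",", perms)
      comm = field("comm"); gsub(/"/, "", comm)
      # SELinux contexts are user:role:type:level; the type is field 3.
      split(field("scontext"), s, ":"); split(field("tcontext"), t, ":")
      n[comm " " s[3] " " t[3] " " field("tclass") " " perms]++
    }
    END { for (k in n) print n[k], k }
  ' "$@" | sort -k1,1nr -k2
}

# Distinct target types that were denied, one per line.
denied_target_types() {
  summarise_avc "$@" | awk '{ print $4 }' | sort -u
}

# Summarise the files given as arguments, or the constructed sample if none.
if [ "$#" -gt 0 ]; then summarise_avc "$@"; else sample_audit_log | summarise_avc; fi
```

Each distinct output line is one access that a local policy module (for example one drafted with audit2allow) would have to allow before the host could go back to enforcing.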



  • @stacksofplates said in Fedora 28 Guacamole base install.:

    This application seems like more trouble than it's worth.

    I actually agree with you. Which is part of the reason I started down the road of doing a whole series of tutorials for it. I had found no good guides online, and it's the only open-source tool I know of that enables all of its functionality.



  • @travisdh1 said in Fedora 28 Guacamole base install.:

    @stacksofplates said in Fedora 28 Guacamole base install.:

    This application seems like more trouble than it's worth.

    I actually agree with you. Which is part of the reason I started down the road of doing a whole series of tutorials for it. I had found no good guides online, and it's the only open-source tool I know of that enables all of its functionality.

    I just don't see the value to it. I'd rather type the extra couple characters and make a tunnel for RDP/SSH/VNC. Or just script it.



  • @stacksofplates said in Fedora 28 Guacamole base install.:

    @travisdh1 said in Fedora 28 Guacamole base install.:

    @stacksofplates said in Fedora 28 Guacamole base install.:

    This application seems like more trouble than it's worth.

    I actually agree with you. Which is part of the reason I started down the road of doing a whole series of tutorials for it. I had found no good guides online, and it's the only open-source tool I know of that enables all of its functionality.

    I just don't see the value to it. I'd rather type the extra couple characters and make a tunnel for RDP/SSH/VNC. Or just script it.

    Hrm, thanks for the reminder. I need to add viewing the session recordings to my list of tutorials to do. Welcome to how my brain works 😛

    The big value add is for end users more than IT I think. It's a really easy way to get a secured connection to many different systems remotely once it's configured correctly.



  • @travisdh1 said in Fedora 28 Guacamole base install.:

    @stacksofplates said in Fedora 28 Guacamole base install.:

    @travisdh1 said in Fedora 28 Guacamole base install.:

    @stacksofplates said in Fedora 28 Guacamole base install.:

    This application seems like more trouble than it's worth.

    I actually agree with you. Which is part of the reason I started down the road of doing a whole series of tutorials for it. I had found no good guides online, and it's the only open-source tool I know of that enables all of its functionality.

    I just don't see the value to it. I'd rather type the extra couple characters and make a tunnel for RDP/SSH/VNC. Or just script it.

    Hrm, thanks for the reminder. I need to add viewing the session recordings to my list of tutorials to do. Welcome to how my brain works 😛

    The big value add is for end users more than IT I think. It's a really easy way to get a secured connection to many different systems remotely once it's configured correctly.

    Yeah that makes more sense. However after looking at all of the work it takes to deploy this, I'd rather deploy a full SD-WAN solution. And just let people connect normally. But I can see the attraction if it works properly.



  • @stacksofplates said in Fedora 28 Guacamole base install.:

    @travisdh1 said in Fedora 28 Guacamole base install.:

    @stacksofplates said in Fedora 28 Guacamole base install.:

    @travisdh1 said in Fedora 28 Guacamole base install.:

    @stacksofplates said in Fedora 28 Guacamole base install.:

    This application seems like more trouble than it's worth.

    I actually agree with you. Which is part of the reason I started down the road of doing a whole series of tutorials for it. I had found no good guides online, and it's the only open-source tool I know of that enables all of its functionality.

    I just don't see the value to it. I'd rather type the extra couple characters and make a tunnel for RDP/SSH/VNC. Or just script it.

    Hrm, thanks for the reminder. I need to add viewing the session recordings to my list of tutorials to do. Welcome to how my brain works 😛

    The big value add is for end users more than IT I think. It's a really easy way to get a secured connection to many different systems remotely once it's configured correctly.

    Yeah that makes more sense. However after looking at all of the work it takes to deploy this, I'd rather deploy a full SD-WAN solution. And just let people connect normally. But I can see the attraction if it works properly.

    Getting it working properly should be easy once someone does it once, and gets it ******** publicly documents. Also, you're welcome in advance 😉



  • I found the font a bit wonky, and also found the fix for it here. I'll add them in my original post here in a minute.

    dnf -y install terminus-fonts terminus-fonts-console dejavu-sans-mono-fonts
    

    Also, yes, I started working on the LDAP integration today.



  • This is my first time looking at Guacamole.

    I just want a simple way of remote desktoping to a Linux PC, from another Windows or Linux PC.

    Is Guacamole Base/Server/Client (what's the difference?) the type of thing I would install on a simple Linux PC for that purpose?

    Should I just use TeamViewer instead?



  • @scottalanmiller said in What Are You Doing Right Now:

    @wirestyle22 said in What Are You Doing Right Now:

    As expected, Guacamole doesn't like Deepin but this was my first test.

    Guacamole should be installed on a server. Deepin is a desktop client, not really designed for server use. As a client, it should work fine.

    This answers my above question.

    TeamViewer it is.


  • @obsolesce said in Fedora 28 Guacamole base install.:

    This is my first time looking at Guacamole.

    I just want a simple way of remote desktoping to a Linux PC, from another Windows or Linux PC.

    Is Guacamole Base/Server/Client (what's the difference?) the type of thing I would install on a simple Linux PC for that purpose?

    Should I just use TeamViewer instead?

    There is an in between. Guacamole is for building a remote access gateway infrastructure. You can get products that just do an HTML desktop of the local machine. That sounds more like what you'd want.


  • @obsolesce said in Fedora 28 Guacamole base install.:

    @scottalanmiller said in What Are You Doing Right Now:

    @wirestyle22 said in What Are You Doing Right Now:

    As expected, Guacamole doesn't like Deepin but this was my first test.

    Guacamole should be installed on a server. Deepin is a desktop client, not really designed for server use. As a client, it should work fine.

    This answers my above question.

    TeamViewer it is.

    Check out NoVNC.



  • @obsolesce said in Fedora 28 Guacamole base install.:

    This is my first time looking at Guacamole.

    I just want a simple way of remote desktoping to a Linux PC, from another Windows or Linux PC.

    Is Guacamole Base/Server/Client (what's the difference?) the type of thing I would install on a simple Linux PC for that purpose?

    Should I just use TeamViewer instead?

    NoMachine is another option.



  • @travisdh1 From what I've heard, Guacamole on Fedora is pretty unstable. How has this been running for you?



  • @wirestyle22 said in Fedora 28 Guacamole base install.:

    @travisdh1 From what I've heard, Guacamole on Fedora is pretty unstable. How has this been running for you?

    @travisdh1 Yeah, I want to know too 🙂



  • @wirestyle22 said in Fedora 28 Guacamole base install.:

    @travisdh1 From what I've heard, Guacamole on Fedora is pretty unstable. How has this been running for you?

    The base install here using the user-mappings.xml for everything has been working great. I only have it pointing to two different things on the back end. It was still up and running when I checked it just now tho.

    The thing with Guacamole right now is that the documentation is just..... crap. It says different options are available in the user-mappings.xml which always break things.

    dnf-automatic is running. I'll try rebooting it tonight and see if it comes back up correctly.


  • @travisdh1 said in Fedora 28 Guacamole base install.:

    The thing with Guacamole right now is that the documentation is just..... crap. It says different options are available in the user-mappings.xml which always break things.

    That's the base problem with Fedora installs, I think. Not that it isn't stable, but that it's not documented properly.



  • @scottalanmiller said in Fedora 28 Guacamole base install.:

    @travisdh1 said in Fedora 28 Guacamole base install.:

    The thing with Guacamole right now is that the documentation is just..... crap. It says different options are available in the user-mappings.xml which always break things.

    That's the base problem with Fedora installs, I think. Not that it isn't stable, but that it's not documented properly.

    I'd be very surprised if it acted any differently on any platform. One of the big reasons I decided to do a guide on it is how it just breaks when using many of the supposed options. Not that I really expect great documentation for anything before v1 is out, but at least take down known broken stuff!



  • @travisdh1 said in Fedora 28 Guacamole base install.:

    @scottalanmiller said in Fedora 28 Guacamole base install.:

    @travisdh1 said in Fedora 28 Guacamole base install.:

    The thing with Guacamole right now is that the documentation is just..... crap. It says different options are available in the user-mappings.xml which always break things.

    That's the base problem with Fedora installs, I think. Not that it isn't stable, but that it's not documented properly.

    I'd be very surprised if it acted any differently on any platform. One of the big reasons I decided to do a guide on it is how it just breaks when using many of the supposed options. Not that I really expect great documentation for anything before v1 is out, but at least take down known broken stuff!

    Besides incomplete or bad documentation, what is specifically unstable about it on Fedora or other distros?



  • @black3dynamite said in Fedora 28 Guacamole base install.:

    @travisdh1 said in Fedora 28 Guacamole base install.:

    @scottalanmiller said in Fedora 28 Guacamole base install.:

    @travisdh1 said in Fedora 28 Guacamole base install.:

    The thing with Guacamole right now is that the documentation is just..... crap. It says different options are available in the user-mappings.xml which always break things.

    That's the base problem with Fedora installs, I think. Not that it isn't stable, but that it's not documented properly.

    I'd be very surprised if it acted any differently on any platform. One of the big reasons I decided to do a guide on it is how it just breaks when using many of the supposed options. Not that I really expect great documentation for anything before v1 is out, but at least take down known broken stuff!

    Besides incomplete or bad documentation, what is specifically unstable about it on Fedora or other distros?

    For me so far, nothing.



  • Huh, it is unstable. That really sucks.

    [image]



  • @travisdh1 said in Fedora 28 Guacamole base install.:

    Huh, it is unstable. That really sucks.

    [image]

    With SELinux set to permissive or disabled?



  • @black3dynamite said in Fedora 28 Guacamole base install.:

    @travisdh1 said in Fedora 28 Guacamole base install.:

    Huh, it is unstable. That really sucks.

    [image]

    With SELinux set to permissive or disabled?

    Disabled 😞



  • @travisdh1 said in Fedora 28 Guacamole base install.:

    Disable selinux (sad admin)

    sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
    setenforce 0
    

    [image]



  • I see no value in Guacamole, personally. No Machine is a much better option.


  • @irj said in Fedora 28 Guacamole base install.:

    I see no value in Guacamole, personally. No Machine is a much better option.

    Doesn't deal with the web interface. NX requires a client. Guacamole is as much a front end to NX as it is to any other protocol.



  • @scottalanmiller said in Fedora 28 Guacamole base install.:

    @irj said in Fedora 28 Guacamole base install.:

    I see no value in Guacamole, personally. No Machine is a much better option.

    Doesn't deal with the web interface. NX requires a client. Guacamole is as much a front end to NX as it is to any other protocol.

    I wonder how often you really need people with no technical expertise to connect remotely to a linux machine?