Skip to content

Configuring Guacamole

Introduction

Where we left off, we had a fairly barebones web interface that’s not really doing a whole lot.

Let’s change that.

Setting the admin password

Well first off, guacadmin/guacadmin isn’t a very secure login. Change it to something more appropriate under preferences.

Creating a remote connection

At the core of guacamole, we need to be able to connect directly to servers to administrate them. Well, why not the docker host guacamole is running on? Head to Settings→Connections→New Connection

Info

Most distributions disable login via ssh for root (with a password). Either create a dedicated remote user (recommended) or allow root with ssh passwords (not recommended). You can alternatively hard-code a private key into the connection settings, but that also carries some security risk.

  • In the new connection, set the name of the connection, the protocol, and the IP of the docker host. There are many more knobs to tweak, but for now we’ll leave most options at their defaults.

  • Test the connection out!

Cool, we’re monitoring the guacamole container in guacamole via ssh. A bit of inception vibes, but still cool!

RDP Connection

Alright, let’s try this again with RDP. We have a handy dandy server 2022 box setup for this purpose.

Again there are a lot of settings we can pursue, but most can be left at default. At minimum I suggest enabling ClearType:

And with that done, let’s test!

Woohoo! One of the coolest features about Guacamole is also the ability to seamlessly switch between multiple servers. Heck, you can even tile them and work on multiple servers simultaneously:

Multi-factor Authentication

One of the big selling points for setting all this up is enabling multi-factor authentication for administrative access. Aside from being a mandatory requirement for many businesses, now that we’re in the browser it’s quite trivial.

The normal recommendation would be to set up SSO (see my keycloak guide here) and enable SSO. In fact, we will be doing that in the very next article. However, Guacamole also has a built in capability for multi-factor. Let’s demonstrate that now.

  • First we need to install a plugin. For 1.4.0 you can find the plugins here. The one we care about is the one for TOTP

  • Download/extract the TOTP plugin and place guacamole-auth-totp-1.4.0.jar in <your container volumes>/guacamole/container-data/extensions. Restart guacamole

  • Next time you log in, you should automatically be prompted to enroll a TOTP token (present in most authenticators, like microsoft authenticator or bitwarden) to enable MFA!

Moving On

There’s a lot of features within guacamole that we haven’t touched on, but the core functionality is now present and ready to use. However, for a business installation we probably aren’t going to be using local accounts at all. Let’s cover that next with Guacamole SSO Integration.