This project is an authentication plugin for Guacamole, an HTML5-based remote desktop (RDP) gateway. The plugin lets you create URLs for connecting to your Guacamole server that pass user credential and RDP host variables, so you can pre-authenticate with Guacamole and connect directly to RDP sessions.
This is made possible using a pre-shared key and a checksum variable with an expiring timestamp passed in the URL to perform a passive handshake with your Guacamole server.
This plugin is ideally suited for environments that require dynamic access to RDP sessions and where your RDP host and credential information is stored in your own database.
This plugin has been implemented in a training center to support 1,000+ dynamically reserved RDP sessions for a hands-on lab environment that is powered by a homegrown MySQL database that manages the reservations.
This project is a forked version of the guacamole-auth-hmac project by Stephen Sugden (github.com/grncdr/guacamole-auth-hmac).
This fork includes the packaged .jar extension for Guacamole 0.8.3 and a PHP function that you can integrate into your existing web application for dynamically generating URLs with connection parameter variables (from your own database) to directly connect to RDP sessions via Guacamole RDP Gateway.
These instructions assume that you are using Ubuntu 12.04, herein referred to as `guac-server`.
- Official Documentation can be found in the Guacamole Manual
- Jefferson Martin wrote step-by-step instructions for installation on Ubuntu 12.04 LTS
- SFTP to `guac-server` and navigate to `/var/lib/guacamole/classpath/`.
- Upload the `guacamole-auth-hmac-1.0-SNAPSHOT.jar` file to this directory.
- Change the permissions of the `.jar` file to 777 (rwx-rwx-rwx).
- SSH to `guac-server` and navigate to `/etc/guacamole`.
- Edit the guacamole.properties file using `nano guacamole.properties`. You can use `vi` if you prefer.
- Comment out the `auth-provider` and `user-mapping` lines using a `#`.
- Add three new lines with the following syntax (replace {your-key} with your secret passphrase):

  ```
  auth-provider: com.stephensugden.guacamole.net.hmac.HmacAuthenticationProvider
  secret-key: {your-key}
  timestamp-age-limit: 600000
  ```

- Press `Ctrl+X` and `Y` to save your changes and exit.
- Do not close your SSH session yet.
- Restart the tomcat6 and guacd services using the following commands:

  ```
  service tomcat6 restart
  service guacd restart
  ```

- If for any reason you receive error messages and the services did not restart, you can try:

  ```
  /etc/init.d/tomcat6 restart
  /etc/init.d/guacd restart
  ```

- Copy the `/www/` directory to a `{path}` of your choosing inside of your local machine's Apache directory.
- Open `guacamole_url_example.php` in your favorite text editor.
- Follow the directions in the comments and change the variables to match an RDP client in your environment.
- Open your browser and navigate to `http://localhost/{path}/www/guacamole_url_example.php`
- Copy the outputted URL string and paste it into a new browser tab.
- If all went well, you should be able to see the login screen for Windows. If you received an error message, see the Troubleshooting section below.
- Unauthorized - Your security passphrase was not able to validate. Verify that you spelled it the same in the `generate_url_example.php` page as well as the `guacamole.properties` file. This error can also occur if you did not configure your auth-provider properly in the `guacamole.properties` file.
- Unknown Error - There was an error with the Guacamole server, likely due to version incompatibility. If you upgraded from a previous Guacamole version or are using a version earlier than 0.8.3 you will need to perform a fresh installation.
- Server Error - There is a networking issue and the Guacamole server cannot reach your RDP client. Verify your network IP address and subnet configuration on both your Guacamole server and RDP client.
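
The Unauthorized case above follows from how a signed, expiring URL is checked. The following Python model of that handshake is an added example, not code from this project or from the original plugin: it signs the query parameters with the pre-shared key, then verifies the signature and the timestamp age on the receiving side. The function names, the parameter names, the use of HMAC-SHA256 with a hex signature and the message layout are all assumptions made for illustration; the plugin defines its own format.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

# Constructed values; real ones come from guacamole.properties.
SECRET_KEY = b"example-passphrase"   # secret-key
AGE_LIMIT_MS = 600000                # timestamp-age-limit (10 minutes)


def _signature(secret, params):
    # ASSUMPTION: HMAC-SHA256 over the sorted, URL-encoded parameters.
    # The plugin defines its own message layout and hash.
    message = urlencode(sorted(params.items())).encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def sign_query(secret, params, now_ms=None):
    """Web application side: append timestamp and signature."""
    signed = dict(params)
    signed["timestamp"] = str(int(time.time() * 1000) if now_ms is None else now_ms)
    signed["signature"] = _signature(secret, signed)
    return urlencode(signed)


def verify_query(secret, query, now_ms=None, age_limit_ms=AGE_LIMIT_MS):
    """Server side: return (accepted, reason) for a received query string."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    received = params.pop("signature", "")
    expected = _signature(secret, params)
    # Constant-time comparison so timing does not reveal a partial match.
    if not hmac.compare_digest(received.encode(), expected.encode()):
        return False, "bad signature"
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    try:
        age = now_ms - int(params["timestamp"])
    except (KeyError, ValueError):
        return False, "bad timestamp"
    # Reject stale links and timestamps that lie in the future.
    if age < 0 or age > age_limit_ms:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed connection parameters (documentation address range).
    url_query = sign_query(SECRET_KEY, {"hostname": "192.0.2.10", "username": "student1"})
    print(url_query, verify_query(SECRET_KEY, url_query))
```

The signature only proves that the parameters were not altered and are recent; the values themselves, credentials included, remain readable in the URL.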
You can use the syntax example in generate_url_example.php to perform URL generation from your PHP application. A MySQL query example is included (commented out) for your convenience as well. Be sure to include the `includes/guacamole.php` file which has the `guacamole_url()` function.
For the source of the guacamole-auth-hmac project and documentation for all of the parameters, please see the original (non-forked) project readme at https://github.com/grncdr/guacamole-auth-hmac.
MIT License