Apache Guacamole 0.9.11-incubating

Apache Guacamole is split into two subprojects: "guacamole-client", the HTML5 web application which serves the Guacamole client to users, and "guacamole-server", the remote desktop proxy which the web application communicates with. The source code for each of these may be downloaded below.

If you do not wish to build Apache Guacamole entirely from source, pre-built versions of the web application (.war) and all extensions are provided here in binary form for convenience. Please note that guacamole-server must still be built and installed from source.

Release notes

The 0.9.11-incubating release features support for two-factor authentication, password policies (complexity rules, preventing password reuse, etc.), and the ability to use the Docker images with arbitrary Guacamole extensions, not just MySQL, PostgreSQL, and LDAP. If using both a database and LDAP, new settings allow you to restrict access to only those users which exist in the database, rather than allowing any LDAP user access.

This release contains changes which break compatibility with past releases. Please see the deprecation / compatibility notes section for more information.

Two-factor authentication

Guacamole now provides support for two-factor authentication, and includes a new extension which integrates with Duo using their “Auth API”. Users who use the Duo authentication service can add Guacamole to their list of applications. Once configured, Guacamole will then require confirmation from Duo before allowing an otherwise successful authentication attempt to proceed.

With this first implementation of two-factor authentication completed, support for other two-factor authentication services is expected to follow.

Password policies

The database authentication extensions can now be configured to enforce password complexity rules, including requiring specific classes of characters, disallowing passwords containing the user’s username, and preventing previous passwords from being reused. Users can also now be required to change their password regularly, or prevented from changing their password too frequently.

Docker improvements

The Guacamole Docker image previously only supported the official MySQL, PostgreSQL, and LDAP extensions, with configuration automatically generated based on environment variables. No support for deploying other extensions was provided. As of 0.9.11-incubating, arbitrary extensions and their configuration files can be deployed by providing a template GUACAMOLE_HOME directory.

The requirement that the Guacamole Docker image be linked to the guacd Docker image has also been lifted. Though Guacamole still requires a connection to guacd, that connection can now be described using the GUACD_HOSTNAME and GUACD_PORT environment variables.

  • GUACAMOLE-99 - Do not require Docker link for guacd
  • GUACAMOLE-100 - Support arbitrary extensions within Guacamole Docker image

LDAP improvements

For the common case where Guacamole’s LDAP support is used purely for authentication, with a MySQL or PostgreSQL database used to house connection data, it is now possible to configure the database authentication extensions to reject authentication attempts for users which are not defined in the database. For those whose LDAP directories contain many users that will never be granted access to Guacamole, these new settings mean that such users can be denied access immediately, rather than presenting them with an empty and useless Guacamole home screen.

In addition, if your LDAP directory is so extensive that it exceeds the default query size limit of 1000 records, the query size limit can now be manually increased within guacamole.properties.

  • GUACAMOLE-70 - Add option to restrict access to users within database
  • GUACAMOLE-79 - Add an option to allow the default LDAP result size limit (1000) to be overridden

Capacity regression from 0.9.10-incubating

The new screen sharing support added in 0.9.10-incubating led to a regression which could cause connections to fail when the maximum number of file descriptors supported by select() was exceeded. This effectively limited the maximum number of connections a Guacamole server could support, regardless of how powerful the server might otherwise be. This has been fixed, and Guacamole has been refactored to use poll() instead of select().

Miscellaneous fixes / improvements

This latest release of Guacamole also addresses potential resource leaks in the use of SSL/TLS by guacd, segfaults in the built-in terminal emulator and VNC client, and adds a Norwegian translation for the Guacamole interface.

  • GUACAMOLE-86 - Connection closed when printing large content in SSH
  • GUACAMOLE-117 - File descriptor leak if SSL/TLS negotiation fails
  • GUACAMOLE-130 - Merge contributed Norwegian translation
  • GUACAMOLE-157 - Connecting to unavailable VNC endpoint causes SIGSEGV in SSH SSL lock free

Deprecation / Compatibility notes

As of 0.9.11-incubating, the following changes have been made which affect compatibility with past releases:

Database schema changes

The MySQL and PostgreSQL schemas have changed to facilitate support for password policies. Users of the database authentication extensions will need to run the upgrade-pre-0.9.11.sql script specific to their chosen database.