Apache Guacamole 0.9.11-incubating
Apache Guacamole is split into two subprojects: "guacamole-client", the HTML5 web application which serves the Guacamole client to users, and "guacamole-server", the remote desktop proxy which the web application communicates with. The source code for each of these may be downloaded below.
|guacamole-client-0.9.11-incubating.tar.gz||[ MD5 ]||[ SHA ]||[ PGP ]|
|guacamole-server-0.9.11-incubating.tar.gz||[ MD5 ]||[ SHA ]||[ PGP ]|
If you do not wish to build Apache Guacamole entirely from source, pre-built versions of the web application (.war) and all extensions are provided here in binary form for convenience. Please note that guacamole-server must still be built and installed from source.
|guacamole-0.9.11-incubating.war||[ MD5 ]||[ SHA ]||[ PGP ]|
|guacamole-auth-duo-0.9.11-incubating.tar.gz||[ MD5 ]||[ SHA ]||[ PGP ]|
|guacamole-auth-jdbc-0.9.11-incubating.tar.gz||[ MD5 ]||[ SHA ]||[ PGP ]|
|guacamole-auth-ldap-0.9.11-incubating.tar.gz||[ MD5 ]||[ SHA ]||[ PGP ]|
|guacamole-auth-noauth-0.9.11-incubating.tar.gz||[ MD5 ]||[ SHA ]||[ PGP ]|
The 0.9.11-incubating release features support for two-factor authentication, password policies (complexity rules, preventing password reuse, etc.), and the ability to use the Docker images with arbitrary Guacamole extensions, not just MySQL, PostgreSQL, and LDAP. If using both a database and LDAP, new settings allow you to restrict access to only those users which exist in the database, rather than allowing any LDAP user access.
This release contains changes which break compatibility with past releases. Please see the deprecation / compatibility notes section for more information.
Guacamole now provides support for two-factor authentication, and includes a new extension which integrates with Duo using their “Auth API”. Users who use the Duo authentication service can add Guacamole to their list of applications. Once configured, Guacamole will then require confirmation from Duo before allowing an otherwise successful authentication attempt to proceed.
With this first implementation of two-factor authentication completed, support for other two-factor authentication services is expected to follow.
- GUACAMOLE-136 - Add support for TFA - initially Duo
The database authentication extensions can now be configured to enforce password complexity rules, including requiring specific classes of characters, disallowing passwords containing the user’s username, and preventing previous passwords from being reused. Users can also now be required to change their password regularly, or prevented from changing their password too frequently.
- GUACAMOLE-36 - Add support for password policies
The Guacamole Docker image previously only supported the official MySQL,
PostgreSQL, and LDAP extensions, with configuration automatically generated
based on environment variables. No support for deploying other extensions was
provided. As of 0.9.11-incubating, arbitrary extensions and their configuration
files can be deployed through providing a template
The requirement that the Guacamole Docker image be linked to the guacd Docker
image has also been lifted. Though Guacamole still requires a connection to
guacd, that connection can now be described using the
GUACD_PORT environment variables.
- GUACAMOLE-99 - Do not require Docker link for guacd
- GUACAMOLE-100 - Support arbitrary extensions within Guacamole Docker image
For the common case where Guacamole’s LDAP support is used purely for authentication, with an MySQL or PostgreSQL database used to house connection data, it is now possible to configure the database authentication extensions to reject authentication attempts for users which are not defined in the database. For those whose LDAP directories contain many users that will never be granted access to Guacamole, these new settings mean that such users can be denied access immediately, rather than presenting them with an empty and useless Guacamole home screen.
In addition, if your LDAP directory was so extensive that it exceeded the
default query size limit of 1000 records, the query size limit can now be
manually increased within
- GUACAMOLE-70 - Add option to restrict access to users within database
- GUACAMOLE-79 - Add an option to allow the default LDAP result size limit (1000) to be overridden
Capacity regression from 0.9.10-incubating
The new screen sharing support added in 0.9.10-incubating lead to a regression
which could cause connections to fail when the maximum number of file
descriptors supported by
select() was exceeded. This effectively limited the
maximum number of connections a Guacamole server could support, regardless of
how powerful the server might otherwise be. This has been fixed, and Guacamole
has been refactored to use
poll() instead of
- GUACAMOLE-118 - Migrate from select() to poll()
Miscellaneous fixes / improvements
This latest release of Guacamole also addresses potential resource leaks in the use of SSL/TLS by guacd, segfaults in the built-in terminal emulator and VNC client, and adds a Norwegian translation for the Guacamole interface.
- GUACAMOLE-86 - Connection closed when printing large content in SSH
- GUACAMOLE-117 - File descriptor leak if SSL/TLS negotiation fails
- GUACAMOLE-130 - Merge contributed Norwegian translation
- GUACAMOLE-157 - Connecting to unavailable VNC endpoint causes SIGSEGV in SSH SSL lock free
Deprecation / Compatibility notes
As of 0.9.11-incubating, the following changes have been made which affect compatibility with past releases:
Database schema changes
The MySQL and PostgreSQL schemas have changed to facilitate support for
password policies. Users of the database authentication will need to run the
upgrade-pre-0.9.11.sql script specific to their chosen database.