Updated 12/04/17; reflected availability of 0.9.12-incubating version of guacamole.
Updated 12/02/18; reflected 0.9.13-incubating version of guacamole.
*** This guide assumes you have guacamole up and running, see here if you do not! ***
First, you’ll need to register for a Free Duo account, go to: https://duo.com/
Create a new “Auth API” application: Dashboard > Applications > Protect an Application > Web SDK
- Scroll down, under Settings and change the name to “Guacamole,” or something of your choice.
- Copy out the following information (you’ll need this for the guacamole.properties file):
- Integration Key
- Secret Key
- API hostname
Finally, generate a duo “application key” on your docker host – note you do not have to input this anywhere on your Duo configuration.
dd if=/dev/random count=1 | sha256sum
Now from your docker host we will create a skeleton extensions directory and guacamole.properties file that will be passed through to the guacamole docker image. Don’t worry, we’ll only add the Duo-specific config/ extension files here, the docker images will sort the rest out for us!
We will create this skeleton home directory under: /var/docker/config/guacamole/
# From Docker HOST execute these commands cd ~/ mkdir -p /var/docker/config/guacamole/extensions/ wget http://apache.mirrors.tds.net/incubator/guacamole/0.9.13-incubating/binary/guacamole-auth-duo-0.9.13-incubating.tar.gz tar zxvf guacamole-auth-duo-0.9.13-incubating.tar.gz mv guacamole-auth-duo-0.9.13-incubating/guacamole-auth-duo-0.9.13-incubating.jar /var/docker/config/guacamole/extensions/ cd /var/docker/config/guacamole vi guacamole.properties ### Duo MFA Config duo-api-hostname: <as per duo config> duo-integration-key: <as per duo config> duo-secret-key: <as per duo config> duo-application-key: <generate using command above> # Now save/ close the text file
Finally, we’ll now drop and recreate the guacamole docker image with Duo support – note this will stop access / any running sessions. Note how we pass through the config folder and then define it as a path within the container which GUACAMOLE_HOME then uses.
Be sure to verify syntax of this command – i.e.
- Database name
- Database user account/ password
- guacd and mysql linked docker container names
- Volume paths that are passed-through to the container
docker stop guacamole docker rm guacamole docker run --name guacamole --link guacd:guacd --link guac-mysql:mysql \ -e MYSQL_DATABASE='guacamole' \ -e MYSQL_USER='guacamole' \ -v /var/docker/config/guacamole:/config \ -e GUACAMOLE_HOME=/config \ -e MYSQL_PASSWORD='<your password>' \ -d -p 8080:8080 guacamole/guacamole
The guacamole container should now be started and you should be able to login/ assign MFA to your guacamole account.
Be sure to reset your browser cache as otherwise you will be presented with an error when logging on.
3 replies on “Enabling Duo Dual / Multi-Factor Authentication (MFA) for Guacamole Docker”
[…] Want to get multi-factor authentication? Check out my post here for Docker support/ deployment of Duo MFA for Guacamole. […]
Thank you so much for this post! Made setting 2FA on my docker guac deployment a piece of cake!
[…] To get guacamole deployed using docker containers, on Ubuntu 16.04, see my other post here: https://www.cb-net.co.uk/linux/enabling-duo-dual-multi-factor-authentication-mfa-for-guacamole-docke… […]