This week I found myself booting up an old environment which used Guacamole to present some resources. Whilst I had server credentials, I did not have any of the Guacamole user credentials, so I looked into how I could reset the accounts. My environment uses Postgres.
After a bit of messing about I came up with the following process, which basically updates the table with an unsalted password hash. You should always change your password in Guacamole immediately after logging in with this process.
First, log on to the server and generate a SHA256 hash of your “temporary” password, replacing <NewPassword> accordingly:
echo -n '<NewPassword>' | sha256sum
Having made a note of the SHA256 hash, connect to the Guacamole PostgreSQL database:
psql -h 127.0.0.1 -d guacamole_db -U guacamole_user -W
When prompted, you will need to enter the password of the guacamole_user account.
The next step is to find the entity_id of the account we wish to reset. This is done by querying the guacamole_entity table; replace <username> with the name of the account whose password you are resetting:
SELECT entity_id FROM guacamole_entity WHERE name='<username>';
For example, if you wanted to find the entity_id of guacadmin, the command would be:
SELECT entity_id FROM guacamole_entity WHERE name='guacadmin';
We can then reset the password. This is done by setting the salt to null and updating the record with the non-salted password hash. Replace <SHA256HASH> with the hash generated in the first step and replace <entity_id> with the entity_id you just obtained:
UPDATE guacamole_user
SET
    password_salt = NULL,
    password_hash = '\x<SHA256HASH>'
WHERE
    entity_id = '<entity_id>';
When that is done, you should be able to log in to Guacamole with the new password.
As mentioned at the beginning, there is one final but very important step: once you have logged in with the account, immediately change your password via Guacamole. This ensures the table is updated with a SALTED password.
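The steps above combined into one script, as an added example that is not part of the original post or of Guacamole itself: it reads the temporary password from the terminal so it stays out of shell history, validates the inputs, and prints the UPDATE with the entity_id lookup folded in. The function names and the script name guac-reset.sh are hypothetical, and the `type = 'USER'` filter is an addition that relies on the type column of guacamole_entity so a group with the same name is not matched.

```shell
#!/bin/sh
# Added example: hypothetical helper names, not part of Guacamole.

# Unsalted SHA-256 of the password as 64 hex characters
# (sha256sum's trailing "  -" is stripped).
guac_hash() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Print the UPDATE for one account. Anything that is not a plain
# username or a 64-character hex digest is refused, so nothing
# unescaped can reach the SQL text.
guac_reset_sql() {
    case $1 in
        ''|*[!A-Za-z0-9._@-]*) echo "refusing username: $1" >&2; return 1 ;;
    esac
    case $2 in
        *[!0-9a-f]*) echo "hash is not lowercase hex" >&2; return 1 ;;
    esac
    [ "${#2}" -eq 64 ] || { echo "hash is not 64 characters" >&2; return 1; }
    cat <<SQL
UPDATE guacamole_user
SET password_salt = NULL,
    password_hash = '\\x$2'
WHERE entity_id = (SELECT entity_id FROM guacamole_entity
                   WHERE name = '$1' AND type = 'USER');
SQL
}

# Run as: sh guac-reset.sh <username>
# The password is read from the terminal without echo, so it never
# appears in shell history.
if [ "$#" -eq 1 ]; then
    printf 'Temporary password: ' >&2
    stty -echo 2>/dev/null
    IFS= read -r pw
    stty echo 2>/dev/null
    echo >&2
    guac_reset_sql "$1" "$(guac_hash "$pw")"
fi
```

Paste the printed statement into the psql session opened earlier; psql should report UPDATE 1 if exactly one account was changed.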
Useful Link: https://guacamole.apache.org/doc/gug/jdbc-auth.html#modifying-data-manually