How to reset passwords in Apache Guacamole

This article is about how to reset a lost password for the administrative user. It was tested on guacamole version 1.5.5 but is probably applicable for later versions. The following query replaces the current password for the guacadmin user with the default password in PostgreSQL:

UPDATE guacamole_user SET
	password_hash = decode('CA458A7D494E3BE824F5E1E175A1556C0F8EEF2C2D7DF3633BEC4A29C4411960', 'hex'),
	password_salt = decode('FE24ADC5E11E2B25288D1704ABE67A79E342ECC26064CE69C5B3177795A82264', 'hex')
	WHERE entity_id = (SELECT entity_id FROM guacamole_entity WHERE name = 'guacadmin');

The case for MySQL/MariaDB is similar:

UPDATE guacamole_user SET
	password_hash = x'CA458A7D494E3BE824F5E1E175A1556C0F8EEF2C2D7DF3633BEC4A29C4411960',
	password_salt = x'FE24ADC5E11E2B25288D1704ABE67A79E342ECC26064CE69C5B3177795A82264'
	WHERE entity_id = (SELECT entity_id FROM guacamole_entity WHERE name = 'guacadmin');

When using docker you can use the following template (with a PostgreSQL backend); fill in all relevant details:

docker exec "$POSTGRES_CONTAINER" psql "$GUACAMOLE_DATABASE" "$DBUSER" -c "$SQL_QUERY"

Password hashing

By default, passwords are hashed with SHA-256: the salt's (uppercase) hex string is appended to the password and the result is hashed. This is currently done by the guacamole client in extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/security/SHA256PasswordEncryptionService.java.

The default username and password for a guacamole installation are guacadmin and guacadmin respectively and the default salt can be obtained by checking the associated database schemas used for initialization:

Or in the case of docker with postgres:

docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --postgresql

The current default salt, hex encoded, is FE24ADC5E11E2B25288D1704ABE67A79E342ECC26064CE69C5B3177795A82264. Hashing the password with this salt gives the expected result:

printf 'guacadminFE24ADC5E11E2B25288D1704ABE67A79E342ECC26064CE69C5B3177795A82264' | sha256sum

There is no need to use the default salt. This part only documents the reasoning and makes the process verifiable.

Database Layout

The password hash and its salt are saved in the guacamole_user table, in the password_hash and password_salt columns. Usually the guacadmin user has entity_id = 1. This can be checked with the following SQL statement:

SELECT entity_id FROM guacamole_entity WHERE name = 'guacadmin';

Putting this all together gives the SQL query from the beginning of this article. This is not specific to the guacadmin user and can be applied to any other user. Doing so is generally not necessary, as the admin user can reset all passwords anyway.
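
The hashing scheme and the query described above, combined into a helper that sets a chosen password with a fresh random salt instead of the default one. This is an added example, not code from the Guacamole project; the function names guac_hash, guac_new_salt and guac_reset_sql are illustrative, and it assumes sha256sum, od and /dev/urandom are available.

```shell
#!/bin/sh
# Added example, not Guacamole project code. Function names are illustrative.
# Scheme as described in the article: SHA-256 over the password followed by
# the uppercase hex string of the salt.

# guac_hash PASSWORD SALT_HEX -> uppercase hex SHA-256 digest
guac_hash() {
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1 | tr 'a-f' 'A-F'
}

# guac_new_salt -> 32 random bytes as 64 uppercase hex characters
guac_new_salt() {
    head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n' | tr 'a-f' 'A-F'
}

# guac_reset_sql USER PASSWORD [SALT_HEX] -> PostgreSQL UPDATE statement.
# SALT_HEX is only for reproducing a known value; by default it is random.
# The body runs in a subshell "( )" so its variables do not leak out.
guac_reset_sql() (
    user=$1 password=$2 salt=${3:-$(guac_new_salt)}
    # The salt is pasted into the statement, so accept nothing but
    # exactly 64 uppercase hex characters.
    case $salt in *[!0-9A-F]*) echo "bad salt" >&2; exit 1 ;; esac
    [ "${#salt}" -eq 64 ] || { echo "bad salt length" >&2; exit 1; }
    hash=$(guac_hash "$password" "$salt")
    # Double any single quote so the user name stays inside its SQL literal.
    quoted=$(printf '%s' "$user" | sed "s/'/''/g")
    printf "UPDATE guacamole_user SET\n"
    printf "  password_hash = decode('%s', 'hex'),\n" "$hash"
    printf "  password_salt = decode('%s', 'hex')\n" "$salt"
    printf "  WHERE entity_id = (SELECT entity_id FROM guacamole_entity WHERE name = '%s');\n" "$quoted"
)

# Stand-alone use: pass the user name as the only argument and supply the
# password on standard input, so it does not appear in the process list.
if [ "$#" -eq 1 ]; then
    IFS= read -r pw
    guac_reset_sql "$1" "$pw"
fi
```

The printed statement is what goes into $SQL_QUERY in the docker template; for MySQL/MariaDB, replace the decode('...', 'hex') expressions with x'...' literals as in the query at the beginning of this article.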