ra6r2015 Chapter 8. Disabiing atnetication
Chapter 8. Disabling authentication
Guacamole normally enforces authentication, requiring all users to have a corresponding set of credentials. If
you would rather just type in your server's URL and gain access to your computer, you can do this with the
so-called "NoAuth” extension.
The NoAuth extension still performs authentication, but does not validate any credentials, giving anyone that
Visits your server access to the same set of connections dictated by an XML configuration file. It is an
authentication implementation in its own right, and thus doesn't truly “disable” authentication. It simply grants
anyone access without requesting a username or password
Important
The security implications of this should be obvious - anyone with access to your Guacamole
instance will have access to your remote desktops. If you wish to effectively disable
authentication using NoAuth, do so with caution
Downloading the NoAuth extension
The NoAuth authentication extension is available separately from the main guacanole.war. The link for this
and all other officially-supported and compatible extensions for a particular version of Guacamole are
provided on the release notes for that version. You can find the release notes for current versions of
Guacamole here: http/auac-dev.org/releases/.
The NoAuth authentication extension is packaged as a . tar.gz file containing
guacamole-auth-noauth-0.9.7. jar
‘The NoAuth extension itself, which must be placed in GUACAMOLE_HOME/extensions.
doc/example/
Contains an example configuration file: noauth-config. xml.
Installing the NoAuth extension
Guacamole extensions are self-contained. jar_ files which are located within the
GUACAMOLE_HOME/extensions directory. To install the NoAuth authentication extension, you must:
1. Create the GUACAMOLE_HOME/extensions directory, if it does not already exist
2. Remove any existing authentication extensions from GUACAMOLE_HOME/extensions. Guacamole does
not currently support using multiple authentication extensions at the same time
3. Copy guacamole-auth-noauth-@.9.7. jar within GUACAMOLE_HOME/extensions.
4, Configure Guacamole to use NoAuth, as described below.
Important
You will need to restart Guacamole by restarting your servlet container in order to complete the
installation. Doing this will disconnect all active users, so be sure that it is safe to do so prior to
attempting installation. If you do not configure the NoAuth extension properly, Guacamole will
Fipiiguac-devergldoclgug/noai rim! 10raez015 Caper 8 Disabling auenticaton
not start up again until the configuration is fixed.
Configuring Guacamole for NoAuth
An additional property must be added to guacamole. properties such that Guacamole will load the NoAuth
extension and locate its configuration file:
# NoAuth properties
noauth-config: /etc/guacamole/noauth-config. xml
The noauth-config property defines the location of the XML configuration file required by NoAuth. This file
describes the connections available to any user of your Guacamole instance and can be placed anywhere so
long as its location is given in guacamole. properties. On Linux servers, /etc/guacamole is a good
location for Guacamole configuration files, including the configuration file used by NoAuth.
The NoAuth configuration file
Although the NoAuth extension does not check credentials, it still requires a configuration file describing
which connections are available and the protocols to use. This configuration is an XML file, typically called
noauth-config. xml
‘An example configuration file is provided in the doc/example/ directory of the .tar.gz file downloadable
from the Guacamole site. The format is fairly straightforward, and consists only of a list of connections
(configurations) and parameters:
The file consists of a single tag that contains any number of tags, each representing a
distinct connection available for use.
Each tag has a corresponding name and protocol. The nane attribute defines a unique identifier
for the connection and tells Guacamole what text should be displayed when identifying the connection, The
protocol attribute defines the standard remote desktop protocol to use, such as "vnc", "rdp", or "ssh"
These protocols must be specified as lowercase due to the naming convention used by the libraries providing
protocol support. If the wrong case is used, Guacamole will be unable to load the corresponding protocol
support and the connection wil fai.
‘The tags are placed within tags, describing a parameter name/value pair. The parameters
available, their names, and their allowed values are protocol-specific and documented in Chapter 5,
Configuring Guacamole.
‘The example above creates a new connection called "myconfig" that uses ROP to connect to the server at
“tdp-server" on port 3389.
Completing the installation
Guacamole will only reread guacamole.properties and load newly-installed extensions during startup, so
your serviet container will need to be restarted before the disabled authentication will take effect, Restart your
servlet container and check whether your changes have been successful
Fipiiguac-devergldelgug/noaih rim!rapr2015 Chapter 8. Disabiing atnetication
Important
You only need to restart your serviet container. You do not need to restart guacd.
guacd is completely independent of the web application and does not deal with
guacamole.properties or the authentication system in any way. Since you are already
restarting the servlet container, restarting guacd as well technically won't hurt anything, but
doing so is completely pointless.
If Guacamole does not come back online after restarting your servlet container, or you are prompted for a
username and password, check the logs. Problems in the configuration of NoAuth extension will prevent
Guacamole from starting up, and any such errors will be recorded in the logs of your serviet container.
Fipiiguac-devergldelgug/noaih rim!