Table of Contents
Guacamole normally enforces authentication, requiring all users to have a corresponding set of credentials. If you would rather just type in your server's URL and gain access to your computer, you can do this with the so-called "NoAuth" extension.
The NoAuth extension still performs authentication, but does not validate any credentials, giving anyone that visits your server access to the same set of connections dictated by an XML configuration file. It is an authentication implementation in its own right, and thus doesn't truly "disable" authentication. It simply grants anyone access without requesting a username or password.
Important
The security implications of this should be obvious - anyone with access to your Guacamole instance will have access to your remote desktops. If you wish to effectively disable authentication using NoAuth, do so with caution.
The NoAuth authentication extension is
available separately from the main guacamole.war
. The link for this
and all other officially-supported and compatible extensions for a particular version of
Guacamole are provided on the release notes for that version. You can find the release
notes for current versions of Guacamole here: http://guac-dev.org/releases/.
The NoAuth authentication extension is
packaged as a .tar.gz
file containing:
guacamole-auth-noauth-0.9.7.jar
The NoAuth extension itself, which must be placed in
GUACAMOLE_HOME/extensions
.doc/example/
Contains an example configuration file:
noauth-config.xml
.
Guacamole extensions are self-contained .jar
files which are
located within the GUACAMOLE_HOME/extensions
directory. To install
the NoAuth authentication extension, you must:
Create the
GUACAMOLE_HOME/extensions
directory, if it does not already exist.Remove any existing authentication extensions from
GUACAMOLE_HOME/extensions
. Guacamole does not currently support using multiple authentication extensions at the same time.Copy
guacamole-auth-noauth-0.9.7.jar
withinGUACAMOLE_HOME/extensions
.Configure Guacamole to use NoAuth, as described below.
Important
You will need to restart Guacamole by restarting your servlet container in order to complete the installation. Doing this will disconnect all active users, so be sure that it is safe to do so prior to attempting installation. If you do not configure the NoAuth extension properly, Guacamole will not start up again until the configuration is fixed.
An additional property must be added to guacamole.properties
such that Guacamole will load the NoAuth extension and locate its configuration
file:
# NoAuth properties
noauth-config: /etc/guacamole/noauth-config.xml
The noauth-config property defines the location of the XML
configuration file required by NoAuth. This file describes the connections available
to any user of your Guacamole instance and can be placed anywhere so long as its
location is given in guacamole.properties
. On Linux servers,
/etc/guacamole
is a good location for Guacamole
configuration files, including the configuration file used by NoAuth.
Although the NoAuth extension does not check credentials, it still requires a
configuration file describing which connections are available and the protocols
to use. This configuration is an XML file, typically called
noauth-config.xml
.
An example configuration file is provided in the
doc/example/
directory of the
.tar.gz
file downloadable from the Guacamole site. The
format is fairly straightforward, and consists only of a list of connections
(configurations) and parameters:
<configs> <config name="myconfig" protocol="rdp"> <param name="hostname" value="rdp-server" /> <param name="port" value="3389" /> </config> </configs>
The file consists of a single <configs>
tag that contains
any number of <config>
tags, each representing a distinct
connection available for use.
Each <config>
tag has a corresponding name
and protocol
. The name
attribute defines a unique
identifier for the connection and tells Guacamole what text should be
displayed when identifying the connection. The protocol
attribute defines the standard remote desktop protocol to use, such as
"vnc
", "rdp
", or
"ssh
". These protocols must be specified as
lowercase due to the naming convention used by the libraries providing
protocol support. If the wrong case is used, Guacamole will be unable to
load the corresponding protocol support and the connection will fail.
The <param>
tags are placed within
<config>
tags, describing a parameter name/value pair.
The parameters available, their names, and their allowed values are
protocol-specific and documented in Chapter 5, Configuring Guacamole.
The example above creates a new connection called "myconfig" that uses RDP to connect to the server at "rdp-server" on port 3389.
Guacamole will only reread guacamole.properties
and load
newly-installed extensions during startup, so your servlet container will need to be
restarted before the disabled authentication will take effect. Restart your servlet
container and check whether your changes have been successful.
Important
You only need to restart your servlet container. You do not need to restart guacd.
guacd is completely independent of the web application
and does not deal with guacamole.properties
or the
authentication system in any way. Since you are already restarting the
servlet container, restarting guacd as well technically
won't hurt anything, but doing so is completely pointless.
If Guacamole does not come back online after restarting your servlet container, or you are prompted for a username and password, check the logs. Problems in the configuration of NoAuth extension will prevent Guacamole from starting up, and any such errors will be recorded in the logs of your servlet container.