Chapter 8. Disabling authentication

Guacamole normally enforces authentication, requiring all users to have a corresponding set of credentials. If you would rather just type in your server's URL and gain access to your computer, you can do this with the so-called "NoAuth" extension.

The NoAuth extension still performs authentication, but does not validate any credentials, giving anyone that visits your server access to the same set of connections dictated by an XML configuration file. It is an authentication implementation in its own right, and thus doesn't truly "disable" authentication. It simply grants anyone access without requesting a username or password.

Important

The security implications of this should be obvious - anyone with access to your Guacamole instance will have access to your remote desktops. If you wish to effectively disable authentication using NoAuth, do so with caution.

Downloading the NoAuth extension

The NoAuth authentication extension is available separately from the main guacamole.war. Links to this and all other officially supported and compatible extensions for a particular version of Guacamole are provided in the release notes for that version. You can find the release notes for current versions of Guacamole here: http://guac-dev.org/releases/.

The NoAuth authentication extension is packaged as a .tar.gz file containing:

guacamole-auth-noauth-0.9.7.jar

The NoAuth extension itself, which must be placed in GUACAMOLE_HOME/extensions.

doc/example/

Contains an example configuration file: noauth-config.xml.

Installing the NoAuth extension

Guacamole extensions are self-contained .jar files which are located within the GUACAMOLE_HOME/extensions directory. To install the NoAuth authentication extension, you must:

  1. Create the GUACAMOLE_HOME/extensions directory, if it does not already exist.

  2. Remove any existing authentication extensions from GUACAMOLE_HOME/extensions. Guacamole does not currently support using multiple authentication extensions at the same time.

  3. Copy guacamole-auth-noauth-0.9.7.jar into GUACAMOLE_HOME/extensions.

  4. Configure Guacamole to use NoAuth, as described below.

Important

You will need to restart Guacamole by restarting your servlet container in order to complete the installation. Doing this will disconnect all active users, so be sure that it is safe to do so prior to attempting installation. If you do not configure the NoAuth extension properly, Guacamole will not start up again until the configuration is fixed.

Configuring Guacamole for NoAuth

An additional property must be added to guacamole.properties such that Guacamole will load the NoAuth extension and locate its configuration file:

# NoAuth properties
noauth-config: /etc/guacamole/noauth-config.xml

The noauth-config property defines the location of the XML configuration file required by NoAuth. This file describes the connections available to any user of your Guacamole instance and can be placed anywhere so long as its location is given in guacamole.properties. On Linux servers, /etc/guacamole is a good location for Guacamole configuration files, including the configuration file used by NoAuth.

The NoAuth configuration file

Although the NoAuth extension does not check credentials, it still requires a configuration file describing which connections are available and the protocols to use. This configuration is an XML file, typically called noauth-config.xml.

An example configuration file is provided in the doc/example/ directory of the .tar.gz file downloadable from the Guacamole site. The format is fairly straightforward, and consists only of a list of connections (configurations) and parameters:

<configs>
    <config name="myconfig" protocol="rdp">
        <param name="hostname" value="rdp-server" />
        <param name="port" value="3389" />
    </config>
</configs>

The file consists of a single <configs> tag that contains any number of <config> tags, each representing a distinct connection available for use.

Each <config> tag has a corresponding name and protocol. The name attribute defines a unique identifier for the connection and tells Guacamole what text should be displayed when identifying the connection. The protocol attribute defines the standard remote desktop protocol to use, such as "vnc", "rdp", or "ssh". These protocols must be specified as lowercase due to the naming convention used by the libraries providing protocol support. If the wrong case is used, Guacamole will be unable to load the corresponding protocol support and the connection will fail.

The <param> tags are placed within <config> tags, describing a parameter name/value pair. The parameters available, their names, and their allowed values are protocol-specific and documented in Chapter 5, Configuring Guacamole.

The example above creates a new connection called "myconfig" that uses RDP to connect to the server at "rdp-server" on port 3389.
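
Because a misconfigured NoAuth file keeps Guacamole from starting, it is worth checking the file before restarting the servlet container. The following is an added example, not part of the NoAuth extension or the Guacamole project: a small Python lint for the format rules stated above (a single <configs> root, a unique name and a lowercase protocol on each <config>, and name/value pairs on each <param>). The function name and the sample document are constructed for illustration, and the extension's own parser may be stricter or more lenient than these checks.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's example followed by deliberately broken entries.
SAMPLE = """\
<configs>
    <config name="myconfig" protocol="rdp">
        <param name="hostname" value="rdp-server" />
        <param name="port" value="3389" />
    </config>
    <config name="myconfig" protocol="VNC">
        <param name="hostname" />
    </config>
    <config protocol="ssh" />
</configs>
"""

def lint_noauth_config(xml_text):
    """Return a list of problems found in a noauth-config.xml document."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "configs":
        return [f"root element is <{root.tag}>, expected <configs>"]
    problems, seen = [], set()
    for idx, cfg in enumerate(root, start=1):
        where = f"entry {idx}"
        if cfg.tag != "config":
            problems.append(f"{where}: unexpected <{cfg.tag}> inside <configs>")
            continue
        name, proto = cfg.get("name"), cfg.get("protocol")
        if not name:
            problems.append(f"{where}: missing name attribute")
        elif name in seen:
            problems.append(f"{where}: duplicate connection name {name!r}")
        else:
            seen.add(name)
        if not proto:
            problems.append(f"{where}: missing protocol attribute")
        elif proto != proto.lower():
            problems.append(f"{where}: protocol {proto!r} must be lowercase")
        for p in cfg:
            if p.tag != "param" or p.get("name") is None or p.get("value") is None:
                problems.append(f"{where}: children must be <param name= value= />")
    return problems

if __name__ == "__main__":
    for line in lint_noauth_config(SAMPLE) or ["no problems found"]:
        print(line)
```

To check a real file, pass its contents to lint_noauth_config(); an empty list means none of the checked rules were violated.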

Completing the installation

Guacamole will only reread guacamole.properties and load newly-installed extensions during startup, so your servlet container will need to be restarted before the disabled authentication will take effect. Restart your servlet container and check whether your changes have been successful.

Important

You only need to restart your servlet container. You do not need to restart guacd.

guacd is completely independent of the web application and does not deal with guacamole.properties or the authentication system in any way. Since you are already restarting the servlet container, restarting guacd as well technically won't hurt anything, but doing so is completely pointless.

If Guacamole does not come back online after restarting your servlet container, or you are prompted for a username and password, check the logs. Problems in the configuration of the NoAuth extension will prevent Guacamole from starting up, and any such errors will be recorded in the logs of your servlet container.