Chapter 6. Disabling authentication

Guacamole normally enforces authentication, requiring all users to have a corresponding set of credentials. If you would rather just type in your server's URL and gain access to your computer, you can do this with the "noauth" extension.

guacamole-auth-noauth removes all authentication, giving anyone that visits your server access to the same set of connections dictated by an XML configuration file. It is an authentication implementation in its own right, and thus doesn't truly "disable" authentication per se. Instead, it grants anyone access without requiring a username or password.

The security implications of this should be obvious: anyone who can reach your Guacamole instance will have access to your remote desktops.

Installing the "noauth" extension

The "noauth" authentication module is not included in the main Guacamole bundle, nor is it enabled by default. You must use the download link provided in the downloads section of the main Guacamole site.

The downloaded .tar.gz file will contain several directories:

lib/

Contains all .jar files required for the "noauth" authentication module to work, including the module itself.

example/

Contains an example configuration file: noauth-config.xml.

The contents of lib/ must be copied into the classpath of Guacamole, which is the directory specified by the lib-directory property in guacamole.properties. If this property is not specified, simply add it. On Linux servers, /var/lib/guacamole/classpath is a good choice, but it can be whatever you like.

The "noauth" extension is very simple and does not require any external libraries to function. The contents of the lib/ directory should be simply the extension itself. After copying this file in place, check that the contents match the listing shown here:

$ ls /var/lib/guacamole/classpath
guacamole-auth-noauth-0.8.0.jar
$

If there are other .jar files present beyond the "noauth" authentication module itself (guacamole-auth-noauth-0.8.0.jar), it should still work. You would only have problems if two different versions of "noauth" were present.

Configuring Guacamole

A few properties must be added to guacamole.properties so that Guacamole will load the "noauth" extension and locate its configuration file:

# Auth provider class
auth-provider: net.sourceforge.guacamole.net.auth.noauth.NoAuthenticationProvider

# NoAuth properties
noauth-config: /etc/guacamole/noauth-config.xml

The auth-provider property above is a standard Guacamole property and tells Guacamole which authentication provider to use when authenticating requests.

The noauth-config property defines where the XML configuration file (documented below) is located. This file describes the connections available to any user of your Guacamole instance and can be placed anywhere so long as its location is given in guacamole.properties. On Linux servers, /etc/guacamole is a good location for Guacamole configuration files, including the configuration file used by "noauth".

Now just restart Tomcat (or whatever servlet container you are using) and authentication will be effectively disabled.

Adding connections

Although the "noauth" extension does not check credentials, it still requires a configuration file describing which connections are available and the protocols to use. This configuration is an XML file, typically called noauth-config.xml.

An example noauth-config.xml file is provided in the example/ directory of the .tar.gz file downloadable from the Guacamole site. The format is fairly straightforward, and it consists only of a list of connections (configurations) and parameters:

<configs>
    <config name="myconfig" protocol="rdp">
        <param name="hostname" value="rdp-server" />
        <param name="port" value="3389" />
    </config>
</configs>

The file consists of a single <configs> tag that contains any number of <config> tags, each representing a distinct connection available for use.

Each <config> tag has a corresponding name and protocol. The name attribute defines a unique identifier for the connection and tells Guacamole what text should be displayed when identifying the connection. The protocol attribute defines the standard remote desktop protocol to use, such as VNC, RDP, or SSH. These protocols must be specified as lowercase due to the naming convention used by the libraries providing protocol support. If the wrong case is used, Guacamole will be unable to load the corresponding protocol support and the connection will fail.

The <param> tags are placed within <config> tags, describing a parameter name/value pair. The parameters available, their names, and their allowed values are protocol-specific and documented in Chapter 3, Configuring Guacamole.

The example above creates a new connection called "myconfig" that uses RDP to connect to the server at rdp-server on port 3389.
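Because every connection in this file is reachable by anyone who can load the Guacamole URL, it is worth checking the file before restarting the servlet container. The following is an added example, not part of the Guacamole project or the original manual: it lists what the file exposes and checks the format rules described above (lowercase protocol, unique names, complete name/value pairs). The function name audit_noauth_config and the SAMPLE input are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the first entry is the chapter's example; the other two
# are deliberately malformed to exercise the checks.
SAMPLE = """<configs>
  <config name="myconfig" protocol="rdp">
    <param name="hostname" value="rdp-server" />
    <param name="port" value="3389" />
  </config>
  <config name="myconfig" protocol="VNC">
    <param name="hostname" value="vnc-server" />
  </config>
  <config protocol="ssh"><param name="hostname" /></config>
</configs>"""


def audit_noauth_config(xml_text):
    """Return (exposed, problems) for the text of a noauth-config.xml file.

    exposed lists (name, protocol, hostname, port) per <config>, i.e. what
    any visitor can reach without credentials; problems lists format errors.
    """
    root = ET.fromstring(xml_text)
    exposed, problems, seen = [], [], set()
    if root.tag != "configs":
        problems.append(f"root element is <{root.tag}>, expected <configs>")
    for i, cfg in enumerate(root.findall("config"), start=1):
        name, proto = cfg.get("name"), cfg.get("protocol")
        label = name or f"config #{i}"
        if not name:
            problems.append(f"{label}: missing name attribute")
        elif name in seen:
            problems.append(f"{label}: duplicate name")
        seen.add(name)
        if not proto:
            problems.append(f"{label}: missing protocol attribute")
        elif proto != proto.lower():
            problems.append(f"{label}: protocol '{proto}' must be lowercase")
        params = {}
        for p in cfg.findall("param"):
            if p.get("name") is None or p.get("value") is None:
                problems.append(f"{label}: <param> needs both name and value")
            else:
                params[p.get("name")] = p.get("value")
        exposed.append((name, proto, params.get("hostname"), params.get("port")))
    return exposed, problems


if __name__ == "__main__":
    exposed, problems = audit_noauth_config(SAMPLE)
    for line in [f"open to any visitor: {e}" for e in exposed] + problems:
        print(line)
```

To audit a real deployment, pass the contents of the file named by the noauth-config property instead of SAMPLE.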