How to debug quickconnect auth not working

How to debug quickconnect auth not working

Victor Norman
All,

I'm trying to set up a guacamole system with the quickconnect user "authentication". I think I've followed all the installation instructions correctly, but I still see the regular login/password user interface.

I haven't been able to find anything in the log files to tell me what I'm doing wrong.

Can someone make suggestions on how I should proceed to figure out what I've done wrong?

Prof. Victor Norman
Computer Science
Calvin College University
-----
"A designer knows he has achieved perfection not when there is nothing left to add, but when there is nothing left to take away." -- Antoine de Saint Exupéry


Re: How to debug quickconnect auth not working

vnick
On Wed, Jun 10, 2020 at 8:37 AM Victor Norman <[hidden email]> wrote:
All,

I'm trying to set up a guacamole system with the quickconnect user "authentication". I think I've followed all the installation instructions correctly, but I still see the regular login/password user interface.


The QuickConnect "authentication" extension does not disable or replace the requirement for a username/password logon - it is not that type of "authentication" extension.  Once you log in to Guacamole using whatever other methods you have configured (JDBC, LDAP, etc.) it places a connection bar on the Home Screen just above the normal connection tree that allows you to type a URI.

-Nick

Re: How to debug quickconnect auth not working

Victor Norman
Ah ha! Thanks.

So, a bit more context: I'm upgrading my system from 0.9.9 where we were using auth-noauth. That seems to be gone now...  Any recommendations?

I saw in Chapter 5, that there is an option to put disable-auth: true into the guacamole.properties file, and I've done that, but that doesn't seem to have any effect...



From: Nick Couchman <[hidden email]>
Sent: Wednesday, June 10, 2020 9:36 AM
To: [hidden email] <[hidden email]>
Subject: Re: How to debug quickconnect auth not working
 
Re: How to debug quickconnect auth not working

vnick
On Wed, Jun 10, 2020 at 9:41 AM Victor Norman <[hidden email]> wrote:
Ah ha! Thanks.

So, a bit more context: I'm upgrading my system from 0.9.9 where we were using auth-noauth. That seems to be gone now...  Any recommendations?


Use authentication :-).  We actually address this in the FAQ:


Perhaps you could explain a bit more about your environment and why you think disabling authentication is a requirement?  There are other options - SSO, Parameter Tokens, etc. - that might help in your specific use-case.
 
I saw in Chapter 5, that there is an option to put disable-auth: true into the guacamole.properties file, and I've done that, but that doesn't seem to have any effect...


The "disable-auth" option you mentioned is a connection parameter, and not a guacamole.properties option.  It is specifically for RDP connections, as there are situations in which you do not want the RDP connection itself to require authentication.  This is not an option to disable authentication for the entire Guacamole Client interface.

-Nick

Re: How to debug quickconnect auth not working

Victor Norman
Our system that uses guacamole 0.9.9 is a "showcase" for our Computer Science department's student projects. Our introductory CS course ends with students doing graphical games using python and tkinter. We like to publish them somewhere where anyone can connect and run the games, without logging in.

You can try it at http://agora.cs.calvin.edu:8080/agora/#/.  I recommend going to the Spring 2018 page or Fall 2017 page.

In our existing system, when a user connects and chooses a game to play, a new virtual X display is created and the guacamole session runs a script to run the game, displaying it in the X virtual display. That display is communicated via guac to HTML5 to the user's browser.

There is no "general purpose" login available, and the only thing a person can do is run the games that are available, so there is no real need for security.



From: Nick Couchman <[hidden email]>
Sent: Wednesday, June 10, 2020 9:58 AM
To: [hidden email] <[hidden email]>
Subject: Re: How to debug quickconnect auth not working
 
Re: How to debug quickconnect auth not working

vnick
On Wed, Jun 10, 2020 at 10:12 AM Victor Norman <[hidden email]> wrote:
Our system that uses guacamole 0.9.9 is a "showcase" for our Computer Science department's student projects. Our introductory CS course ends with students doing graphical games using python and tkinter. We like to publish them somewhere where anyone can connect and run the games, without logging in.

You can try it at http://agora.cs.calvin.edu:8080/agora/#/.  I recommend going to the Spring 2018 page or Fall 2017 page.

In our existing system, when a user connects and chooses a game to play, a new virtual X display is created and the guacamole session runs a script to run the game, displaying it in the X virtual display. That display is communicated via guac to HTML5 to the user's browser.

There is no "general purpose" login available, and the only thing a person can do is run the games that are available, so there is no real need for security.


Three possible options come to mind:
- Use the Header authentication module, which accepts authentication via an HTTP header, and have an upstream server (Nginx, Apache httpd) pass through a header authentication.  You can configure the upstream server to do authentication however you like, including allowing just anyone to connect.  The other benefit would be that you can do some tracking of connections and "authentication" (even if it's anonymous), and potentially keep people from abusing the system.
- Write your own authentication module that authenticates based on whatever criteria you want, even if that's a button or Recaptcha or something along those lines that someone has to click to get in.
- Use JDBC with a common login and just post a note prior to entering the page that has the username/password.  The benefit, here, would be that you can rotate it periodically and just change the header/note so that people have to go to the page and figure out what the current value is.

We deprecated NoAuth because it literally completely bypassed the authentication mechanisms within Guacamole Client, which is bad.  While I certainly understand your desire for easy access to the system and not maintaining accounts for every single user that wants to interact with the page, you should probably be doing some sort of authentication, there, even if it is more or less transparent to the end-user.

-Nick
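
The first option above (header authentication behind a reverse proxy), sketched as an added example; it is not part of the original thread and not the Guacamole project's own configuration. The header name `X-Guac-User`, the shared username `showcase`, the host name and the rate-limit values are assumptions, and the `showcase` account is assumed to have its connections defined in whichever other extension (for example JDBC) stores them.

```nginx
# Belongs inside the http { } context, e.g. a file under conf.d/.
#
# Guacamole side (guacamole.properties), with the header auth extension installed:
#   http-auth-header: X-Guac-User    # assumed name; the extension defaults to REMOTE_USER
#
# Tomcat must be reachable only through this proxy (bind it to 127.0.0.1 or
# firewall port 8080). Anyone who can reach it directly can send the header
# themselves and be logged in as whatever name they put in it.

# Per-address request limit so the anonymous entry point is harder to abuse.
# Constructed values; tune for the real site.
limit_req_zone $binary_remote_addr zone=guac:10m rate=5r/s;

server {
    listen 80;
    server_name showcase.example.edu;    # placeholder host name

    # Keep the access log on: with a shared identity, the proxy log is the
    # only per-visitor record of who connected and when.
    access_log /var/log/nginx/guacamole_access.log;

    location /guacamole/ {
        limit_req zone=guac burst=20;

        # Weak: forwards whatever identity the client sent.
        #   proxy_set_header X-Guac-User $http_x_guac_user;
        #
        # Corrected: the proxy always overwrites the header with a value it
        # chooses, so a client-supplied copy never reaches Guacamole.
        proxy_set_header X-Guac-User "showcase";

        proxy_pass http://127.0.0.1:8080;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Needed for Guacamole's WebSocket tunnel.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}
```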

Re: How to debug quickconnect auth not working

ivanmarcus
In reply to this post by Victor Norman

Although I was rather easily shot down by aliens (or was it submarines!) it's good to see your students' work, and some of the uses Guacamole is put to, thanks.


On 11/06/2020 2:12 a.m., Victor Norman wrote:

You can try it at http://agora.cs.calvin.edu:8080/agora/#/. I recommend going to the Spring 2018 page or Fall 2017 page.