On Wed, Jun 10, 2020 at 10:12 AM Victor Norman <[email protected]> wrote:
> Our system that uses guacamole 0.9.9 is a "showcase" for our Computer
> Science department's student projects. Our introductory CS course ends with
> students doing graphical games using python and tkinter. We like to publish
> them somewhere where anyone can connect and run the games, without logging
> in.
>
> You can try it at http://agora.cs.calvin.edu:8080/agora/#/. I recommend
> going to the Spring 2018 page or Fall 2017 page.
>
> In our existing system, when a user connects and chooses a game to play, a
> new virtual X display is created and the guacamole session runs a script to
> run the game, displaying it in the X virtual display. That display is
> communicated via guac to HTML5 to the user's browser.
>
> There is no "general purpose" login available, and the only thing a person
> can do is run the games that are available, so there is no real need for
> security.
>

Three possible options come to mind:

- Use the Header authentication module, which accepts authentication via an HTTP header, and have an upstream server (Nginx, Apache httpd) pass through a header authentication. You can configure the upstream server to do authentication however you like, including allowing just anyone to connect. The other benefit would be that you can do some tracking of connections and "authentication" (even if it's anonymous), and potentially keep people from abusing the system.
- Write your own authentication module that authenticates based on whatever criteria you want, even if that's a button or Recaptcha or something along those lines that someone has to click to get in.
- Use JDBC with a common login and just post a note prior to entering the page that has the username/password. The benefit, here, would be that you can rotate it periodically and just change the header/note so that people have to go to the page and figure out what the current value is.

We deprecated NoAuth because it literally completely bypassed the authentication mechanisms within Guacamole Client, which is bad. While I certainly understand your desire for easy access to the system and not maintaining accounts for every single user that wants to interact with the page, you should probably be doing some sort of authentication, there, even if it is more or less transparent to the end-user.

-Nick
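
Added example, not part of the original message and not the Guacamole project's own configuration: a sketch of the first option, with Nginx in front of Guacamole supplying a fixed anonymous identity through the header extension. The server name, the user name `showcase`, the log path and the connection limit are assumptions; the `/agora/` path and port 8080 follow the URL quoted above.

```nginx
# Added example. Names and values marked "assumed" are not from the thread.

# http {} context: cap concurrent connections per client IP (value assumed).
limit_conn_zone $binary_remote_addr zone=showcase_conn:10m;

server {
    listen 80;
    server_name showcase.example.edu;            # assumed placeholder

    location /agora/ {
        limit_conn showcase_conn 10;             # assumed limit, tune to taste

        # Set the identity header on every proxied request. proxy_set_header
        # replaces any REMOTE_USER value sent by the browser, so a client
        # cannot choose its own Guacamole user.
        proxy_set_header REMOTE_USER "showcase"; # assumed shared anonymous user

        proxy_pass http://127.0.0.1:8080/agora/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;

        # Keep a record of who connects, even though everyone is anonymous.
        access_log /var/log/nginx/showcase_access.log;   # assumed path
    }
}

# guacamole.properties, with the header authentication extension installed:
#   http-auth-header: REMOTE_USER
```

The header extension trusts whatever value arrives in that header, so the servlet container should listen only on 127.0.0.1; if port 8080 stays reachable from outside, any client can send the header itself and skip the proxy.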
