Open taghack opened 2 weeks ago
That flag is documented here, it is an Xvnc argument https://github.com/kasmtech/KasmVNC/blob/a89f71d98d97d8551119f8a48de3699cdd8c86e8/unix/xserver/hw/vnc/Xvnc.man#L435
You are correct, it is not supported by our yaml config. vncserver interprets the yaml config and calls Xvnc with all the appropriate arguments. While vncserver and the associated yaml config do not support that configuration, vncserver will pass any additional arguments you specify to Xvnc.
https://www.kasmweb.com/kasmvnc/docs/latest/man/vncserver.html
I have not tried this, but something like..
vncserver -disableBasicAuth
So I should just put
vncserver -disableBasicAuth
at the end of the yaml config file? Thank you!
It did not work. In fact it made the yaml file invalid and I had to redeploy the entire docker container. Could you please tell me where and how to add the line:
vncserver -disableBasicAuth
Thank you!
I can tell you how to pass the auth to Kasm with Nginx Proxy Manager so you're not in the auth loop and maybe you can figure out the Apache equivalent.
I was in the Auth Loop before I found an answer on NPM Github that someone posted.
The part that I added in Custom locations is
location / {
  # Authorization
  auth_basic "Authorization required";
  proxy_set_header Authorization $http_authorization;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $http_connection;
  proxy_http_version 1.1;
  # Proxy!
  include conf.d/include/proxy.conf;
}
The full nginx conf file is
# ------------------------------------------------------------
# kasm.irondesign.dev
# ------------------------------------------------------------
server {
  set $forward_scheme https;
  set $server "10.7.0.57";
  set $port 443;
  listen 80;
  listen [::]:80;
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name kasm.irondesign.dev;
  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-44/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-44/privkey.pem;
  # Block Exploits
  include conf.d/include/block-exploits.conf;
  # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
  add_header Strict-Transport-Security "max-age=63072000;includeSubDomains; preload" always;
  # Force SSL
  include conf.d/include/force-ssl.conf;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $http_connection;
  proxy_http_version 1.1;
  access_log /data/logs/proxy-host-34_access.log proxy;
  error_log /data/logs/proxy-host-34_error.log warn;
  location / {
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_pass https://10.7.0.57:443;
    # Block Exploits
    include conf.d/include/block-exploits.conf;
    # Force SSL
    include conf.d/include/force-ssl.conf;
    # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
    add_header Strict-Transport-Security "max-age=63072000;includeSubDomains; preload" always;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;
    location / {
      # Authorization
      auth_basic "Authorization required";
      proxy_set_header Authorization $http_authorization;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $http_connection;
      proxy_http_version 1.1;
      # Proxy!
      include conf.d/include/proxy.conf;
    }
  }
  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}
This can now be added in iFrames in Organizr2 and Dashy.
This also works with Kasm Workspaces if you want to add a local server in infrastructure and then add it as a workspace so you can RDP into a local Windows machine.
I also tried to disable Basic Auth at first but couldn't do it.
I don't see websockets mentioned in the nginx proxy file but those are enabled in the GUI.
These Webtop containers come with Auth Disabled but I didn't try to see how they do it. I just pass a Docker variable but what that does inside idk. https://docs.linuxserver.io/images/docker-webtop/#application-setup
That flag is documented here, it is an Xvnc argument
You are correct, it is not supported by our yaml config. vncserver interprets the yaml config and calls Xvnc with all the appropriate arguments. While vncserver and the associated yaml config do not support that configuration, vncserver will pass any additional arguments you specify to Xvnc.
https://www.kasmweb.com/kasmvnc/docs/latest/man/vncserver.html
I have not tried this, but something like..
vncserver -disableBasicAuth
But would it make more sense to leave Auth locally to KasmVNC because of Linux users and KasmVNC users? I thought of that because of the reply you gave me for auto starting KasmVNC. Offloading Basic Auth to an http proxy server would only give you one username? idk if that last one is correct.
So I should just put
vncserver -disableBasicAuth
at the end of the yaml config file? Thank you!
You put the flag behind the command when you run the vncserver from the console by running vncserver -disableBasicAuth instead of just vncserver where it sets up the user and password. I didn't try this either. I'll try it now and see what happens.
There is a startup script that runs the vncserver command though, and the default docker user has no write access to that script; I can't edit it :(
Are you running Docker? Or did you install KasmVNC as a package like .deb in a VM?
Isn't it your own Docker? If not can you send what you use?
It is deployed in a docker container. I own the container, but I do not have root access in the container itself. I don't know the root password. This is the docker image I am using: https://hub.docker.com/r/kasmweb/chrome
Yeah, I don't know how to pass that argument to docker run. It's probably impossible since they don't support it. You would have to build your own container from theirs and then edit the startup script.
I found this somewhere, this is the argument passed https://github.com/bpmct/coder-templates/blob/main/better-vnc/build/vnc_startup.sh#L65
https://github.com/linuxserver/docker-webtop this one runs without auth but you can't really install Chrome on it normally. You have to run google-chrome --no-sandbox so that's not a solution but they probably have the script somewhere to show how they do it.
The command works fine on my Laptop when I run vncserver -disableBasicAuth but yeah idk how to do it in docker.
Interesting. Thanks a lot for finding the call location in the startup script. I think I might have to find a way to build my own docker image. Thanks for all the help!
I have a few KasmVNC Chrome containers running on a server all mapped to different ports 6901, 6902 etc. They all work fine but I need to have them embedded in an iframe. The Basic Authentication has become an issue, since most browsers no longer allow passing login credentials in iframe URL. I tried configuring an Apache2 server as a proxy to inject the Authentication header, which does work, but then the container can not find websocky and initiate a web socket connection.
Anyway, I have decided to disable the basic authentication. I have read around and have not found a solution except "pass -disableBasicAuth to the vnc server". How do I do that? The setting apparently isn't exposed in the kasm yaml config file. Please, just tell me how to disable the Basic Auth and make it persistent across server reboots.
Any help is much appreciated!