Please help me disable the Basic Auth #284

Open
taghack opened this issue Oct 6, 2024 · 11 comments
@taghack

taghack commented Oct 6, 2024

I have a few KasmVNC Chrome containers running on a server, all mapped to different ports 6901, 6902 etc. They all work fine, but I need to have them embedded in an iframe. The Basic Authentication has become an issue, since most browsers no longer allow passing login credentials in an iframe URL. I tried configuring an Apache2 server as a proxy to inject the Authentication header, which does work, but then the container cannot find websocky and initiate a web socket connection.

Anyway, I have decided to disable the basic authentication. I have read around and have not found a solution except "pass -disableBasicAuth to the vnc server". How do I do that? The setting apparently isn't exposed in the kasm yaml config file. Please, just tell me how to disable the Basic Auth and make it persistent across server reboots.

Any help is much appreciated!

@mmcclaskey
Collaborator

That flag is documented here, it is an Xvnc argument

Disable basic auth for websocket connections. Default enabled, details read from

You are correct, it is not supported by our yaml config. vncserver interprets the yaml config and calls Xvnc with all the appropriate arguments. While vncserver and the associated yaml config do not support that configuration, vncserver will pass any additional arguments you specify to Xvnc.

https://www.kasmweb.com/kasmvnc/docs/latest/man/vncserver.html

I have not tried this, but something like..

vncserver -disableBasicAuth

@taghack
Author

taghack commented Oct 7, 2024

So I should just put

vncserver -disableBasicAuth

at the end of the yaml config file? Thank you!

@taghack
Author

taghack commented Oct 7, 2024

It did not work. In fact, it made the yaml file invalid and I had to redeploy the entire docker container. Could you please tell me where and how to add the line:

vncserver -disableBasicAuth

Thank you!

@GogoFC

GogoFC commented Oct 8, 2024

I can tell you how to pass the auth to Kasm with Nginx Proxy Manager so you're not in the auth loop and maybe you can figure out the Apache equivalent.

I was in the Auth Loop before I found an answer on NPM Github that someone posted.

The part that I added in Custom locations is

location / {
    # Authorization
    auth_basic            "Authorization required";
    proxy_set_header Authorization $http_authorization;

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;

    # Proxy!
    include conf.d/include/proxy.conf;
}

The full nginx conf file is

# ------------------------------------------------------------
# kasm.irondesign.dev
# ------------------------------------------------------------

server {
  set $forward_scheme https;
  set $server         "10.7.0.57";
  set $port           443;

  listen 80;
  listen [::]:80;

  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name kasm.irondesign.dev;

  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-44/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-44/privkey.pem;

  # Block Exploits
  include conf.d/include/block-exploits.conf;

  # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
  add_header Strict-Transport-Security "max-age=63072000;includeSubDomains; preload" always;

  # Force SSL
  include conf.d/include/force-ssl.conf;

  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $http_connection;
  proxy_http_version 1.1;

  access_log /data/logs/proxy-host-34_access.log proxy;
  error_log /data/logs/proxy-host-34_error.log warn;

  location / {
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-For    $remote_addr;
    proxy_set_header X-Real-IP          $remote_addr;
    proxy_pass       https://10.7.0.57:443;

    # Block Exploits
    include conf.d/include/block-exploits.conf;

    # Force SSL
    include conf.d/include/force-ssl.conf;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
    add_header Strict-Transport-Security "max-age=63072000;includeSubDomains; preload" always;

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;

    location / {
      # Authorization
      auth_basic            "Authorization required";
      proxy_set_header Authorization $http_authorization;

      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $http_connection;
      proxy_http_version 1.1;

      # Proxy!
      include conf.d/include/proxy.conf;
    }
  }

  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}

This can now be added in iFrames in Organizr2 and Dashy.

This also works with Kasm Workspaces if you want to add a local server in infrastructure and then add it as a workspace so you can RDP into a local Windows machine.

I also tried to disable Basic Auth at first but couldn't do it.

I don't see websockets mentioned in the nginx proxy file but those are enabled in the GUI.

These Webtop containers come with Auth Disabled but I didn't try to see how they do it. I just pass a Docker variable but what that does inside idk.
https://docs.linuxserver.io/images/docker-webtop/#application-setup
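
Added example, not part of the post above and not KasmVNC or Nginx Proxy Manager configuration: a plain nginx server block for the proxy approach discussed in this thread, where KasmVNC keeps Basic Auth and the proxy supplies the credential, so the iframe URL carries none. Hostnames, networks, certificate paths and the credential are placeholders, and the upstream is assumed to be the first container serving HTTPS on port 6901.

```nginx
# http{} context: send "Connection: upgrade" only when the client asked for one,
# so ordinary page loads and the VNC websocket share one location.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name kasm1.example.internal;            # placeholder

    ssl_certificate     /etc/nginx/tls/kasm1.crt;  # placeholder paths
    ssl_certificate_key /etc/nginx/tls/kasm1.key;

    # The proxy now holds the container credential, so the proxy decides who
    # may connect at all.
    allow 192.0.2.0/24;                            # placeholder: dashboard users' network
    deny  all;

    # Only the dashboard origin may embed this site in an iframe.
    add_header Content-Security-Policy "frame-ancestors https://dashboard.example.internal" always;

    location / {
        proxy_pass https://127.0.0.1:6901;         # assumed: container 1 on port 6901

        # Websocket upgrade; without these two headers and HTTP/1.1 the page
        # loads but the VNC websocket never opens.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;

        # Overwrite whatever the browser sent with the container's credential.
        # Placeholder value: base64 of "user:password" for the KasmVNC user.
        proxy_set_header Authorization "Basic BASE64_USER_COLON_PASSWORD";

        # VNC sessions are long-lived; do not drop an idle websocket after 60s.
        proxy_read_timeout 1h;
    }
}
```

Each additional container (6902 and so on) gets its own server block or location with its own credential; the file holding the credential should be readable only by the nginx user.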

@GogoFC

GogoFC commented Oct 8, 2024

> That flag is documented here, it is an Xvnc argument
>
> Disable basic auth for websocket connections. Default enabled, details read from
>
> You are correct, it is not supported by our yaml config. vncserver interprets the yaml config and calls Xvnc with all the appropriate arguments. While vncserver and the associated yaml config do not support that configuration, vncserver will pass any additional arguments you specify to Xvnc.
>
> https://www.kasmweb.com/kasmvnc/docs/latest/man/vncserver.html
>
> I have not tried this, but something like..
>
> vncserver -disableBasicAuth

But would it make more sense to leave Auth locally to KasmVNC because of Linux users and KasmVNC users? I thought of that because of the reply you gave me for auto starting KasmVNC. Offloading Basic Auth to an HTTP proxy server would only give you one username? idk if that last one is correct.

@GogoFC

GogoFC commented Oct 8, 2024

> So I should just put
>
> vncserver -disableBasicAuth
>
> at the end of the yaml config file? Thank you!

You put the flag behind the command when you run the vncserver from the console by running vncserver -disableBasicAuth instead of just vncserver where it sets up the user and password. I didn't try this either. I'll try it now and see what happens.

@taghack
Author

taghack commented Oct 8, 2024

There is a startup script that runs the vncserver command, though, and the default docker user has no write access to that script. I can't edit it :(

@GogoFC

GogoFC commented Oct 8, 2024

Are you running Docker? Or did you install KasmVNC as a package like .deb in a VM?

Isn't it your own Docker? If not, can you send what you use?

@taghack
Author

taghack commented Oct 8, 2024

It is deployed in a docker container. I own the container, but I do not have root access in the container itself. I don't know the root password. This is the docker image I am using: https://hub.docker.com/r/kasmweb/chrome

@GogoFC

GogoFC commented Oct 8, 2024

Yeah, I don't know how to pass that argument to docker run. It's probably impossible since they don't support it. You would have to build your own container from theirs and then edit the startup script.

I found this somewhere, this is the argument passed
https://github.com/bpmct/coder-templates/blob/main/better-vnc/build/vnc_startup.sh#L65

https://github.com/linuxserver/docker-webtop this one runs without auth but you can't really install Chrome on it normally. You have to run google-chrome --no-sandbox so that's not a solution but they probably have the script somewhere to show how they do it.

The command works fine on my Laptop when I run vncserver -disableBasicAuth but yeah idk how to do it in docker.

@taghack
Author

taghack commented Oct 8, 2024

Interesting. Thanks a lot for finding the call location in the startup script. I think I might have to find a way to build my own docker image. Thanks for all the help!
