Kasm: Disposable Secure Browser or Desktop
Kasm - Web Accessible Browser/Desktop Provides Security, Disposability, and Accessibility

What is Kasm?

According to its web site...

Kasm is a cheap, scalable method of providing a remote desktop, or a sandboxed web browser, onto an infrastructure from a remote host without the need for a VPN or installing clients on a PC.

With the joy of the 2020 lockdown still being a thing at the time this post was written, people have been working from home for most of the year. The long-term security implications of this are not lost on IT staff.

Kasm is looking to provide a simple, secure remote access solution for small businesses.

It's not going to be for everyone, I think that's pretty evident. It's not providing a Microsoft Windows desktop experience and, to be honest, does it need to any more? It's providing a desktop or a web browser window which is run from the business's platform, with the added security that brings. With most of what we do being web based these days, this is a really interesting tool for those situations.

What resources do I need?

The server resources needed to run this scale with users: the more users and services you add, the more resources the systems Kasm runs on will need.

In this blog I'm going to do a single box install (it will scale horizontally as well), and the site suggests the following base resources:

CPU - 2 cores
Memory - 4GB
Storage - 30GB (SSD)

I installed on pretty much this spec, with 320Gb of disk space, on Ubuntu 20.04.

Install Kasm

The install is really simple: it's a pre-created script which sets up a Docker environment and everything you need, including secure creds, to get the single box install running.

The Docs for Install can be found here.

Getting Started — Kasm 1.7.0 documentation

Resource Allocation

Administrators can configure Kasms to provision with any amount of CPU or memory allocations by editing them in the Kasm Image Settings. However, even a host with more than enough system memory can run into stability issues without enabling a swap partition. For this reason, the Kasm installation requires a swap partition to be present.

Warning
Install a swap partition for best stability of end user Kasms. For additional details on Docker resource constraints see the following link: Docker Resource Constraints

Creating A Swap Partition

For general information on swap partitions check out the Ubuntu Documentation

The following steps will create a 1 gigabyte (1g) Swap partition. It is recommended to allocate 1 gigabyte per concurrent Kasm you expect to run at any given time. Please adjust according to your needs.

sudo fallocate -l 1g /mnt/1GiB.swap 
sudo chmod 600 /mnt/1GiB.swap 
sudo mkswap /mnt/1GiB.swap 
sudo swapon /mnt/1GiB.swap

Verify swap file exists

cat /proc/swaps

To make the swap file available on boot

echo '/mnt/1GiB.swap swap swap defaults 0 0' | sudo tee -a /etc/fstab
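
A check for the swap steps above, added here as an example (it is not part of the original post or the Kasm documentation). It verifies the 1 GiB per concurrent Kasm sizing against /proc/swaps, the 600 mode set by the chmod step, and that the fstab line was appended only once. The function names and the --audit flag are hypothetical, and stat -c assumes GNU coreutils as on Ubuntu.

```shell
#!/bin/sh
# Added example: audit the swap file created in the steps above.
# Function names are hypothetical; stat -c assumes GNU coreutils (Ubuntu).

# Total active swap in KiB, read from a /proc/swaps-format file.
swap_total_kib() {
    awk 'NR > 1 && NF >= 3 { t += $3 } END { print t + 0 }' "$1"
}

# swap_sufficient SWAPS_FILE CONCURRENT_KASMS [PAGE_KIB]
# Rule from the text: 1 GiB per concurrent Kasm. mkswap keeps one page per
# swap area for its header, so a 1 GiB file reports 1048572 KiB, not 1048576.
swap_sufficient() {
    awk -v n="$2" -v page="${3:-4}" '
        NR > 1 && NF >= 3 { total += $3; areas++ }
        END { exit !(total >= n * 1048576 - areas * page) }' "$1"
}

# Swap holds paged-out memory from user sessions, so the file must not be
# readable by group or other, and must belong to root.
swapfile_mode_ok()    { [ "$(stat -c '%a' "$1")" = "600" ]; }
swapfile_root_owned() { [ "$(stat -c '%u' "$1")" = "0" ]; }

# Count active (uncommented) swap entries for PATH in an fstab-format file.
# Re-running the "tee -a" step appends a duplicate, so expect exactly 1.
fstab_entry_count() {
    awk -v p="$2" '$1 == p && $3 == "swap" { n++ } END { print n + 0 }' "$1"
}

# Usage: sh check_swap.sh --audit /mnt/1GiB.swap 1
if [ "${1:-}" = "--audit" ]; then
    f=$2; n=$3; rc=0
    page_kib=$(( $(getconf PAGESIZE) / 1024 ))
    swap_sufficient /proc/swaps "$n" "$page_kib" ||
        { echo "FAIL: $(swap_total_kib /proc/swaps) KiB active, want ${n} GiB"; rc=1; }
    { swapfile_mode_ok "$f" && swapfile_root_owned "$f"; } ||
        { echo "FAIL: $f must be root-owned with mode 600"; rc=1; }
    [ "$(fstab_entry_count /etc/fstab "$f")" = "1" ] ||
        { echo "FAIL: expected exactly one fstab entry for $f"; rc=1; }
    exit "$rc"
fi
```

Run it with sudo after the swapon step, passing the number of concurrent Kasms you sized the swap for.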

Installation

cd /tmp 
tar -xf kasm_release*.tar.gz 
sudo bash kasm_release/install.sh

Note

If you would like to run the Web Application on a different port, pass the -L flag when calling the installer, e.g. sudo bash kasm_release/install.sh -L 8443

Install Complete

Once the installation is complete, the following login details, generated for your install, will be displayed. Save these somewhere safe.

Installation Complete


Kasm UI Login Credentials

------------------------------------
   username: admin@kasm.local
   password: MXbRtmBSxUN
------------------------------------
   username: user@kasm.local
   password: 9Zg2sHVWem1
------------------------------------

Kasm Database Credentials
------------------------------------
   username: kasmapp
   password: tqtS9F27HesI9c
------------------------------------

Kasm Redis Credentials
------------------------------------
  password: mk0r25vZzICroGTPyW52
------------------------------------

Default Login

  • Access the Web Application running on port 443 at https://<WEBAPP_SERVER>
  • Log into the Web Application as the Administrator using the default credentials produced during the install.
Note
By default, the Administrators group has a 2 hours daily usage limit defined. This can be changed or removed by altering the usage_limit Group Setting on the Administrators group.

Setup Kasm

Logging in as administrator takes you to a pretty standard Admin page with a dashboard view.

The first thing I did with my test install was to set up SAML Single Sign-On with my GSuite account.

Google GSuite SAML Setup — Kasm 1.7.0 documentation

Even with my Kasm install not being public internet facing, this lets me log in using my GSuite account.

This worked first time and shows how good the instructions are with the product.

Other Useful setup guides include

Persistent Data — Kasm 1.7.0 documentation
Deployment Zones — Kasm 1.7.0 documentation

Using Kasm

Once the users and groups are set up, out of the box Kasm comes with 5 Kasm Images (which are Docker images), which are split into:

Desktops

  • Kasm Desktop - A light browser based desktop with Firefox installed
  • Kasm Desktop Deluxe - A fully stacked desktop with Microsoft Teams, Slack, Nextcloud (Built as a demo)

These Desktops will stay open even when you log off Kasm. However, if the desktop is killed by the Administrator, the data in the container is lost by default. It is possible to map data out to a central server using the Persistent Data link above.

Both Desktops have a config menu on the left side

Applications

The Application examples, like the Desktops, are Docker-based images, and each creates a sandboxed version of one of these browsers.

  • Kasm Firefox
  • Kasm Chrome
  • Kasm Tor Browser

As an application the browser again opens within your preferred browser, so in this example I've got Firefox running on KDE Plasma. I opened the Kasm Chrome sandboxed browser and that opened in the browser window.

Like the Desktops, the Applications have the same config options in a menu on the left.

Files can be copied up and down from the Desktops or Apps using this menu, and as an administrator you get a complete audit of almost everything: what is uploaded, downloaded or shared, when the mic/video is launched, and what is copied to the clipboard.

Creating Custom Kasm Images

Images — Kasm 1.7.0 documentation

It's very obvious that, while out of the box there are some very useful examples of Kasm Images to run and they do provide useful functionality (well, they do for me at least), the true power of Kasm is being able to create your own custom desktop or sandboxed apps.

I'll be looking into how to deliver these over the next few weeks and see what is needed to create a desktop with the apps I use daily as a Linux user.

There is no doubt about it, this is really cool tech.

It's useful tech for today's workspaces, which revolve around the browser and a handful of apps that are more and more getting Linux versions or seriously usable alternatives (OnlyOffice, Nextcloud).

The auditability is a great feature for those companies with increasing numbers of home users, and the fact I can run this without being internet facing (over VPN), or internet facing with my login connected to GSuite or Office365, is a great feature.

Personally, having the Documents folder of a desktop linked directly to my personal Nextcloud server, along with Teams, OnlyOffice, Remmina and Slack, on a disposable desktop which will stay open between sessions or can be killed and started again quickly, means I can use this as is, out of the box.

I'm going to spend some time building my own desktop image and see how easy that is.

I like this tech.