On Tue, Nov 24, 2020 at 4:23 AM Himat Vekeria <[email protected]> wrote:

> Hi Nick,
>
> Thanks for the info and response, just a couple of additional things on
> this:
>
> “The virtual drive is managed entirely by guacd and forwarded through the
> RDP session, so there aren't any credentials for this, per se. That is, all
> of the files on the destination system will be owned by the Linux account
> that is running guacd, and will need to be accessible by this account.”
>
> I had thought that the files were only temporarily stored on the Linux
> system running guacd, does that mean files are permanently stored on the
> Linux system and only accessible by the Windows OS post authentication? The
> main concern here is access to files on the OS without having authenticated
> to the Windows system so if it's purely stored on the Linux system then that
> makes things a bit easier here. I’d also be able to set up some cleanup
> scripts for files (unless Guacamole has some clean up function for files?)

Assuming we're talking about the RDP Drive Redirection option within an RDP
connection, no, the files are not stored temporarily. The storage path that
you set to redirect as a virtual drive to the RDP session is a persistent
storage location, and will continue to store the files. The only exception
to this is the "Download" folder, which is a virtual folder that simply
triggers a download through the browser - files dragged into this folder
will be downloaded and not stored.


> Unsure if I need to raise a separate thread for this but I did try setting
> up an SFTP server as mentioned; however, the issue raised surrounding this
> was storing credentials – I tried to use a generic service account with a
> key pair to get around storing passwords (password policies force a change
> every 30 days) and I’d thought this would only try authenticating for the
> SFTP account but when trying to access the RDP connection, it would fail
> authentication and made it seem as though it was trying to use the service
> account/key pair to authenticate against Windows

Assuming your Guacamole instance is logging in with AD (via LDAP), I would
suggest using the ${GUAC_USERNAME} and ${GUAC_PASSWORD} tokens for both the
Windows authentication as well as the SFTP server authentication (again,
the SFTP server needs to be domain-joined in this case, and accept the same
logins). That would avoid having to persistently store any credentials
anywhere, as they are dynamically passed through from Guacamole:

http://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens

-Nick
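
Added example (not part of the original thread and not Guacamole code): because the redirected drive path is persistent and its files belong to the account running guacd, a periodic job on the Linux host can report entries readable beyond that owner and delete files past a retention window. The function name, the 7-day default and the sample tree are assumptions made for illustration.

```python
import os
import stat
import time


def audit_and_prune(drive_path, max_age_days=7, dry_run=False):
    """Audit and clean a directory used as an RDP redirected drive.

    Returns (exposed, removed):
      exposed - remaining entries whose mode grants group/other access
      removed - regular files older than max_age_days (deleted unless dry_run)
    """
    cutoff = time.time() - max_age_days * 86400
    exposed, removed = [], []
    entries = [drive_path]
    # followlinks=False: never descend through a symlink placed in the share.
    for root, dirs, files in os.walk(drive_path, followlinks=False):
        entries += [os.path.join(root, name) for name in dirs + files]
    for path in entries:
        st = os.lstat(path)  # lstat inspects a link itself, not its target
        if stat.S_ISLNK(st.st_mode):
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mtime < cutoff:
            if not dry_run:
                os.remove(path)
            removed.append(path)
        elif st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            exposed.append(path)
    return sorted(exposed), sorted(removed)


if __name__ == "__main__":
    import tempfile
    # Constructed sample tree standing in for the configured drive path.
    with tempfile.TemporaryDirectory() as drive:
        stale = os.path.join(drive, "report.docx")
        with open(stale, "w") as fh:
            fh.write("constructed sample")
        os.chmod(stale, 0o600)
        os.utime(stale, (0, 0))  # mtime in 1970, far past the retention window
        print(audit_and_prune(drive, dry_run=True))
```

Run it as the guacd account with dry_run=True first, so the list of files that would be removed can be reviewed before anything is deleted.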
