Hello,
Currently using a dockerised environment with guacamole, guacd and mysql
containers, guac version 1.2.
I've managed to successfully set up SFTP over RDP using key pairs and OpenSSH on
the Windows server. This works fine if I'm using MySQL to store the users, as I
can pass the username using parameter tokens along with the key to authenticate
for SFTP.
I do however have a couple of issues with what's currently set up:
* I've tried to set the File Browser Root Directory and Default Upload
Directory to be C:\Users\${GUAC_USERNAME} in an attempt to restrict SFTP users
to their own user profile locations for upload and download. When I specify
this, the RDP session doesn't open and guacd logs show "guacd[22648]: WARNING:
Cannot create SFTP filesystem - "C:\Users\hvekeria" is not a valid path." This
should be a valid path on the windows server however it doesn't seem to
recognise it. I appreciate the root directory may have been intended for linux
servers but how could I go about applying this restriction?
In addition to that, I'm also testing with OpenID Connect:
* When trying to use SFTP over RDP as described above but in an environment
configured with OpenID Connect, the parameter token ${GUAC_USERNAME} passes an
email address because the email address is used as the username in Azure AD
when logging in through Microsoft Services. I haven't found a way to pass
sAMAccountName within the ID Token for OpenID Connect (I'd want to use the
sAMAccountName to log into guacamole) but what this means is that, when trying
to pass a username to the windows server for SFTP access, the username doesn't
seem to be recognised as a valid user. Guacd logs show a timeout "guacd[8431]:
ERROR: User is not responding." Is there a way to create a custom
parameter token similar to ${GUAC_USERNAME} which would read the username input
from the ID Token and remove the domain part of an email address? Windows is
able to identify and log in using the email address as it's able to understand
the domain part of the email address; however, for SFTP, I think OpenSSH would
see the whole email address as a username.
Any assistance here would be appreciated. The second issue may not have a
clear-cut solution, but I'm hoping there's at least a fix for the first issue.
Thanks!
Himat Vekeria
Analyst
Networks, Security and Linux Team
CACI <http://www.caci.co.uk/>
T: 020 7605 6290 | W: www.caci.co.uk
CACI Ltd, Kensington Village, Avonmore Road, London, W14 8TS
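The two checks behind the questions above, written here as an added Python example (not Guacamole's, Win32-OpenSSH's or the poster's code). It assumes, as an approximation of guacd's behaviour, that the SFTP root directory must be an absolute POSIX-style path beginning with "/" (Win32-OpenSSH's SFTP server exposes drive letters as `/C:/...`), and it shows the username mapping a custom token extension would need: strip the domain from an e-mail-style OIDC username only when that domain is on an allow list, and reject anything that is not a plain account name. All sample values are constructed.

```python
import re

# Local account names must be plain identifiers; anything else (slashes,
# dots-only components, UPN leftovers) is rejected rather than passed to SSH.
LOCAL_USER_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._-]{0,19}$")


def normalize_root_path(path: str):
    """Approximation (assumption) of guacd's SFTP root-path check: the root
    must start with '/', and '.'/'..' components are resolved so the result
    can never climb above '/'. A Windows-style 'C:\\Users\\...' string fails
    this check, which matches the "is not a valid path" warning in the post.
    Returns the normalized path, or None if the path is not acceptable."""
    if not path.startswith("/"):
        return None
    parts = []
    for component in path.split("/"):
        if component in ("", "."):
            continue
        if component == "..":
            if parts:
                parts.pop()  # never escape above the root
            continue
        parts.append(component)
    return "/" + "/".join(parts)


def sftp_username_from_oidc(username: str, allowed_domain: str):
    """Derive the local SFTP account name from an OIDC username.
    If the username is an e-mail address, the domain part is stripped only
    when it matches allowed_domain; unknown domains and malformed names are
    rejected (None) so a foreign identity cannot map onto a local account."""
    local, sep, domain = username.partition("@")
    if sep:
        if domain.lower() != allowed_domain.lower():
            return None
        username = local
    if not LOCAL_USER_RE.match(username):
        return None
    return username


if __name__ == "__main__":
    # Constructed examples, not values from the original message.
    print(normalize_root_path("C:\\Users\\alice"))      # None (rejected)
    print(normalize_root_path("/C:/Users/alice"))       # /C:/Users/alice
    print(sftp_username_from_oidc("alice@example.com", "example.com"))  # alice
```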