On Thu, Dec 3, 2020 at 12:08 PM Himat Vekeria <[email protected]> wrote:

> Hello,
>
> Currently using a dockerised environment with guacamole, guacd and mysql
> containers, guac version 1.2.
>
> I’ve managed to successfully set up SFTP over RDP using key pairs and
> openssh on the windows server, this works fine if I’m using mysql to store
> the users as I can pass the username using parameter tokens along with the
> key to authenticate for SFTP.

This may be a minor point, but SFTP does not run "over RDP", it runs
alongside it - that is, the SFTP traffic is using separate
communication channels from the RDP connection.


> I do however have a couple of issues with what’s currently set up:
>
>    - I’ve tried to set the File Browser Root Directory and Default Upload
>    Directory to be C:\Users\${GUAC_USERNAME} in an attempt to restrict SFTP
>    users to their own user profile locations for upload and download. When I
>    specify this, the RDP session doesn’t open and guacd logs show
>    “guacd[22648]: WARNING:  Cannot create SFTP filesystem -
>    "C:\Users\hvekeria" is not a valid path.” This should be a valid path on
>    the windows server; however, it doesn’t seem to recognise it. I appreciate
>    the root directory may have been intended for linux servers, but how could I
>    go about applying this restriction?
>
I believe this likely depends upon how the directory translation is handled
between Linux and OpenSSH on Windows. If you launch an SFTP client on Linux
and connect directly to your OpenSSH session on Windows, can you go to
"C:\Users\hvekeria", or does this get translated to a more POSIX-compliant
path (/c/users/hvekeria or something like that)?


> In addition to that, I’m also testing with OpenID Connect
>
>    - When trying to use SFTP over RDP as described above but in an
>    environment configured with OpenID Connect, the parameter token
>    ${GUAC_USERNAME} passes an email address because the email address is used
>    as the username in Azure AD when logging in through Microsoft Services. I
>    haven’t found a way to pass sAMAccountName within the ID Token for OpenID
>    Connect (I’d want to use the sAMAccountName to log into guacamole), but what
>    this means is that, when trying to pass a username to the windows server
>    for SFTP access, the username doesn’t seem to be recognised as a valid
>    user. Guacd logs show a timeout “guacd[8431]: ERROR:     User is not
>    responding.” – Is there a way to create a custom parameter token similar to
>    ${GUAC_USERNAME} which would read the username input from the ID Token and
>    remove the domain part of an email address? Windows is able to identify and
>    log in using the email address as it’s able to understand the domain part
>    of the email address; however, for SFTP, I think openSSH would see the whole
>    email address as a username.
>
Yes, this is going to be an issue that I think you'll find hard to work
around, for two reasons. One is the username issue, which, again, is more
on the Windows side of things - if OpenID Connect is passing a particular
username through, and Windows doesn't recognize that as a valid username
(either for RDP or SFTP), then there may not be a lot you can do about that
- you either have to get Windows to recognize the username as valid, or you
have to get OpenID to pass some other information through. Yes, you could
potentially modify the OpenID code in Guacamole to pass through some other
parameter tokens, if OpenID is providing those - that would be a pretty
trivial change. There is some work being done on this front for Group
Membership, and I think it could easily be extended to other attributes.

The other issue you're going to have, though, even if you get past the
username issue, is that ${GUAC_PASSWORD} will not be populated, because
OpenID will not supply to Guacamole the password used to authenticate the
user. So, even if you get the username working, you won't get a valid RDP
or SFTP session. This will be partially resolved in 1.3.0, which includes
support for prompting for credentials with RDP; however, SFTP will not
prompt for credentials, so that connection will still fail.

-Nick

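To make the "custom parameter token" idea from the thread concrete, here is a small Python model of Guacamole-style `${NAME}` token substitution with an extra, hypothetical `GUAC_USERNAME_LOCAL` token derived from the email-style username by dropping the domain part. This is added example code, not Guacamole's own TokenFilter or OpenID extension, and it does not show how to wire the token into the real Java code. The `${NAME}` / `$$` syntax is modelled on Guacamole's tokens but is assumed here; `GUAC_USERNAME_LOCAL` is an invented name; the connection parameters (`sftp-root-directory`, `sftp-directory`, `sftp-username`, `enable-sftp`) are Guacamole RDP parameter names; the hostname and usernames are constructed sample values. Because the derived value ends up inside a filesystem root path, the example refuses any local part that contains path separators or other unexpected characters, so an identity-provider-supplied username cannot widen the SFTP root.

```python
import re
from typing import Dict

# Assumed Guacamole-style token syntax: "${NAME}" is a token, "$$" is an
# escaped literal "$". Modelled on Guacamole's tokens, not its code.
TOKEN_RE = re.compile(r"\$\$|\$\{([A-Za-z0-9_]+)\}")

# Allow-list for a username that will be spliced into a filesystem path:
# no slashes, backslashes, "..", "$", spaces or control characters.
SAFE_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")

# Constructed sample connection, using Guacamole RDP/SFTP parameter names.
SAMPLE_CONNECTION = {
    "hostname": "winserver.example.internal",   # constructed value
    "enable-sftp": "true",
    "sftp-username": "${GUAC_USERNAME_LOCAL}",  # hypothetical token
    "sftp-root-directory": "C:\\Users\\${GUAC_USERNAME_LOCAL}",
    "sftp-directory": "C:\\Users\\${GUAC_USERNAME_LOCAL}",
}


def local_part(username: str) -> str:
    """Strip the domain from an email/UPN-style username.

    'hvekeria@example.com' -> 'hvekeria'; a bare username is unchanged.
    """
    return username.split("@", 1)[0]


def build_tokens(idp_username: str) -> Dict[str, str]:
    """Token map as the IdP-backed login would expose it, plus the derived
    GUAC_USERNAME_LOCAL token (hypothetical name). Raises if the local part
    is not safe to embed in a path."""
    local = local_part(idp_username)
    if not SAFE_USERNAME_RE.match(local) or local in (".", ".."):
        raise ValueError(f"refusing to derive a path token from {idp_username!r}")
    return {
        "GUAC_USERNAME": idp_username,
        "GUAC_USERNAME_LOCAL": local,
    }


def filter_tokens(value: str, tokens: Dict[str, str]) -> str:
    """Substitute ${NAME} tokens in one parameter value.

    Unknown tokens are left untouched (as an unpopulated token such as
    ${GUAC_PASSWORD} would be); "$$" becomes a literal "$".
    """
    def repl(match: "re.Match[str]") -> str:
        if match.group(0) == "$$":
            return "$"
        return tokens.get(match.group(1), match.group(0))
    return TOKEN_RE.sub(repl, value)


def resolve_connection(params: Dict[str, str], idp_username: str) -> Dict[str, str]:
    """Apply token substitution to every connection parameter."""
    tokens = build_tokens(idp_username)
    return {key: filter_tokens(val, tokens) for key, val in params.items()}


if __name__ == "__main__":
    resolved = resolve_connection(SAMPLE_CONNECTION, "hvekeria@example.com")
    for key, val in resolved.items():
        print(f"{key} = {val}")
```

Running the block prints the resolved parameters with `sftp-root-directory` set to `C:\Users\hvekeria`; whether Windows OpenSSH accepts that path form is the separate question raised in the reply above, and the example only addresses the token side. Substituting a path-unsafe username (for example one containing `/` or `..`) raises instead of producing a root directory outside `C:\Users`.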