On Mon, Nov 10, 2025 at 9:44 AM Théo ORENGO <[email protected]>
wrote:

> Hello,
>
> I am writing to report a persistent issue regarding the use of
> user-specific SSH private keys with the JDBC authentication extension
> in Apache Guacamole (version 1.5.0, running via the latest Docker
> images).
>
> My objective is to configure a shared SSH connection that utilizes
> nominative keys, with each user's private key stored as a private-key
> attribute in the guacamole_user_attribute table (MariaDB backend). The
> expected behavior is that Guacamole would utilize this user-specific
> attribute when the connection's primary "Private Key" parameter is
> left blank.
>
> This standard mechanism, however, is not functioning. Our DEBUG logs
> from guacd confirm that when using this standard inheritance method,
> no private key is ever transmitted to the daemon; the connection
> defaults to password authentication. We have validated that the key
> itself (a standard, unencrypted traditional RSA PEM, -----BEGIN RSA
> PRIVATE KEY-----) is correct and functions perfectly via a standard
> SSH terminal client.
>
>
I'm not sure what you mean by "this standard mechanism", or what "standard
inheritance method" you're referring to? Guacamole doesn't have any such
built-in inheritance mechanisms that I'm aware of, particularly as it
relates to the storage of private keys. Unless you've written a custom
extension with this functionality, it does not exist (to my knowledge) in
any of the standard images or extensions. The only way to really accomplish
this with the project-provided extensions would be to use the KSM
integration, but you haven't mentioned that as part of your setup, and that
would be outside of the standard JDBC module.


> To bypass this apparent inheritance failure, we attempted to force the
> attribute retrieval by using the Expression Language (EL) variable
> ${#user.private-key} directly in the connection's "Private Key"
> parameter field. This test yielded partial success: the guacd logs
> confirmed that a key was received (Auth key successfully imported).
> However, the authentication immediately failed with the error: Public
> key authentication failed: Unable to extract public key from private
> key file: Unsupported private key file format. This same error
> occurred regardless of whether the key stored in the database was in
> traditional RSA PEM or PKCS#8 format.
>
> The critical diagnostic step was as follows: we copied the identical
> RSA PEM key string from the database (the one failing via EL) and
> pasted it directly into the connection's "Private Key" parameter field
> in the Guacamole UI. When configured this way, the connection
> succeeded instantly.
>
>
To my knowledge we do not support this Expression Language within the
Guacamole clients/extensions.


> This leads us to a clear conclusion: our installation appears to have
> two distinct issues. First, the standard JDBC attribute inheritance
> for private-key is non-functional. Second, while the EL expression
> ${#user.private-key} can retrieve the attribute, it appears to corrupt
> the formatting (presumably newlines or encoding) of the multi-line key
> string during transmission, rendering it unusable by libssh2.
>
>
I think this is an incorrect conclusion. Unless I've missed something key
or fundamental within our code and documentation, I do not believe that we
support either JDBC attribute inheritance or EL expression language. Can
you please point to the documentation that you're using that indicates
otherwise?

-Nick
