If your jumpbox is Linux, you can use part of this script to do what you
want.
This will detect new files in a specific directory and upload them to a
remote system (Linux).
I have a PowerShell variant of this script as well.
Feel free to use this or parts of it.
Hope this helps!
#!/bin/bash
# Automatic File transfer
# Watches /Directory for new files and uploads them to REMOTE HOST
# using password-based SCP. Creates remote folder named after the last two octets
# of eth0 (e.g., /File/Path/23.2). Change or remove this as you need.
# Locks local file afterward.
set -euo pipefail

WATCH_DIR="*/File/Path*"
LOG_FILE="/var/log/file_guard.log"
CONTROL_FILE="/var/log/file_uploaded.ctrl"
REMOTE_HOST="*IP ADDRESS HERE*"
# Replace USERNAME and PASSWORD with Certificate Authentication. Comment out the two fields
REMOTE_USER="*USERNAME*"
REMOTE_PASS="*PASSWORD*"
REMOTE_BASE="*/Path/To/Save/File*"
# These options turn off host key verification (the remote host is not authenticated).
# SSH_OPTS is expanded unquoted below on purpose so it splits into separate arguments.
SSH_OPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o BatchMode=no -o ConnectTimeout=10"

# --- Verify dependencies ---
for cmd in inotifywait sshpass scp ssh ip awk grep mkdir chattr date mktemp; do
    if ! command -v "$cmd" >/dev/null 2>&1; then
        echo "[FATAL] $(date '+%F %T') Missing dependency: $cmd" | tee -a "$LOG_FILE"
        exit 1
    fi
done

# --- Determine eth0 last two octets ---
IPADDR=$(ip -4 addr show eth0 | awk '/inet / {print $2}' | cut -d'/' -f1 | head -n1)
if [[ -z "$IPADDR" ]]; then
    echo "[FATAL] $(date '+%F %T') eth0 has no IPv4 address" | tee -a "$LOG_FILE"
    exit 1
fi
OCTETS=$(echo "$IPADDR" | awk -F. '{print $(NF-1)"."$NF}')
REMOTE_DIR="${REMOTE_BASE}/${OCTETS}"

# --- Prep environment ---
mkdir -p "$(dirname "$LOG_FILE")"
touch "$CONTROL_FILE"
chmod 600 "$CONTROL_FILE"
echo "[INFO] $(date '+%F %T') Watching $WATCH_DIR (remote path: $REMOTE_DIR)" | tee -a "$LOG_FILE"

# --- Helper: add filename to control list ---
add_to_control() {
    local file="$1"
    grep -Fxq "$file" "$CONTROL_FILE" || echo "$file" >> "$CONTROL_FILE"
}

# --- Upload function with detailed error logging ---
upload_file() {
    local FILEPATH="$1"
    local BASENAME
    BASENAME=$(basename "$FILEPATH")
    # mktemp creates the file with an unpredictable name instead of /tmp/file_upload_$$.log
    local TMP_LOG
    TMP_LOG=$(mktemp /tmp/file_upload.XXXXXX)
    echo "[UPLOAD] $(date '+%F %T') Starting upload for $BASENAME → ${REMOTE_HOST}:${REMOTE_DIR}" >> "$LOG_FILE"

    # 1. Ensure remote directory exists
    if ! sshpass -p "$REMOTE_PASS" ssh $SSH_OPTS \
        "${REMOTE_USER}@${REMOTE_HOST}" "mkdir -p '$REMOTE_DIR'" >>"$TMP_LOG" 2>&1; then
        echo "[ERROR] $(date '+%F %T') mkdir failed for $REMOTE_DIR" >> "$LOG_FILE"
        cat "$TMP_LOG" >> "$LOG_FILE"
        rm -f "$TMP_LOG"
        return 1
    fi

    # 2. Upload file
    if sshpass -p "$REMOTE_PASS" scp $SSH_OPTS -q "$FILEPATH" \
        "${REMOTE_USER}@${REMOTE_HOST}:${REMOTE_DIR}/${BASENAME}" >>"$TMP_LOG" 2>&1; then
        echo "[SUCCESS] $(date '+%F %T') Uploaded $BASENAME successfully" >> "$LOG_FILE"
        chattr +i "$FILEPATH" 2>/dev/null || echo "[WARN] Could not chattr +i $FILEPATH" >> "$LOG_FILE"
        add_to_control "$BASENAME"
        echo "[LOCKED] $(date '+%F %T') $FILEPATH" >> "$LOG_FILE"
    else
        local CODE=$?
        echo "[ERROR] $(date '+%F %T') scp failed for $BASENAME (exit $CODE)" >> "$LOG_FILE"
        cat "$TMP_LOG" >> "$LOG_FILE"
    fi
    rm -f "$TMP_LOG"
}

# --- Main monitoring loop ---
inotifywait -m -e close_write -e moved_to --format '%w%f' "$WATCH_DIR" |
while read -r NEWFILE; do
    sleep 2 # Allow file to finish writing
    [ -f "$NEWFILE" ] || continue
    BASENAME=$(basename "$NEWFILE")
    # Skip if already uploaded
    if grep -Fxq "$BASENAME" "$CONTROL_FILE"; then
        echo "[SKIP] $(date '+%F %T') $BASENAME already processed" >> "$LOG_FILE"
        continue
    fi
    # Keep watching after a failed upload; under set -e a non-zero return would end the loop
    upload_file "$NEWFILE" || true
done
*Thank You*
Sean Hulbert
*Security Centric Inc.*
On 12/15/2025 6:44 PM, Nick Couchman wrote:
On Mon, Dec 15, 2025 at 5:24 PM Makarem Dandouna
<[email protected]> wrote:
Hello Nick,
Thank you for your answer. Here are some details:
- In a direct connection, I specify in the hostname field of the connection
parameters the IP address of the target machine to which I want to connect, as
the network flow is opened between the Guacamole server and this machine.
- In the connection through a jumpbox, in the hostname I specify the IP address
of an intermediate machine (the jumpbox) that acts as a proxy between the
Guacamole servers and the target machine to which I want to connect. When a user
connects with ssh to the jumpbox, a command line is executed automatically to
run a gcloud ssh command to allow him to connect from the jumpbox to the target
machine using the Google tunnel IAP.
In this case, if a user wants to copy a file using SFTP from the side menu option,
files are copied to the jumpbox and not to the target machine, as the IP address
is specified in the hostname field of the connection parameters.
Okay - I think I understand what's going on, though I'm not familiar
with the Google Tunnel API or how, exactly, that works. If you have a
link to the software/documentation for it, that might be helpful.
That said, I suspect that when the SFTP channel of the SSH session is
established, the Jumpbox SSH server is not executing the command line
to run the gcloud ssh command, so the SFTP connection just stays on
the jump box. I don't think there's really much that can be done about
this from within Guacamole, as my guess at this point is that the
limitation is more on the fact that SFTP channels on SSH servers don't
generally allow execution of commands. I could be wrong about that -
just going off what little I understand at this point.
There is a Jira issue out there, with some in-progress pull requests,
to allow tunneling connections over SSH connections, which might help
this. However, it isn't done, yet:
https://issues.apache.org/jira/browse/GUACAMOLE-312
-Nick
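The upload script at the top of this message sets SSH_OPTS so that the remote host key is never checked, and its own comment suggests moving from the password to certificate/key authentication. The following is an added example, not part of the original message or its script, that audits an ssh option string for those settings and builds a key-based replacement; the function names and the key and known_hosts paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit an ssh option string for
# settings that turn off server authentication, and build a key-based
# replacement. Key and known_hosts paths are assumed and contain no spaces.

# Options exactly as the script in the post sets them.
ORIGINAL_OPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o BatchMode=no -o ConnectTimeout=10"

# Print one WEAK line per risky option; exit status is 0 only if none found.
audit_ssh_opts() (
    set -f                       # no globbing while the string is split
    findings=0
    prev=""
    for word in $1; do
        opt=""
        case "$word" in
            -o)   ;;                             # value follows as next word
            -o?*) opt=${word#-o} ;;              # attached form: -oName=Value
            *)    [ "$prev" = "-o" ] && opt=$word ;;
        esac
        prev=$word
        [ -n "$opt" ] || continue
        name=$(printf '%s' "${opt%%=*}" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
        case "$name=${opt#*=}" in
            stricthostkeychecking=no|stricthostkeychecking=off)
                echo "WEAK $opt: host keys are accepted without verification"
                findings=$((findings + 1)) ;;
            userknownhostsfile=/dev/null)
                echo "WEAK $opt: no host key is ever remembered, so nothing can be pinned"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
)

# Key-based, non-interactive options that require a host key already pinned
# in the given known_hosts file. $1 = private key, $2 = known_hosts file.
hardened_ssh_opts() {
    printf '%s' "-i $1 -o IdentitiesOnly=yes -o BatchMode=yes" \
        " -o PasswordAuthentication=no -o StrictHostKeyChecking=yes" \
        " -o UserKnownHostsFile=$2 -o ConnectTimeout=10"
}

# Demo with hypothetical paths: the original options fail, the hardened pass.
audit_ssh_opts "$ORIGINAL_OPTS" || echo "original options: weak settings found"
audit_ssh_opts "$(hardened_ssh_opts /root/.ssh/upload_key /etc/ssh/upload_known_hosts)" \
    && echo "hardened options: clean"
```

With the hardened options in place, sshpass and REMOTE_PASS are no longer needed, and the known_hosts file has to contain the remote host's key before the watcher starts.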