guacamole-user mailing list archives

From Nick Couchman <vn...@apache.org>
Subject Re: Running bash script on user login
Date Tue, 21 May 2019 01:42:17 GMT
On Mon, May 20, 2019 at 7:51 AM purplebadger <dom@eclipticdynamics.co.uk> wrote:

> does anyone have a simple mechanism or advice how to run a bash script
> when a user logs into Guac?
>
> We are running Duo authentication, the idea is to start a specific AWS
> instance when a specific user logs into Guac - ideally the script would run
> after the first part of the login process (i.e. pre-MFA) that way, by the
> time DUO authentication has been navigated, the instance would /potentially/
> have had time to fully startup.

Based on what you're trying to do, I'm not sure a bash script is actually
the best option.  AWS has quite a robust REST API that you can use to
automate/integrate, which is exactly what their awscli scripts use to
process commands.  It seems like the best route for you would actually be
to leverage their API and write some code that would interface with the API
to kick off the EC2 instance you want for the user.

My quick take on this would be to write a custom authentication extension
that would run this command at user login, and would also provide the
connection data required to make the connection.  The module could silently
accept the authentication from an upstream module, send the API commands to
AWS, and create the connection.  If you use a decorating extension, you
could use the JDBC module to store any custom user attributes (name of the
EC2 instance, for example), and perhaps even grab data from AWS about the
instance (public IP).  As far as the requirement for having the module kick
off the EC2 instance prior to Duo being invoked, I *think* this would be
possible as long as you order the loading of the modules correctly - that
is, in your GUACAMOLE_HOME/extensions directory, put your primary
authentication module (LDAP or JDBC, etc.), first (e.g.
guacamole-auth-0-jdbc.jar), the custom AWS one second, and then Duo third.
I'm not certain this will work, but I think it will.

Of course, this method would mean writing some custom code - specifically,
an extension module that decorates another module, and sends the REST
commands - but that shouldn't be all that complicated.

-Nick
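
A sketch of the decorating extension described in the message above, added here as an illustration; it is not code from the original post or from the Guacamole project. It assumes guacamole-ext 1.0.0 or later and the AWS SDK for Java v2 on the classpath; the class name, extension identifier, username and instance ID are hypothetical placeholders, the extension's guac-manifest.json is not shown, and whether `decorate()` fires before the Duo prompt depends on the load order discussed in the message and is untested.

```java
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.CompletableFuture;
import java.util.logging.Logger;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.net.auth.AbstractAuthenticationProvider;
import org.apache.guacamole.net.auth.AuthenticatedUser;
import org.apache.guacamole.net.auth.Credentials;
import org.apache.guacamole.net.auth.UserContext;
import software.amazon.awssdk.core.exception.SdkException;
import software.amazon.awssdk.services.ec2.Ec2Client;
import software.amazon.awssdk.services.ec2.model.StartInstancesRequest;

public class Ec2StartAuthenticationProvider extends AbstractAuthenticationProvider {

    private static final Logger LOG = Logger.getLogger("ec2-start");

    // Constructed mapping: Guacamole username -> EC2 instance ID (placeholder).
    // Fixed server-side allowlist: nothing in the login request picks the instance.
    private static final Map<String, String> INSTANCE_FOR_USER =
            Collections.singletonMap("example-user", "i-0123456789abcdef0");

    // Region and credentials come from the AWS SDK default provider chain.
    private final Ec2Client ec2 = Ec2Client.create();

    @Override
    public String getIdentifier() {
        return "aws-ec2-start"; // hypothetical extension identifier
    }

    // May run once per decorated context; starting a running instance is harmless.
    @Override
    public UserContext decorate(UserContext context,
            AuthenticatedUser authenticatedUser, Credentials credentials)
            throws GuacamoleException {
        String instanceId = INSTANCE_FOR_USER.get(authenticatedUser.getIdentifier());
        if (instanceId != null) {
            // Background call: a slow or failing AWS request never blocks login.
            CompletableFuture.runAsync(() -> {
                try {
                    ec2.startInstances(StartInstancesRequest.builder()
                            .instanceIds(instanceId).build());
                } catch (SdkException e) {
                    LOG.warning("EC2 start failed for " + instanceId + ": " + e);
                }
            });
        }
        return context; // context passes through unchanged
    }
}
```

Because this runs after only the first authentication factor, the AWS credentials used by the Guacamole server are best scoped to `ec2:StartInstances` on the mapped instances and nothing else.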
