You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@guacamole.apache.org by purplebadger <do...@eclipticdynamics.co.uk> on 2019/05/20 11:51:27 UTC
Running bash script on user login
does anyone have a simple mechanism or advice how to run a bash script when a
user logs into Guac?
We are running Duo authentication, the idea is to start a specific AWS
instance when a specific user logs into Guac - ideally the script would run
after the first part of the login process (ie pre-MFA) that way, by the time
DUO authentication has been navigated, the instance would /potentially/ have
had time to fully startup.
any examples or suggestions welcomed. Thanks
--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org
Re: Running bash script on user login
Posted by Nick Couchman <vn...@apache.org>.
On Mon, May 20, 2019 at 7:51 AM purplebadger <do...@eclipticdynamics.co.uk>
wrote:
> does anyone have a simple mechanism or advice how to run a bash script
> when a
> user logs into Guac?
>
> We are running Duo authentication, the idea is to start a specific AWS
> instance when a specific user logs into Guac - ideally the script would run
> after the first part of the login process (ie pre-MFA) that way, by the
> time
> DUO authentication has been navigated, the instance would /potentially/
> have
> had time to fully startup.
>
>
Based on what you're trying to do, I'm not sure a bash script is actually
the best option. AWS has quite a robust REST API that you can use to
automate/integrate, which is exactly what their awscli scripts use to
process commands. It seems like the best route for you would actually be
to leverage their API and write some code that would interface with the API
to kick off the EC2 instance you want for the user.
My quick take on this would be to write a custom authentication extension
that would run this command at user login, and would also provide the
connection data required to make the connection. The module could silently
accept the authentication from an upstream module, send the API commands to
AWS, and create the connection. If you use a decorating extension, you
could use the JDBC module to store any custom user attributes (name of the
EC2 instance, for example), and perhaps even grab data from AWS about the
instance (public IP). As far as the requirement for having the module kick
off the EC2 instance prior to Duo being invoked, I *think* this would be
possible as long as you order the loading of the modules correctly - that
is, in your GUACAMOLE_HOME/extensions directory, put your primary
authentication module (LDAP or JDBC, etc.), first (e.g.
guacamole-auth-0-jdbc.jar), the custom AWS one second, and then Duo third.
I'm not certain this will work, but I think it will.
Of course, this method would mean writing some custom code - specifically,
an extension module that decorates another module, and sends the REST
commands - but that shouldn't be all that complicated.
-Nick
Re: Running bash script on user login
Posted by ivanmarcus <iv...@yahoo.com.INVALID>.
I'm not sure if it would cover your scenario exactly but I have a small
python script that tails the catalina.out log file in order to send a
magic packet to a specific machine when a specific user logs in. To me
it was a simple way to achieve what I needed, and it's been working
reliably for a year or more, although I'm sure there are more elegant
ways to do this.
That said it would be trivial to alter it to do other things such as run
another script or direct command. I did post it to the group some time
ago but can do so again if it's of use (or MIA!).
On 20/05/2019 11:51 p.m., purplebadger wrote:
> does anyone have a simple mechanism or advice how to run a bash script when a
> user logs into Guac?
>
> We are running Duo authentication, the idea is to start a specific AWS
> instance when a specific user logs into Guac - ideally the script would run
> after the first part of the login process (ie pre-MFA) that way, by the time
> DUO authentication has been navigated, the instance would /potentially/ have
> had time to fully startup.
>
> any examples or suggestions welcomed. Thanks
>
>
>
> --
> Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
> For additional commands, e-mail: user-help@guacamole.apache.org
>