Running bash script on user login

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Running bash script on user login

purplebadger
does anyone have a simple mechanism or advice how to run a bash script when a
user logs into Guac?

We are running Duo authentication, the idea is to start a specific AWS
instance when a specific user logs into Guac - ideally the script would run
after the first part of the login process (ie pre-MFA) that way, by the time
DUO authentication has been navigated, the instance would /potentially/ have
had time to fully startup.

any examples or suggestions welcomed. Thanks



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Running bash script on user login

ivanmarcus

I'm not sure if it would cover your scenario exactly but I have a small python script that tails the catalina.out log file in order to send a magic packet to a specific machine when a specific user logs in. To me it was a simple way to achieve what I needed, and it's been working reliably for a year or more, although I'm sure there are more elegant ways to do this.

That said it would be trivial to alter it to do other things such as run another script or direct command. I did post it to the group some time ago but can do so again if it's of use (or MIA!).


On 20/05/2019 11:51 p.m., purplebadger wrote:
does anyone have a simple mechanism or advice how to run a bash script when a
user logs into Guac?

We are running Duo authentication, the idea is to start a specific AWS
instance when a specific user logs into Guac - ideally the script would run
after the first part of the login process (ie pre-MFA) that way, by the time
DUO authentication has been navigated, the instance would /potentially/ have
had time to fully startup.

any examples or suggestions welcomed. Thanks 



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Reply | Threaded
Open this post in threaded view
|

Re: Running bash script on user login

vnick
In reply to this post by purplebadger
On Mon, May 20, 2019 at 7:51 AM purplebadger <[hidden email]> wrote:
does anyone have a simple mechanism or advice how to run a bash script when a
user logs into Guac?

We are running Duo authentication, the idea is to start a specific AWS
instance when a specific user logs into Guac - ideally the script would run
after the first part of the login process (ie pre-MFA) that way, by the time
DUO authentication has been navigated, the instance would /potentially/ have
had time to fully startup.


Based on what you're trying to do, I'm not sure a bash script is actually the best option.  AWS has quite a robust REST API that you can use to automate/integrate, which is exactly what their awscli scripts use to process commands.  It seems like the best route for you would actually be to leverage their API and write some code that would interface with the API to kick off the EC2 instance you want for the user.

My quick take on this would be to write a custom authentication extension that would run this command at user login, and would also provide the connection data required to make the connection.  The module could silently accept the authentication from an upstream module, send the API commands to AWS, and create the connection.  If you use a decorating extension, you could use the JDBC module to store any custom user attributes (name of the EC2 instance, for example), and perhaps even grab data from AWS about the instance (public IP).  As far as the requirement for having the module kick off the EC2 instance prior to Duo being invoked, I *think* this would be possible as long as you order the loading of the modules correctly - that is, in your GUACAMOLE_HOME/extensions directory, put your primary authentication module (LDAP or JDBC, etc.), first (e.g. guacamole-auth-0-jdbc.jar), the custom AWS one second, and then Duo third.  I'm not certain this will work, but I think it will.

Of course, this method would mean writing some custom code - specifically, an extension module that decorates another module, and sends the REST commands - but that shouldn't be all that complicated.

-Nick