Wiki.Cyli.Org

User Tools

Site Tools

Trace: grow_md_raid1 how
remote_assistance

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
remote_assistance [2023/09/22 20:03] steveremote_assistance [2025/10/02 23:27] (current) steve
Line 1: Line 1:
 ==== Remote Assistance ==== ==== Remote Assistance ====
-First, to assist someone, you need to have your server set up to provide assistance; have a dns entry pointing to your server, have ports forwarded to that server, and be running an ssh server on that port. And, that port shouldn't be one of the default ones, it should be something that the script kiddies don't notice. In this example, I'm using port 12345, but it can be anything you want. I'm running my server at cyli.org, with a user of secretuser, it's an Alma Linux VM.+First, to assist someone, you need to have your server set up to provide assistance; have a dns entry pointing to your server, have ports forwarded to that server (hint: Port 12345), and be running an ssh server on that port. And, that port shouldn't be one of the default ones, it should be something that the script kiddies don't notice. In this example, I'm using port 12345, but it can be anything you want. I'm running my server at cyli.org, with a user of secretuser, it's an Alma Linux VM.
  
  
 Start by creating a user that can't log in; Start by creating a user that can't log in;
 <code> <code>
-# This is done as root.+# This is done as root on the server that will be providing assistance.
 useradd --comment "Assistance User" --create-home --no-user-group secretuser useradd --comment "Assistance User" --create-home --no-user-group secretuser
  
Line 16: Line 16:
 cat ~/.ssh/AssistanceKey.pub >> ~/.ssh/authorized_keys cat ~/.ssh/AssistanceKey.pub >> ~/.ssh/authorized_keys
  
-ssh -i ~/.ssh/AssistanceKey p 12345 secretuser@localhost+ssh -i ~/.ssh/AssistanceKey -p 12345 secretuser@localhost
 # You should get logged back in, with a new shell # You should get logged back in, with a new shell
  
Line 27: Line 27:
 # Below is appended to the end of your sshd_config to prevent the user from logging in. # Below is appended to the end of your sshd_config to prevent the user from logging in.
 cat << EOT >> /etc/ssh/sshd_config cat << EOT >> /etc/ssh/sshd_config
-Match User secretuser 
-   AllowTcpForwarding yes 
-   X11Forwarding yes 
-   PermitTunnel yes 
-   GatewayPorts no 
-   AllowAgentForwarding yes 
-   ForceCommand echo 'This account can only be used for tunneling' 
  
-Match User secretuser@cyli.org+Match User secretuser,secretuser@cyli.org
    AllowTcpForwarding yes    AllowTcpForwarding yes
    X11Forwarding yes    X11Forwarding yes
Line 41: Line 34:
    GatewayPorts no    GatewayPorts no
    AllowAgentForwarding yes    AllowAgentForwarding yes
 +   PermitTTY no
    ForceCommand echo 'This account can only be used for tunneling'    ForceCommand echo 'This account can only be used for tunneling'
 EOT EOT
Line 47: Line 41:
 systemctl restart sshd.service systemctl restart sshd.service
  
-# You should repeat the test above to verify that it works as expected.+# You should repeat the test above to verify that it works as expected, meaning you can't log in.
  
  
Line 60: Line 54:
 # This script sets up most everything you should need for a Remote Assistance # This script sets up most everything you should need for a Remote Assistance
  
 +# A function to create log files;
 mkdir -p ~/.Logs mkdir -p ~/.Logs
 Log() Log()
Line 65: Line 60:
 tee -a ~/.Logs/$(date +"%Y-%m-%d.txt") tee -a ~/.Logs/$(date +"%Y-%m-%d.txt")
 } }
 +
 +# First, and foremost, we need to have OpenSSH Server installed;
 +sudo apt-get install openssh-server | Log
  
 # Set up the keys # Set up the keys
-mkdir -p ~/.ssh+mkdir -m 0700 -p ~/.ssh
 cp /mnt/AssistanceKey ~/.ssh/ cp /mnt/AssistanceKey ~/.ssh/
-chmod 0600 .ssh/AssistanceKey+chmod 0600 ~/.ssh/AssistanceKey
 cp /mnt/AssistanceKey.pub ~/.ssh/ cp /mnt/AssistanceKey.pub ~/.ssh/
-chmod 0644 .ssh/AssistanceKey.pub +chmod 0644 ~/.ssh/AssistanceKey.pub 
-cat .ssh/AssistanceKey.pub >> .ssh/authorized_keys +cat ~/.ssh/AssistanceKey.pub >> ~/.ssh/authorized_keys 
-chmod 0644 .ssh/authorized_keys+chmod 0644 ~/.ssh/authorized_keys
  
  
 mkdir ~/bin mkdir ~/bin
 cd ~/bin cd ~/bin
 +
 # The construction below creates a file (adminaccess.service) and then cats  # The construction below creates a file (adminaccess.service) and then cats 
 # everything to it until it matches the string 'EndOfText'. The dash strips # everything to it until it matches the string 'EndOfText'. The dash strips
-# out the leading tab that was added to make this easier to read.  +# out the leading tab that was added to make this easier to read. The "$(whoami)" 
-cat <<'EndOfText> adminaccess.service+# returns the user you're logged in as, and this is the user that will get assistance
 +cat <<- EndOfText > adminaccess.service
  [Unit]  [Unit]
  Description=Permit admin access from secretuser@cyli.org  Description=Permit admin access from secretuser@cyli.org
Line 106: Line 106:
  WantedBy=multi-user.target  WantedBy=multi-user.target
 EndOfText EndOfText
 +
 chmod a+x adminaccess.service chmod a+x adminaccess.service
 sudo cp adminaccess.service /etc/systemd/system/adminaccess.service sudo cp adminaccess.service /etc/systemd/system/adminaccess.service
 echo "Added adminaccess.service (1)" | Log echo "Added adminaccess.service (1)" | Log
  
-cat <<- 'EndOfText'Help+# Script below is a helper to enable the service, the "'" around EndOfText makes 
 +# The variables remain as variable instead of expanding. 
 +cat <<- 'EndOfText'Steve
  #!/bin/bash  #!/bin/bash
  # This script connects to cyli.org for assistance, opening  # This script connects to cyli.org for assistance, opening
Line 126: Line 129:
  esac  esac
 EndOfText EndOfText
-chmod a+x Help +chmod a+x Steve 
-echo "Added Help (2)" | Log+echo "Added Steve script (2)" | Log
  
 EndOfScript EndOfScript
Line 139: Line 142:
 It should create a folder or two, and a script to use to make the tunnel. It should create a folder or two, and a script to use to make the tunnel.
  
-When the user needs assistance, have them run the 'Help' command, then, on your server, do the following;+When the user needs assistance, have them run the 'Steve' command, then, on your server, do the following;
 <code> <code>
 sudo su - secretuser sudo su - secretuser
 # You need access to the keys. # You need access to the keys.
-ssh -i ~/.ssh/AssistanceKey -p 2223 <remote users login>@localhost+ssh -i ~/.ssh/AssistanceKey -p 2223 <remote user login@>localhost
 # This should log you in to their machine, as them. # This should log you in to their machine, as them.
 # Do what you need to do to fix any issues, have the user verify the work, then; # Do what you need to do to fix any issues, have the user verify the work, then;
-Help q+Steve q
 # To shut down the session, or use 'logout' if you may need to reconnect. # To shut down the session, or use 'logout' if you may need to reconnect.
-# Until you run 'Help q' or 'Help x', the tunnel will persist, through restarts of either end.+# Until you run 'Steve q' or 'Steve x', the tunnel will persist, through restarts of either end.
 </code> </code>
  
Line 154: Line 157:
 <code> <code>
 Host Betty Host Betty
-Hostname localhost +    Hostname localhost 
-Port 2223 +    Port 2223 
-User betty +    User betty 
-ForwardX11 yes  +    ForwardX11 yes  
-IdentityFile ~/.ssh/AssistanceKey+    IdentityFile ~/.ssh/AssistanceKey
 </code> </code>
  
 Then, when Betty calls needing assistance, all you need to type is 'ssh Betty' Then, when Betty calls needing assistance, all you need to type is 'ssh Betty'
 +
 +Another nice thing to do, create an entry in /etc/sudoers.d/Steve
 +<code>
 +Cmnd_Alias SystemCTL = /usr/bin/systemctl
 +%sudo ALL = NOPASSWD: SystemCTL
 +</code>
 +
 Note that the connections can be made as any user that has those keys, so if you copy AssistanceKey from secretuser to your own ~/.ssh/ then you shouldn't need to become another user. Note that the connections can be made as any user that has those keys, so if you copy AssistanceKey from secretuser to your own ~/.ssh/ then you shouldn't need to become another user.
  
 +Another nice thing to do is to set up a [[Shared 'screen' session]] on the Assisted user's machine, it could even be set up as part of the 'Steve' command to automatically connect the Assisted user to that screen. Maybe even close out the session when they press Ctrl-D.
remote_assistance.1695413005.txt.gz · Last modified: by steve