Remote Assistance

First, to assist someone, you need a server set up to provide assistance: a DNS entry pointing to your server, the port forwarded to that server (hint: port 12345), and an SSH server listening on that port. That port shouldn't be one of the default ones; pick something the script kiddies don't notice. In this example I'm using port 12345, but it can be anything you want. I'm running my server at cyli.org with a user of secretuser; it's an Alma Linux VM.

Start by creating a user that can't log in:

# This is done as root on the server that will be providing assistance.
useradd --comment "Assistance User" --create-home --no-user-group secretuser

# Log in as this user to verify it works
su - secretuser
# Now you should be that user.

ssh-keygen -t ed25519 -q -N "" -C "Assistance Key" -f ~/.ssh/AssistanceKey

cat ~/.ssh/AssistanceKey.pub >> ~/.ssh/authorized_keys

ssh -i ~/.ssh/AssistanceKey -p 12345 secretuser@localhost
# You should get logged back in, with a new shell

logout
# You should be back in the first shell.

logout
# You should be back to root.

# Below is appended to the end of your sshd_config to prevent the user from logging in.
cat << EOT >> /etc/ssh/sshd_config

Match User secretuser
   AllowTcpForwarding yes
   X11Forwarding yes
   PermitTunnel yes
   GatewayPorts no
   AllowAgentForwarding yes
   PermitTTY no
   ForceCommand echo 'This account can only be used for tunneling'
EOT

# Restart the ssh server to incorporate the changes above.
systemctl restart sshd.service

# You should repeat the test above to verify that it works as expected, meaning you can't log in.
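The Match block above gives the tunnel account more than a -N -R tunnel needs: with AllowTcpForwarding yes and no PermitOpen/PermitListen limits, anyone holding AssistanceKey (it ends up on every assisted machine) can bind other ports on the server or forward traffic out through it. As an added example, not from the original page, this shell script emits a block that permits exactly one reverse listener and appends it without duplicating it; the account name and port are arguments, with the page's values as assumed defaults.

```shell
#!/bin/bash
# Added example (not from the original page): a tighter Match block for the
# tunnel-only account. Account name and reverse port are passed in; the
# defaults are the values used on this page.

# Print a Match block that allows exactly one reverse listener on the server
# (the -R<port>:localhost:22 the assisted machine opens) and nothing else:
# no local/dynamic forwarding through the server, no X11, no agent, no tunnel.
tunnel_account_match_block() {
    local user="${1:-secretuser}" rport="${2:-2223}"
    cat <<EOT

Match User ${user}
   AllowTcpForwarding remote
   PermitListen ${rport}
   PermitOpen none
   GatewayPorts no
   X11Forwarding no
   AllowAgentForwarding no
   PermitTunnel no
   PermitTTY no
   ForceCommand echo 'This account can only be used for tunneling'
EOT
}

# Append the block to an sshd_config (default /etc/ssh/sshd_config), refusing
# to add a second copy so the setup can be re-run safely. Everything after a
# Match line belongs to that block, so appending keeps it clear of the
# global settings above it.
add_tunnel_account() {
    local user="${1:-secretuser}" rport="${2:-2223}" cfg="${3:-/etc/ssh/sshd_config}"
    if grep -q "^Match User ${user}\$" "$cfg" 2>/dev/null; then
        echo "Match block for ${user} already present in ${cfg}" >&2
        return 1
    fi
    tunnel_account_match_block "$user" "$rport" >> "$cfg"
}

# On the server, as root:  add_tunnel_account secretuser 2223
# then:                    sshd -t && systemctl restart sshd.service
```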


# Copy the public and private keys to a thumb drive. From here on, they'll be referred to as
# /mnt/AssistanceKey  and  /mnt/AssistanceKey.pub
# Create a script on the thumb drive to install the keys and files for the remote user.

cat << 'EndOfScript' > /mnt/Install.sh
#!/bin/bash
# This script sets up most everything you should need for a Remote Assistance

# A function to create log files;
mkdir -p ~/.Logs
Log()
{
tee -a ~/.Logs/$(date +"%Y-%m-%d.txt")
}

# First, and foremost, we need to have OpenSSH Server installed;
sudo apt-get install openssh-server | Log

# Set up the keys
mkdir -m 0700 -p ~/.ssh
cp /mnt/AssistanceKey ~/.ssh/
chmod 0600 ~/.ssh/AssistanceKey
cp /mnt/AssistanceKey.pub ~/.ssh/
chmod 0644 ~/.ssh/AssistanceKey.pub
cat ~/.ssh/AssistanceKey.pub >> ~/.ssh/authorized_keys
chmod 0644 ~/.ssh/authorized_keys


mkdir -p ~/bin
cd ~/bin

# The construction below creates a file (adminaccess.service) and then cats
# everything to it until it matches the string 'EndOfText'. The dash strips
# out the leading tab that was added to make this easier to read. The $(whoami)
# expands to the user you're logged in as, and this is the user that will get assistance.
cat <<- EndOfText > adminaccess.service
	[Unit]
	Description=Permit admin access from secretuser@cyli.org
	After=network-online.target
	Before=multi-user.target
	DefaultDependencies=no
	Wants=network-online.target
	
	[Service]
	# The SSH connection runs as this user and uses the private key stored in their home dir (~/.ssh/).
	# No quotes around the value: systemd does not strip them from User=.
	User=$(whoami)
	
	# SSH connection with port forwarding, forwards port 22 on the client to 2223 on the server.
	# The reverse (-R2223) port must be unique on the server.
	ExecStart=/usr/bin/ssh -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o \
                ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -N -T -R2223:localhost:22 \
                -i ~/.ssh/AssistanceKey -p 12345 secretuser@cyli.org
	
	# Wait one minute before trying to restart the connection if it disconnects, and keep retrying.
	RestartSec=60
	Restart=always
	
	[Install]
	WantedBy=multi-user.target
EndOfText

# Unit files are plain text; don't mark them executable, systemd warns about that.
sudo cp adminaccess.service /etc/systemd/system/adminaccess.service
echo "Added adminaccess.service (1)" | Log

# The script below is a helper to enable or disable the service. The quotes around
# EndOfText keep the variables from expanding, so they stay as variables in the script.
cat <<- 'EndOfText' > Steve
	#!/bin/bash
	# This script connects to cyli.org for assistance, opening
	# a tunnel that remote admins can connect back through.
	ScriptName=adminaccess.service
	Opt=$(echo "${1:-}" | tr A-Z a-z)
	case ${Opt} in
		q|x )
		sudo systemctl disable ${ScriptName}
		sudo systemctl stop ${ScriptName}
		;;
		* )
		sudo systemctl enable ${ScriptName}
		sudo systemctl start ${ScriptName} && echo "Started ${ScriptName}"
	esac
EndOfText
chmod a+x Steve
echo "Added Steve script (2)" | Log

EndOfScript

Take the thumb drive with its three files to the person you want to assist, mount it at /mnt and then type, as a user, NOT root:

bash  /mnt/Install.sh

It should create a folder or two, and a script to use to make the tunnel.

When the user needs assistance, have them run the 'Steve' command; then, on your server, do the following:

sudo su - secretuser
# You need access to the keys.
ssh -i ~/.ssh/AssistanceKey -p 2223 <remote user login>@localhost
# This should log you in to their machine, as them.
# Do what you need to do to fix any issues, have the user verify the work, then:
Steve q
# Run on their machine, inside that session, this shuts the tunnel down; use 'logout' instead if you may need to reconnect.
# Until you run 'Steve q' or 'Steve x', the tunnel will persist, through restarts of either end.
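Before typing that ssh command it helps to see which reverse ports are actually bound on the server, and a bound port you never handed out deserves a look, since it means a holder of AssistanceKey opened a listener you did not plan for. This added example (not from the original page) parses 'ss -Hltnp' output; the sample lines are constructed, and it assumes tunnels are opened as -R<port>:localhost:22 with GatewayPorts no, so sshd binds them on loopback.

```shell
#!/bin/bash
# Added example (not from the original page): list which reverse tunnels are
# currently bound on the server, from 'ss -Hltnp' output.
# Assumptions: tunnels use -R<port>:localhost:22 with GatewayPorts no, so sshd
# binds them on loopback; the main sshd listener is on a non-loopback address.

# Read 'ss -Hltnp' lines on stdin and print each loopback port that sshd has
# bound, one per line, sorted. The IPv4 and IPv6 loopback entries sshd creates
# for one -R collapse to a single port.
tunnel_ports() {
    awk '$1 == "LISTEN" && $0 ~ /"sshd"/ && $4 ~ /^(127\.0\.0\.1|\[::1\]):[0-9]+$/ {
            p = $4; sub(/.*:/, "", p); print p
         }' | sort -un
}

# Given a file of handed-out ports ("port user" per line) and ss output on
# stdin, print each bound port with its owner, or UNEXPECTED for a port that
# was never assigned.
tunnel_report() {
    local assignments="$1"
    tunnel_ports | while read -r port; do
        owner=$(awk -v p="$port" '$1 == p { print $2 }' "$assignments")
        printf '%s %s\n' "$port" "${owner:-UNEXPECTED}"
    done
}

# Constructed sample of 'ss -Hltnp' output for a server like the one above:
# Betty's tunnel on 2223 (IPv4 and IPv6), the main sshd on 12345, an
# unassigned tunnel on 2299, and an unrelated cupsd listener.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:2223 0.0.0.0:* users:(("sshd",pid=4321,fd=9))
LISTEN 0 128 [::1]:2223 [::]:* users:(("sshd",pid=4321,fd=10))
LISTEN 0 128 0.0.0.0:12345 0.0.0.0:* users:(("sshd",pid=900,fd=3))
LISTEN 0 128 127.0.0.1:2299 0.0.0.0:* users:(("sshd",pid=5100,fd=9))
LISTEN 0 4096 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=700,fd=6))'

# On the real server:  ss -Hltnp | tunnel_report ~/tunnel-ports.txt
# Against the sample with "2223 betty" assigned, 2223 is reported as betty
# and 2299 as UNEXPECTED.
```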

A nice thing to do on the server is to create ~/.ssh/config with an entry like the one below, to make the connection simpler:

Host Betty
    Hostname localhost
    Port 2223
    User betty
    ForwardX11 yes
    IdentityFile ~/.ssh/AssistanceKey

Then, when Betty calls needing assistance, all you need to type is 'ssh Betty'.

Another nice thing to do is to create an entry in /etc/sudoers.d/Steve on the assisted machine, so the Steve script's sudo systemctl calls don't prompt for a password:

Cmnd_Alias SystemCTL = /usr/bin/systemctl
%sudo ALL = NOPASSWD: SystemCTL
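That rule lets every member of the sudo group run any systemctl subcommand without a password, which is effectively unrestricted root and far more than the Steve script needs. As an added example (not the page's own file), the script below writes a rule limited to the four subcommands Steve uses, for one named user, and checks it with visudo -cf before installing; the user and unit names are arguments with assumed defaults.

```shell
#!/bin/bash
# Added example (not from the original page): a sudoers rule limited to what
# the Steve script actually runs. User and unit names are arguments; the
# defaults are assumptions.

# Print a rule letting one user enable/disable/start/stop one unit without a
# password, instead of passwordless access to every systemctl subcommand.
steve_sudoers_rule() {
    local user="${1:-betty}" unit="${2:-adminaccess.service}" ctl=/usr/bin/systemctl
    cat <<EOT
Cmnd_Alias TUNNEL_CTL = ${ctl} enable ${unit}, ${ctl} disable ${unit}, \\
                        ${ctl} start ${unit}, ${ctl} stop ${unit}
${user} ALL = NOPASSWD: TUNNEL_CTL
EOT
}

# Write the rule to a temp file with sudoers permissions, check it with
# 'visudo -cf' where visudo exists, and install it only if the check passes.
install_steve_sudoers() {
    local user="$1" dest="${2:-/etc/sudoers.d/Steve}" tmp
    tmp=$(mktemp) || return 1
    steve_sudoers_rule "$user" > "$tmp" && chmod 0440 "$tmp"
    if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$tmp" >/dev/null 2>&1; then
        echo "refusing to install ${dest}: visudo rejected the rule" >&2
        rm -f "$tmp"
        return 1
    fi
    install -m 0440 "$tmp" "$dest" && rm -f "$tmp"
}

# On the assisted machine, as root:  install_steve_sudoers betty
```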

Note that the connections can be made as any user that has those keys, so if you copy AssistanceKey from secretuser to your own ~/.ssh/ then you shouldn't need to become another user.

Another nice thing to do is to set up a shared 'screen' session on the assisted user's machine; it could even be set up as part of the 'Steve' command to automatically connect the assisted user to that screen, and maybe even close out the session when they press Ctrl-D.

remote_assistance.txt · Last modified: by steve