Howto/MultiuserScreenWithSshForSupervisedRemoteSupport: remoterelay.sh


Shell script to configure remote-relay for the supported PC

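#!/bin/sh
# configure and initiate a remote relay SSH connection for remote support
# Copyright (c) 2012 TJ <linux@iam.tj>
# Licensed on the terms of the GPL version 3
#
# Flow: install prerequisites, create/unlock the 'remoteop' account, make sure
# the relay server has our public key and an ssh_config entry, temporarily make
# 'screen' setuid root, run autossh plus a multiuser screen session, then undo
# the temporary changes (also on Ctrl+C / SIGTERM, via cleanup()).
#
# Exit codes: 1 apt-get failed, 2 adduser failed, 3 ssh-keygen failed,
#             4 ssh-copy-id failed, 5 support-client.sh failed, 7 mktemp failed

# delay in seconds between starting ssh and starting screen (overridable from the environment)
DELAY=${DELAY:-10}

# the relay server and the account on it that this PC connects as
RELAY_USER=remoterelay
RELAY_HOST=relay.iam.tj

# the local account the support technician logs in as
REMOTE_OP=remoteop

# the key and certificate files
RELAY_KEY="$HOME/.ssh/id_relay"
RELAY_CERT="${RELAY_KEY}.pub"
SSH_CONFIG="$HOME/.ssh/config"
SCREENRC="$HOME/relay-screenrc"

# set the 'screen' binary's path if not set already
_SCREEN_=${_SCREEN_:=/usr/bin/screen}

# state read by cleanup(): each is set only once the corresponding step has run
REMOTEOP_UNLOCKED=0
SCREEN_SETUID_CHECKED=0
AUTOSSH_PID=""
AUTOSSH_PIDFILE=""

#######################################
# Undo the temporary changes: drop setuid from screen (only if the setuid step
# was reached and the mode is 4755, as the original end-of-run check did), stop
# autossh, and lock the remoteop account again.
# Runs on normal exit and on HUP/INT/TERM, so it is safe to call more than
# once: every step resets its own flag.
# Globals: SCREEN_SETUID_CHECKED, AUTOSSH_PID, AUTOSSH_PIDFILE,
#          REMOTEOP_UNLOCKED (all read and reset), _SCREEN_, REMOTE_OP (read)
#######################################
cleanup() {
  if [ "$SCREEN_SETUID_CHECKED" = 1 ] && [ "$(stat -c %a "$_SCREEN_")" = "4755" ]; then
    echo "Removing setuid from the screen program"
    sudo chmod u-s "$_SCREEN_"
  fi
  SCREEN_SETUID_CHECKED=0

  if [ -n "$AUTOSSH_PID" ]; then
    echo "Disconnecting from the relay server"
    # shellcheck disable=SC2086 -- may hold several PIDs when the pidof fallback was used
    kill -TERM $AUTOSSH_PID
  fi
  AUTOSSH_PID=""
  if [ -n "$AUTOSSH_PIDFILE" ]; then
    rm -f -- "$AUTOSSH_PIDFILE"
  fi
  AUTOSSH_PIDFILE=""

  if [ "$REMOTEOP_UNLOCKED" = 1 ]; then
    # lock the remoteop account to prevent abuse
    echo "Locking the '$REMOTE_OP' user account to prevent unauthorised access"
    sudo passwd -l "$REMOTE_OP"
  fi
  REMOTEOP_UNLOCKED=0
}
trap cleanup EXIT
trap 'cleanup; exit 1' HUP INT TERM

PACKAGES=""
test ! -x /usr/sbin/sshd && PACKAGES="$PACKAGES openssh-server"
test ! -x /usr/bin/autossh && PACKAGES="$PACKAGES autossh"
test ! -x "$_SCREEN_" && PACKAGES="$PACKAGES screen"

# ensure pre-requisites are installed
if [ -n "$PACKAGES" ]; then
  echo "Need to install additional package(s): $PACKAGES ..."
  # shellcheck disable=SC2086 -- PACKAGES is a deliberately space-separated list
  sudo apt-get install $PACKAGES || exit 1
fi

# getent matches the whole account name (grep on /etc/passwd would also match
# e.g. 'remoteop2' or the text in a GECOS field) and sees non-local accounts too
if ! getent passwd "$REMOTE_OP" >/dev/null; then
  echo "Need to add a user account for the remote operator."
  echo "Set an easy to remember password for this account and give it to the"
  echo "support technician so they can connect to this PC (e.g.'letmein')."
  sudo adduser "$REMOTE_OP" || exit 2
fi

# unlock the remoteop account so the support technician can log in;
# cleanup() locks it again whenever this script exits
echo "Unlocking the '$REMOTE_OP' user account to allow access"
REMOTEOP_UNLOCKED=1
sudo passwd -u "$REMOTE_OP"

if [ ! -r "$RELAY_KEY" ]; then
  echo "Need to create an encryption key for the relay"
  # ssh-keygen does not create the directory itself
  mkdir -p -m 700 "$HOME/.ssh"
  ssh-keygen -t rsa -N "" -f "$RELAY_KEY" || exit 3
fi

# If we can't log-in when passwords are disabled (BatchMode=yes) then the public key can't have been copied,
# or may have been deleted from .ssh/authorized_keys previously
if ! ssh -i "$RELAY_KEY" -oBatchMode=yes "$RELAY_USER@$RELAY_HOST" sleep 1 >/dev/null 2>&1; then
  echo "Sending the key to the remote relay server."
  echo "You'll need the password of the server's '$RELAY_USER' user"
  ssh-copy-id -i "$RELAY_CERT" "$RELAY_USER@$RELAY_HOST" || exit 4

  # now make the client's IP address known to the support agent executing a script on the server
  ssh -i "$RELAY_KEY" -n "$RELAY_USER@$RELAY_HOST" bin/support-client.sh || exit 5
fi

# add the ssh configuration for the relay server
if ! grep -q relay-server "$SSH_CONFIG" 2>/dev/null; then
  echo "Adding the remote relay server SSH configuration"
  cat <<EOF >>"$SSH_CONFIG"

Host relay-server
User $RELAY_USER
HostName $RELAY_HOST
ServerAliveInterval 15
RemoteForward 22222 localhost:22
IdentityFile $RELAY_KEY
EOF
fi

# make sure the user config file has correct permissions (otherwise it would be ignored).
# stat -c %a prints the mode without a leading zero ("640"), so comparing against
# "0640" never matched and the chmod ran on every start.
if [ "$(stat -c %a "$SSH_CONFIG")" != "640" ]; then
  echo "Correcting permissions on SSH configuration file"
  chmod 640 "$SSH_CONFIG"
fi

# now the risky part... need to make the 'screen' binary setuid root to do multiuser sessions
if [ "$(stat -c %a "$_SCREEN_")" != "4755" ]; then
  echo "The 'screen' program needs to be allowed to run as root (setuid root) to do multi-user sessions."
  echo "This is considered a security risk so this script will remove the setuid permission after the"
  echo "connection to the server has been closed."
  sudo chmod u+s "$_SCREEN_"
fi
# from here on cleanup() is responsible for removing the setuid bit again
SCREEN_SETUID_CHECKED=1

# make sure screen's runtime directory is present and correct
if [ ! -d /var/run/screen ]; then
  echo "Creating screen's working directory"
  sudo mkdir -p /var/run/screen
fi
if [ "$(stat -c %a /var/run/screen)" != "755" ]; then
  echo "Changing permissions on screen's working directory"
  sudo chmod 755 /var/run/screen
fi

# create a screen config file to allow multiuser for the local operator
if [ ! -r "$SCREENRC" ]; then
  cat <<EOF >"$SCREENRC"
multiuser on
acladd $REMOTE_OP
caption always "Press Ctrl+A then \ to quit screen"
EOF
fi

# open an SSH connection to 'relay-server' (-n), with no connection to local input,
# and put it into the background (-f).
# autossh records the daemon's PID in AUTOSSH_PIDFILE; 'pidof autossh' alone would
# also pick up any unrelated autossh instance the user happens to be running.
echo "Connecting to the relay server now..."
AUTOSSH_PIDFILE=$(mktemp) || exit 7
export AUTOSSH_PIDFILE
autossh -f -n relay-server

echo "Starting the multiuser 'screen' session in $DELAY seconds..."
sleep "$DELAY"

# get the process ID so we can send it signals later
AUTOSSH_PID=$(cat "$AUTOSSH_PIDFILE" 2>/dev/null)
if [ -z "$AUTOSSH_PID" ]; then
  # pid file not written: fall back to the original lookup
  AUTOSSH_PID=$(pidof autossh)
fi

# start the multiuser screen session using the pre-defined configuration
# others can connect to this with screen -x $THISUSERNAME/Multiuser
# e.g: if this screen is running on the 'tj' account then some other
# user (remoteop) would do: screen -x tj/Multiuser
"$_SCREEN_" -c "$SCREENRC" -L -S Multiuser

echo "'screen' session has ended, cleaning up and disconnecting from the relay server..."

# explicit call so the messages appear before "All done"; the EXIT trap is then a no-op
cleanup

echo "All done"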