[shawncp at kcnet.com: Re: Remote access partition and install Linux. With a Near Zero skilled operator at the remote site.]

Wed Jan 23 17:31:01 CST 2008

----- Forwarded message from "Shawn C. Powell" <shawncp at kcnet.com> -----
> From: "Shawn C. Powell" <shawncp at kcnet.com>
> To: kclug at kclug.org
> Subject: Re: Remote access partition and install Linux. With a Near Zero
> 	skilled operator at the remote site.
> Date: Wed, 23 Jan 2008 13:35:09 -0600
> 
> It seems like the hurdle is bootstrapping, in as simple a manner as possible, 
> some kind of connectivity so you can proceed with the work.  
> 
> What about setting up a VPN server on your end and let them connect to you?  
> PoPToP on your end for Windows ---  I'm not sure what kind of built-in/easy 
> VPN clients Knoppix provides.
> 
----- End forwarded message -----

CSR is (Customer Support Representative).

We set up logins on an otherwise little used web server and then put
this into a script named 'access' on the client machines...

#!/bin/bash

    # this script lets DSI access this computer via ssh

    # =========================================================
    # ssh -R 2500:localhost:22 rescue at newweb
    #
    # then ssh to newweb (internal name for csr.LOGIN-MACHINE.com) and...
    #
    #       /usr/bin/ssh -C -X -p2500 rescue at localhost 2>/dev/null
    #
    # will present a login prompt from the customer machine behind a linksys router
    #
    # 'rescue@' is an account pre-created on client machine
    # for just this script.
    #
    # rescue01 through rescue10 are newweb logins which all share
    # login dir and /etc/passwd user id number.
    # =========================================================

    localhost=127.0.0.1
    EXPECT=$(type -p expect|sed 's/.* //')

============== generate key ====================
# Generate new key files...
/bin/rm -fr /home/rescue/.ssh
mkdir /home/rescue/.ssh
chmod 700 /home/rescue/.ssh
touch /home/rescue/.ssh/id_dsa

$EXPECT <<KEY_GEN
set timeout -1
match_max 100000
spawn ssh-keygen -f /home/rescue/.ssh/id_dsa -t dsa
expect "Overwrite (y/n)? "
send "yes\r"
expect "empty for no passphrase): "
send -- "\r"
expect "Enter same passphrase again: "
send -- "\r"
expect eof
KEY_GEN

============== end generate key ================

    # tell the user what's going on
    echo ''
    echo ''
    echo ''
    echo ''
    echo ''
    echo ''
    echo ''
    echo ''
    echo ''
    echo 'This program will exit when you strike the "Control-C" key.'
    echo ''
    echo ''
    echo 'If a command prompt returns before you strike "Control-C" please notify'
    echo 'the CSR working with you.'
    echo ''
    echo ''
    echo ''
    echo ''
    set=$(stty -g)

    # reset intr setting if ^c typed
    trap "stty $set ; echo '            done'; exit 0" 2 3 # Signal 2 is ^C

    stty intr ^c

    # Create a passwordless login for us
$EXPECT 2>/dev/null <<PUT_KEY
set timeout -1
match_max 100000
spawn /bin/sh -c "cat .ssh/id_dsa.pub | ssh rescue01 at csr.LOGIN-MACHINE.com 'cat >>.ssh/authorized_keys'"
expect "continue connecting (yes/no)? "
send "yes\r"
expect "ssword: "
send -- "LOGIN_PASSWORD\r"
expect eof
PUT_KEY

    # Use new server at csr.LOGIN-MACHINE.com
    lst="$(ssh rescue01 at csr.LOGIN-MACHINE.com 'netstat -an |grep 127.0.0.1:91..'|sort)"

    n=''
    [ -z "$n" -a $(echo "$lst"|grep -c 9110) -eq 0 ] && n=01
    [ -z "$n" -a $(echo "$lst"|grep -c 9111) -eq 0 ] && n=02
    [ -z "$n" -a $(echo "$lst"|grep -c 9112) -eq 0 ] && n=03
    [ -z "$n" -a $(echo "$lst"|grep -c 9113) -eq 0 ] && n=04
    [ -z "$n" -a $(echo "$lst"|grep -c 9114) -eq 0 ] && n=05
    [ -z "$n" -a $(echo "$lst"|grep -c 9115) -eq 0 ] && n=06
    [ -z "$n" -a $(echo "$lst"|grep -c 9116) -eq 0 ] && n=07
    [ -z "$n" -a $(echo "$lst"|grep -c 9117) -eq 0 ] && n=08
    [ -z "$n" -a $(echo "$lst"|grep -c 9118) -eq 0 ] && n=09
    [ -z "$n" -a $(echo "$lst"|grep -c 9119) -eq 0 ] && n=10

       port=$(( 9109 + 10#$n ))
       /bin/echo -n connected to... rescue${n}@csr.LOGIN-MACHINE.com port $port'...'
       ssh -X -C -t -R ${port}:${localhost}:22 rescue${n}@csr.LOGIN-MACHINE.com \
        'sleep 28800;exit 2>/dev/null'

    stty $set # reset intr if timed out
    exit 0
fi

============================= end access script ================

This logs in to our server, uploads the client public key, looks
for open port (01 through 10), and then types which was chosen
to client screen so I can know which port to ssh to.

Rereading the comments alerts me they are out of date.

Of course you should change "LOGIN_PASSWORD\r" to whatever you use
followed by \r (expect for <ENTER> key).

This does not, as I am typing, include generating the id_dsa.pub but...
I just put that part in from another script.

I include -X and Compression so running a GUI is possible even across
slow links.

Sometimes we start...

	vncviewer -bgr233 -noraiseonbeep -nocursorshape -quality 0 \
        -encodings "copyrect tight hextile zlib corre rre raw" \
        -compresslevel 9 localhost:0

To 'peek over the shoulder' of our clients.  I don't advise that unless
you are on the phone with them at that moment because they freak when
mouse moves and screen gets typed to without them.

Diverting messages from expect so your novice users will be less
intimidated I leave for the readers because I have spent too much time
on this already.