----- Forwarded message from "Shawn C. Powell" shawncp@kcnet.com -----
From: "Shawn C. Powell" shawncp@kcnet.com
To: kclug@kclug.org
Subject: Re: Remote access partition and install Linux. With a Near Zero skilled operator at the remote site.
Date: Wed, 23 Jan 2008 13:35:09 -0600
It seems like the hurdle is bootstrapping, in as simple a manner as possible, some kind of connectivity so you can proceed with the work.
What about setting up a VPN server on your end and let them connect to you? PoPToP on your end for Windows --- I'm not sure what kind of built-in/easy VPN clients Knoppix provides.
----- End forwarded message -----
CSR is short for Customer Support Representative.
We set up logins on an otherwise little-used web server and then put this into a script named 'access' on the client machines...
#!/bin/bash
# this script lets DSI access this computer via ssh
# =========================================================
# ssh -R 2500:localhost:22 rescue@newweb
#
# then ssh to newweb (internal name for csr.LOGIN-MACHINE.com) and...
#
# /usr/bin/ssh -C -X -p2500 rescue@localhost 2>/dev/null
#
# will present a login prompt from the customer machine behind a linksys router
#
# 'rescue@' is an account pre-created on client machine
# for just this script.
#
# rescue01 through rescue10 are newweb logins which all share
# login dir and /etc/passwd user id number.
# =========================================================

localhost=127.0.0.1
EXPECT=$(type -p expect|sed 's/.* //')

# ============== generate key ====================
# Generate new key files...
/bin/rm -fr /home/rescue/.ssh
mkdir /home/rescue/.ssh
chmod 700 /home/rescue/.ssh
# an empty id_dsa makes ssh-keygen always ask "Overwrite", which expect answers
touch /home/rescue/.ssh/id_dsa

$EXPECT <<KEY_GEN
set timeout -1
match_max 100000
spawn ssh-keygen -f /home/rescue/.ssh/id_dsa -t dsa
expect "Overwrite (y/n)? "
send "yes\r"
expect "empty for no passphrase): "
send -- "\r"
expect "Enter same passphrase again: "
send -- "\r"
expect eof
KEY_GEN
# ============== end generate key ================

# tell the user what's going on
echo ''
echo ''
echo ''
echo ''
echo ''
echo ''
echo ''
echo ''
echo ''
echo 'This program will exit when you strike the "Control-C" key.'
echo ''
echo ''
echo 'If a command prompt returns before you strike "Control-C" please notify'
echo 'the CSR working with you.'
echo ''
echo ''
echo ''
echo ''
set=$(stty -g)   # save the terminal settings so they can be restored on exit

# reset intr setting if ^c typed
trap "stty $set ; echo ' done'; exit 0" 2 3   # Signal 2 is ^C, 3 is ^\

stty intr ^c

# Create a passwordless login for us
# The host-key question only appears on the first connection, so both
# prompts are handled in one expect block instead of waiting on each in turn.
$EXPECT 2>/dev/null <<PUT_KEY
set timeout -1
match_max 100000
spawn /bin/sh -c "cat /home/rescue/.ssh/id_dsa.pub | ssh rescue01@csr.LOGIN-MACHINE.com 'cat >>.ssh/authorized_keys'"
expect {
    "continue connecting*? " { send "yes\r"; exp_continue }
    "ssword: "               { send -- "LOGIN_PASSWORD\r" }
}
expect eof
PUT_KEY

# Use new server at csr.LOGIN-MACHINE.com
lst="$(ssh rescue01@csr.LOGIN-MACHINE.com 'netstat -an |grep 127.0.0.1:91..'|sort)"

n=''
[ -z "$n" -a $(echo "$lst"|grep -c 9110) -eq 0 ] && n=01
[ -z "$n" -a $(echo "$lst"|grep -c 9111) -eq 0 ] && n=02
[ -z "$n" -a $(echo "$lst"|grep -c 9112) -eq 0 ] && n=03
[ -z "$n" -a $(echo "$lst"|grep -c 9113) -eq 0 ] && n=04
[ -z "$n" -a $(echo "$lst"|grep -c 9114) -eq 0 ] && n=05
[ -z "$n" -a $(echo "$lst"|grep -c 9115) -eq 0 ] && n=06
[ -z "$n" -a $(echo "$lst"|grep -c 9116) -eq 0 ] && n=07
[ -z "$n" -a $(echo "$lst"|grep -c 9117) -eq 0 ] && n=08
[ -z "$n" -a $(echo "$lst"|grep -c 9118) -eq 0 ] && n=09
[ -z "$n" -a $(echo "$lst"|grep -c 9119) -eq 0 ] && n=10

# bail out cleanly if all ten rescue ports are already in use
if [ -z "$n" ]; then
    echo 'No free rescue port on csr.LOGIN-MACHINE.com; please notify the CSR working with you.'
    stty $set
    exit 1
fi

port=$(( 9109 + 10#$n ))
/bin/echo -n connected to... rescue${n}@csr.LOGIN-MACHINE.com port $port'...'
ssh -X -C -t -R ${port}:${localhost}:22 rescue${n}@csr.LOGIN-MACHINE.com \
    'sleep 28800;exit 2>/dev/null'

stty $set   # reset intr if timed out
exit 0
============================= end access script ================
This logs in to our server, uploads the client public key, looks for an open port (01 through 10), and then prints which one was chosen to the client screen so I know which port to ssh to.
Rereading the comments alerts me they are out of date.
Of course you should change "LOGIN_PASSWORD\r" to whatever you use, followed by \r (expect's notation for the <ENTER> key).
This does not, as I am typing, include generating the id_dsa.pub but... I just put that part in from another script.
I include -X and compression so running a GUI is possible even across slow links.
Sometimes we start...

vncviewer -bgr233 -noraiseonbeep -nocursorshape -quality 0 \
    -encodings "copyrect tight hextile zlib corre rre raw" \
    -compresslevel 9 localhost:0

to 'peek over the shoulder' of our clients. I don't advise that unless you are on the phone with them at that moment, because they freak out when the mouse moves and the screen gets typed to without them.
Diverting the messages from expect, so your novice users will be less intimidated, I leave to the reader because I have spent too much time on this already.
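As an added example (not part of the original post or of the 'access' script above), here is a POSIX sh function that generalises the hard-coded chain of ten "grep -c 911N" tests: it walks the rescue slots, anchors the match on the full "127.0.0.1:PORT" token so a bare substring hit on another column cannot hide a free slot, and returns a failure instead of leaving n empty when every port is bound. The netstat listing, the base port 9109 and the slot count 10 are taken from the script; the listing contents are constructed sample data.

```shell
#!/bin/sh
# Added example: choose the first free reverse-tunnel slot from the server's
# loopback netstat listing.  Not from the original 'access' script.
# Constructed sample listing (not captured output): slots 01, 02 and 04 are busy.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:9110          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9111          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9113          0.0.0.0:*               LISTEN'

# pick_free_port LISTING BASE COUNT
# Prints "NN PORT" for the first slot NN in 01..COUNT whose port BASE+NN is
# not listening on 127.0.0.1 in LISTING.  Returns 1 if every slot is busy.
pick_free_port() {
    listing=$1; base=$2; count=$3
    i=1
    while [ "$i" -le "$count" ]; do
        port=$((base + i))
        # Anchor on "127.0.0.1:PORT" followed by whitespace so that, unlike a
        # bare "grep -c 9110", a foreign port such as 49110 on another line
        # does not count as slot 01 being taken.
        if ! printf '%s\n' "$listing" | grep -q "127\.0\.0\.1:${port}[[:space:]]"; then
            printf '%02d %d\n' "$i" "$port"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Demo with the constructed listing: 9110 and 9111 are bound, so slot 03 / port 9112 wins.
if slot=$(pick_free_port "$SAMPLE_NETSTAT" 9109 10); then
    echo "connected to... rescue${slot% *}@csr.LOGIN-MACHINE.com port ${slot#* }..."
else
    echo 'no free rescue slot on the server; notify the CSR and try again later' >&2
fi
```

In the script this would replace the ten `[ -z "$n" ... ] && n=NN` lines and the `10#$n` arithmetic: `n=${slot% *}` and `port=${slot#* }`.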