Re: Remote Debian installation assistance for newbies using WireGuard VPN
On Wed, 2018-04-25 at 18:17 +0200, Philip Hands wrote:
> ST <firstname.lastname@example.org> writes:
> > On Wed, 2018-04-25 at 14:50 +0200, Philip Hands wrote:
> >> ST <email@example.com> writes:
> >> > Hello Debian Install System Team,
> >> >
> >> > there used to be Linux install parties - a very cool event in itself and
> >> > a way to bring new users into community. However it is not so easy to
> >> > organize and it is somewhat limiting in time and space.
> >> >
> >> > Several weeks ago I learned about the kernel-space VPN - WireGuard 
> >> > and was so positively shocked by the ease of it's configuration/use 
> >> > so that I don't stop to think how it can be effectively utilized.
> >> >
> >> > Today I was thinking whether it would be possible to use this technology
> >> > to enable an experienced Linux user to help a fellow newbie to install
> >> > Debian on his Windows box?...
> >> >
> >> > The idea is to add an "Remote assistance mode" into win32-loader. Once
> >> > toggled - it will preseed and run Debian Installer (after reboot)
> >> > without any interaction until it:
> >> > 1. creates a WG interface,
> >> > 2. obtains an IP from a (not yet extent) Debian WireGuard VPN server 
> >> > (the assisting Linux profi also should be part of this VPN so he can SSH
> >> > to the newbie through NAT).
> >> > 3. runs SSH server listening on that IP.
> >> > 4. generates a short random password for the root user and displays it
> >> > together with its IP from step #2 on the monitor of the newbie. This
> >> > information (IP and root's password) are communicated by newbie to his
> >> > Linux profi friend by phone/sms/etc..
> >> >
> >> >>From this point on the Linux profi can SSH to the box and continue the
> >> > installation process in text mode.
> >> >
> >> > Is something like this possible?
> >> I've not yet used WireGuard, but from what I can see one needs a unique
> >> key per client to be known to the server (perhaps there's a way of
> >> telling it not to care). Also, the examples around the place also seem
> >> to suggest that one needs a UDP port per connection.
> >> Also, the wireguard.com front page does currently say:
> >> WireGuard is not yet complete. _You should not rely on this code._
> >> Anyway, I don't see that one actually needs WireGuard to implement it.
> >> A similar result could be achieved by configuring the new system to ssh
> >> to a server somewhere, and either have that connection used for the
> >> remote control, or have ssh also do port-forwarding back to the new
> >> installation.
> > Indeed?!... I'm positively shocked once again... Never knew it could be
> > possible. Let's say we have a newbie (with a private IP - N which is
> > behind NAT) and the same for a profie with IP P. And a publicly visible
> > server with the IP S. Let's say both can SSH to S:22 and know each
> > others' passwords/keys.
> > Could you, please, describe in details how one can implement both
> > approaches, namely:
> > 1. "to ssh to a server somewhere, and either have that connection used",
> > i.e. `ssh newbie@S:22`... so what now? How profi can get through to N?
> Many years ago I used to plumb things like this together with expect,
> but there's bound to be a better way to do it these days -- tmate.io
> (mentioned elsewhere in the thread) seems like it might be part of such
> a solution. I doesn't trike me as the optimal approach though.
> > 2. "or have ssh also do port-forwarding back to the new installation"
> > could you, please show the sequence of commands to achieve this?
> One would use something like this on the target system:
> ssh -R 0:localhost:22 newbie@S
After several days of trials I came to following simple solution - there
is no need for two accounts, just one, and it works like this:
autossh -M 8000 -f -N -T -R 10023:localhost:22 -p 8482
- where 10023 is a random port chosen by Debian Installer together with a random
root password to be communicated to the profi
- 8482 is a custom SSH port
- 8000/8001 is used by autossh to monitor the connection
> which leaves you with the challenge of telling the "profi" the port
> that's been allocated, which is probably scriptable on the server
> somehow, at which point they can do what boils down to:
> ssh -J profie@S:22 -p $DYN_PORT root@localhost
and indeed profi can connect by issuing:
ssh -J firstname.lastname@example.org:8482 -p 10023 root@localhost
> which should jump via the server, up the reverse port forward, and then
> onto the target.
> Making that so that nobody gets to do anything nasty on the server or to
> connect to the wrong newbie is left as an excercise to the reader ;-)
This turned out to be very simple for this single `public` account,
just revoke interactive shell:
usermod -s /bin/false public
That's it - no nasty things on the server, even though the commands
above work and profis can't SSH to other newbies as each of them has his
own custom random root password.
As mentioned before this sort of "Assist Me" feature can be used both
for initial installation and for further support afterwards. This can
enable online Debian Install Parties not bound to time/space and
significantly accelerate Debian adoption (it is also possible to enable
graphical Desktop Sharing via VNC this way).
Where should I file a feature request for this?