Re: Remote Debian installation assistance for newbies using WireGuard VPN
On Wed, 2018-04-25 at 18:17 +0200, Philip Hands wrote:
> ST writes:
>
> > On Wed, 2018-04-25 at 14:50 +0200, Philip Hands wrote:
> >> ST writes:
> >>
> >> > Hello Debian Install System Team,
> >> >
> >> > there used to be Linux install parties - a very cool event in itself and
> >> > a way to bring new users into community. However it is not so easy to
> >> > organize and it is somewhat limiting in time and space.
> >> >
> >> > Several weeks ago I learned about the kernel-space VPN - WireGuard [1]
> >> > and was so positively shocked by the ease of its configuration/use [2]
> >> > so that I don't stop to think how it can be effectively utilized.
> >> >
> >> > Today I was thinking whether it would be possible to use this technology
> >> > to enable an experienced Linux user to help a fellow newbie to install
> >> > Debian on his Windows box?...
> >> >
> >> > The idea is to add a "Remote assistance mode" into win32-loader. Once
> >> > toggled - it will preseed and run Debian Installer (after reboot)
> >> > without any interaction until it:
> >> > 1. creates a WG interface,
> >> > 2. obtains an IP from a (not yet extant) Debian WireGuard VPN server [3]
> >> > (the assisting Linux profi also should be part of this VPN so he can SSH
> >> > to the newbie through NAT).
> >> > 3. runs SSH server listening on that IP.
> >> > 4. generates a short random password for the root user and displays it
> >> > together with its IP from step #2 on the monitor of the newbie. This
> >> > information (IP and root's password) is communicated by newbie to his
> >> > Linux profi friend by phone/sms/etc..
> >> >
> >> > From this point on the Linux profi can SSH to the box and continue the
> >> > installation process in text mode.
> >> >
> >> > Is something like this possible?
> >>
> >> I've not yet used WireGuard, but from what I can see one needs a unique
> >> key per client to be known to the server (perhaps there's a way of
> >> telling it not to care). Also, the examples around the place also seem
> >> to suggest that one needs a UDP port per connection.
> >>
> >> Also, the wireguard.com front page does currently say:
> >>
> >>   WireGuard is not yet complete. _You should not rely on this code._
> >>
> >> Anyway, I don't see that one actually needs WireGuard to implement it.
> >>
> >> A similar result could be achieved by configuring the new system to ssh
> >> to a server somewhere, and either have that connection used for the
> >> remote control, or have ssh also do port-forwarding back to the new
> >> installation.
> >
> > Indeed?!... I'm positively shocked once again... Never knew it could be
> > possible. Let's say we have a newbie (with a private IP - N which is
> > behind NAT) and the same for a profie with IP P. And a publicly visible
> > server with the IP S. Let's say both can SSH to S:22 and know each
> > others' passwords/keys.
> >
> > Could you, please, describe in detail how one can implement both
> > approaches, namely:
> >
> > 1. "to ssh to a server somewhere, and either have that connection used",
> > i.e. `ssh newbie@S:22`... so what now? How profi can get through to N?
>
> Many years ago I used to plumb things like this together with expect,
> but there's bound to be a better way to do it these days -- tmate.io
> (mentioned elsewhere in the thread) seems like it might be part of such
> a solution. It doesn't strike me as the optimal approach though.
>
> > 2. "or have ssh also do port-forwarding back to the new installation"
> > could you, please show the sequence of commands to achieve this?
>
> One would use something like this on the target system:
>
>   ssh -R 0:localhost:22 newbie@S

After several days of trials I came to the following simple solution - there
is no need for two accounts, just one, and it works like this:

  autossh -M 8000 -f -N -T -R 10023:localhost:22 -p 8482 pub...@debiantunneling.org

- where 10023 is a random port chosen by Debian Installer together with a
  random root password to be communicated to the profi
- 8482 is a custom SSH port
- 8000/8001 is used by autossh to monitor the connection

> which leaves you with the challenge of telling the "profi" the port
> that's been allocated, which is probably scriptable on the server
> somehow, at which point they can do what boils down to:
>
>   ssh -J profie@S:22 -p $DYN_PORT root@localhost

and indeed profi can connect by issuing:

  ssh -J pub...@debiantunneling.org:8482 -p 10023 root@localhost

>
> which should jump via the server, up the reverse port forward, and then
> onto the target.
>
> Making that so that nobody gets to do anything nasty on the server or to
> connect to the wrong newbie is left as an exercise to the reader ;-)

This turned out to be very simple for this single `public` account, just
revoke interactive shell:

  usermod -s /bin/false public

That's it - no nasty things on the server, even though the commands above
work and profis can't SSH to other newbies as each
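An added example, not part of the original thread: a login shell of /bin/false stops interactive sessions, but port forwarding is governed by separate sshd settings, so this sketch checks the effective settings of a shared tunnel account. It reads `sshd -T` output on stdin; `audit_tunnel_account` and the two sample inputs are hypothetical and constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the effective sshd settings of a shared tunnel account.
# On the server (as root), feed it what sshd would apply to the account,
# e.g. for the thread's "public" user:
#   sshd -T -C user=public,host=localhost,addr=127.0.0.1 | audit_tunnel_account
# sshd -T prints one "keyword value..." pair per line, keywords in lower case.

# Prints one finding per line; prints nothing when no check fires.
# Missing keywords fall back to the OpenSSH defaults.
audit_tunnel_account() {
    awk '
    function get(k, dflt) { return (k in cfg) ? cfg[k] : dflt }
    NF >= 2 { key = $1; $1 = ""; sub(/^ +/, ""); cfg[key] = $0 }
    END {
        fwd = get("allowtcpforwarding", "yes")
        local_fwd  = (fwd == "yes" || fwd == "all" || fwd == "local")
        remote_fwd = (fwd == "yes" || fwd == "all" || fwd == "remote")
        # ssh -J uses a forwarded connection from the jump host to the target.
        if (local_fwd && get("permitopen", "any") == "any")
            print "permitopen: forwarding from the server to any host:port is allowed"
        # ssh -R asks the server to listen; unrestricted means any free port.
        if (remote_fwd && get("permitlisten", "any") == "any")
            print "permitlisten: reverse tunnels may bind any port (PermitListen needs OpenSSH 7.8+)"
        if (remote_fwd && get("gatewayports", "no") != "no")
            print "gatewayports: reverse tunnels can listen on non-loopback addresses"
        if (get("allowstreamlocalforwarding", "yes") != "no")
            print "allowstreamlocalforwarding: Unix-socket forwarding is enabled"
        if (get("permittunnel", "no") != "no")
            print "permittunnel: tun device forwarding is enabled"
    }'
}

# Constructed excerpt: stock defaults, only the login shell was changed.
sample_default() {
    cat <<'EOF'
allowtcpforwarding yes
gatewayports no
permitopen any
permitlisten any
allowstreamlocalforwarding yes
permittunnel no
EOF
}

# Constructed excerpt: a Match block limiting the account to one tunnel port.
sample_hardened() {
    cat <<'EOF'
allowtcpforwarding yes
gatewayports no
permitopen localhost:10023
permitlisten 10023
allowstreamlocalforwarding no
permittunnel no
EOF
}

echo "== defaults =="; sample_default | audit_tunnel_account
echo "== hardened =="; sample_hardened | audit_tunnel_account
```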
Re: Remote Debian installation assistance for newbies using WireGuard VPN
On Wed, 2018-04-25 at 18:17 +0200, Philip Hands wrote:
> ST writes:
>
> > On Wed, 2018-04-25 at 14:50 +0200, Philip Hands wrote:
> >> ST writes:
> >>
> >> > Hello Debian Install System Team,
> >> >
> >> > there used to be Linux install parties - a very cool event in itself and
> >> > a way to bring new users into community. However it is not so easy to
> >> > organize and it is somewhat limiting in time and space.
> >> >
> >> > Several weeks ago I learned about the kernel-space VPN - WireGuard [1]
> >> > and was so positively shocked by the ease of its configuration/use [2]
> >> > so that I don't stop to think how it can be effectively utilized.
> >> >
> >> > Today I was thinking whether it would be possible to use this technology
> >> > to enable an experienced Linux user to help a fellow newbie to install
> >> > Debian on his Windows box?...
> >> >
> >> > The idea is to add a "Remote assistance mode" into win32-loader. Once
> >> > toggled - it will preseed and run Debian Installer (after reboot)
> >> > without any interaction until it:
> >> > 1. creates a WG interface,
> >> > 2. obtains an IP from a (not yet extant) Debian WireGuard VPN server [3]
> >> > (the assisting Linux profi also should be part of this VPN so he can SSH
> >> > to the newbie through NAT).
> >> > 3. runs SSH server listening on that IP.
> >> > 4. generates a short random password for the root user and displays it
> >> > together with its IP from step #2 on the monitor of the newbie. This
> >> > information (IP and root's password) is communicated by newbie to his
> >> > Linux profi friend by phone/sms/etc..
> >> >
> >> > From this point on the Linux profi can SSH to the box and continue the
> >> > installation process in text mode.
> >> >
> >> > Is something like this possible?
> >>
> >> I've not yet used WireGuard, but from what I can see one needs a unique
> >> key per client to be known to the server (perhaps there's a way of
> >> telling it not to care). Also, the examples around the place also seem
> >> to suggest that one needs a UDP port per connection.
> >>
> >> Also, the wireguard.com front page does currently say:
> >>
> >>   WireGuard is not yet complete. _You should not rely on this code._
> >>
> >> Anyway, I don't see that one actually needs WireGuard to implement it.
> >>
> >> A similar result could be achieved by configuring the new system to ssh
> >> to a server somewhere, and either have that connection used for the
> >> remote control, or have ssh also do port-forwarding back to the new
> >> installation.
> >
> > Indeed?!... I'm positively shocked once again... Never knew it could be
> > possible. Let's say we have a newbie (with a private IP - N which is
> > behind NAT) and the same for a profie with IP P. And a publicly visible
> > server with the IP S. Let's say both can SSH to S:22 and know each
> > others' passwords/keys.
> >
> > Could you, please, describe in detail how one can implement both
> > approaches, namely:
> >
> > 1. "to ssh to a server somewhere, and either have that connection used",
> > i.e. `ssh newbie@S:22`... so what now? How profi can get through to N?
>
> Many years ago I used to plumb things like this together with expect,
> but there's bound to be a better way to do it these days -- tmate.io
> (mentioned elsewhere in the thread) seems like it might be part of such
> a solution. It doesn't strike me as the optimal approach though.
>
> > 2. "or have ssh also do port-forwarding back to the new installation"
> > could you, please show the sequence of commands to achieve this?
>
> One would use something like this on the target system:
>
>   ssh -R 0:localhost:22 newbie@S
>
> which leaves you with the challenge of telling the "profi" the port
> that's been allocated, which is probably scriptable on the server
> somehow,

It sounds like a great approach. The port should be allocated randomly
from available ports instead of the VPN IP from step #2 above. This random
port together with the random root password will be displayed on newbie's
monitor. Both credentials he will pass by phone to the profi.

> at which point they can do what boils down to:
>
>   ssh -J profie@S:22 -p $DYN_PORT root@localhost
>
> which should jump via the server, up the reverse port forward, and then
> onto the target.
>
> Making that so that nobody gets to do anything nasty on the server

This should be no problem: there will be two accounts (with known
private/public keys) - newbie and profi. On the newbie account you'll
block absolutely every possible command (with *) via `visudo`. For the
profi you'll block via `visudo` almost everything except for `ssh` command
with very strict possible arguments which enable only utilizing the
reverse tunnel established by newbies.

> or to
> connect to the wrong newbie

There is nothing to implement here - if a profi tries to connect to some
other newbie - he will fail, since he doesn't know his local root
password. I
Re: Remote Debian installation assistance for newbies using WireGuard VPN
ST writes:

> On Wed, 2018-04-25 at 14:50 +0200, Philip Hands wrote:
>> ST writes:
>>
>> > Hello Debian Install System Team,
>> >
>> > there used to be Linux install parties - a very cool event in itself and
>> > a way to bring new users into community. However it is not so easy to
>> > organize and it is somewhat limiting in time and space.
>> >
>> > Several weeks ago I learned about the kernel-space VPN - WireGuard [1]
>> > and was so positively shocked by the ease of its configuration/use [2]
>> > so that I don't stop to think how it can be effectively utilized.
>> >
>> > Today I was thinking whether it would be possible to use this technology
>> > to enable an experienced Linux user to help a fellow newbie to install
>> > Debian on his Windows box?...
>> >
>> > The idea is to add a "Remote assistance mode" into win32-loader. Once
>> > toggled - it will preseed and run Debian Installer (after reboot)
>> > without any interaction until it:
>> > 1. creates a WG interface,
>> > 2. obtains an IP from a (not yet extant) Debian WireGuard VPN server [3]
>> > (the assisting Linux profi also should be part of this VPN so he can SSH
>> > to the newbie through NAT).
>> > 3. runs SSH server listening on that IP.
>> > 4. generates a short random password for the root user and displays it
>> > together with its IP from step #2 on the monitor of the newbie. This
>> > information (IP and root's password) is communicated by newbie to his
>> > Linux profi friend by phone/sms/etc..
>> >
>> > From this point on the Linux profi can SSH to the box and continue the
>> > installation process in text mode.
>> >
>> > Is something like this possible?
>>
>> I've not yet used WireGuard, but from what I can see one needs a unique
>> key per client to be known to the server (perhaps there's a way of
>> telling it not to care). Also, the examples around the place also seem
>> to suggest that one needs a UDP port per connection.
>>
>> Also, the wireguard.com front page does currently say:
>>
>>   WireGuard is not yet complete. _You should not rely on this code._
>>
>> Anyway, I don't see that one actually needs WireGuard to implement it.
>>
>> A similar result could be achieved by configuring the new system to ssh
>> to a server somewhere, and either have that connection used for the
>> remote control, or have ssh also do port-forwarding back to the new
>> installation.
>
> Indeed?!... I'm positively shocked once again... Never knew it could be
> possible. Let's say we have a newbie (with a private IP - N which is
> behind NAT) and the same for a profie with IP P. And a publicly visible
> server with the IP S. Let's say both can SSH to S:22 and know each
> others' passwords/keys.
>
> Could you, please, describe in detail how one can implement both
> approaches, namely:
>
> 1. "to ssh to a server somewhere, and either have that connection used",
> i.e. `ssh newbie@S:22`... so what now? How profi can get through to N?

Many years ago I used to plumb things like this together with expect,
but there's bound to be a better way to do it these days -- tmate.io
(mentioned elsewhere in the thread) seems like it might be part of such
a solution. It doesn't strike me as the optimal approach though.

> 2. "or have ssh also do port-forwarding back to the new installation"
> could you, please show the sequence of commands to achieve this?

One would use something like this on the target system:

  ssh -R 0:localhost:22 newbie@S

which leaves you with the challenge of telling the "profi" the port
that's been allocated, which is probably scriptable on the server
somehow, at which point they can do what boils down to:

  ssh -J profie@S:22 -p $DYN_PORT root@localhost

which should jump via the server, up the reverse port forward, and then
onto the target.

Making that so that nobody gets to do anything nasty on the server or to
connect to the wrong newbie is left as an exercise to the reader ;-)

Cheers, Phil.
-- 
|)| Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-| http://www.hands.com/    http://ftp.uk.debian.org/
|(| Hugo-Klemm-Strasse 34,   21075 Hamburg,    GERMANY
Re: Remote Debian installation assistance for newbies using WireGuard VPN
On Wed, 2018-04-25 at 14:50 +0200, Philip Hands wrote:
> ST writes:
>
> > Hello Debian Install System Team,
> >
> > there used to be Linux install parties - a very cool event in itself and
> > a way to bring new users into community. However it is not so easy to
> > organize and it is somewhat limiting in time and space.
> >
> > Several weeks ago I learned about the kernel-space VPN - WireGuard [1]
> > and was so positively shocked by the ease of its configuration/use [2]
> > so that I don't stop to think how it can be effectively utilized.
> >
> > Today I was thinking whether it would be possible to use this technology
> > to enable an experienced Linux user to help a fellow newbie to install
> > Debian on his Windows box?...
> >
> > The idea is to add a "Remote assistance mode" into win32-loader. Once
> > toggled - it will preseed and run Debian Installer (after reboot)
> > without any interaction until it:
> > 1. creates a WG interface,
> > 2. obtains an IP from a (not yet extant) Debian WireGuard VPN server [3]
> > (the assisting Linux profi also should be part of this VPN so he can SSH
> > to the newbie through NAT).
> > 3. runs SSH server listening on that IP.
> > 4. generates a short random password for the root user and displays it
> > together with its IP from step #2 on the monitor of the newbie. This
> > information (IP and root's password) is communicated by newbie to his
> > Linux profi friend by phone/sms/etc..
> >
> > From this point on the Linux profi can SSH to the box and continue the
> > installation process in text mode.
> >
> > Is something like this possible?
>
> I've not yet used WireGuard, but from what I can see one needs a unique
> key per client to be known to the server (perhaps there's a way of
> telling it not to care). Also, the examples around the place also seem
> to suggest that one needs a UDP port per connection.
>
> Also, the wireguard.com front page does currently say:
>
>   WireGuard is not yet complete. _You should not rely on this code._
>
> Anyway, I don't see that one actually needs WireGuard to implement it.
>
> A similar result could be achieved by configuring the new system to ssh
> to a server somewhere, and either have that connection used for the
> remote control, or have ssh also do port-forwarding back to the new
> installation.

Indeed?!... I'm positively shocked once again... Never knew it could be
possible. Let's say we have a newbie (with a private IP - N which is
behind NAT) and the same for a profie with IP P. And a publicly visible
server with the IP S. Let's say both can SSH to S:22 and know each
others' passwords/keys.

Could you, please, describe in detail how one can implement both
approaches, namely:

1. "to ssh to a server somewhere, and either have that connection used",
i.e. `ssh newbie@S:22`... so what now? How profi can get through to N?

2. "or have ssh also do port-forwarding back to the new installation"
could you, please show the sequence of commands to achieve this?

>
> Of course we then have to work out under what circumstances the user
> should trust that person to be connected to their network,

I think a usual case is when they are just friends and trust each other
and have another shared communication channel, like phone/etc.. It's kind
of what TeamViewer is doing. The innovative part here though is to enable
terminal sharing for _bootstrapping_ a _not yet existent_ OS!

Thank you!
Re: Remote Debian installation assistance for newbies using WireGuard VPN
tmate.io seems well suited for this.
Re: Remote Debian installation assistance for newbies using WireGuard VPN
On Wed, 2018-04-25 at 14:50 +0200, Philip Hands wrote:
> Of course we then have to work out under what circumstances the user
> should trust that person to be connected to their network, the
> implications of which one cannot really expect a newbie to fully
> grasp.

I'm reminded of https://debug-me.branchable.com/

Ian.
Re: Remote Debian installation assistance for newbies using WireGuard VPN
ST writes:

> Hello Debian Install System Team,
>
> there used to be Linux install parties - a very cool event in itself and
> a way to bring new users into community. However it is not so easy to
> organize and it is somewhat limiting in time and space.
>
> Several weeks ago I learned about the kernel-space VPN - WireGuard [1]
> and was so positively shocked by the ease of its configuration/use [2]
> so that I don't stop to think how it can be effectively utilized.
>
> Today I was thinking whether it would be possible to use this technology
> to enable an experienced Linux user to help a fellow newbie to install
> Debian on his Windows box?...
>
> The idea is to add a "Remote assistance mode" into win32-loader. Once
> toggled - it will preseed and run Debian Installer (after reboot)
> without any interaction until it:
> 1. creates a WG interface,
> 2. obtains an IP from a (not yet extant) Debian WireGuard VPN server [3]
> (the assisting Linux profi also should be part of this VPN so he can SSH
> to the newbie through NAT).
> 3. runs SSH server listening on that IP.
> 4. generates a short random password for the root user and displays it
> together with its IP from step #2 on the monitor of the newbie. This
> information (IP and root's password) is communicated by newbie to his
> Linux profi friend by phone/sms/etc..
>
> From this point on the Linux profi can SSH to the box and continue the
> installation process in text mode.
>
> Is something like this possible?

I've not yet used WireGuard, but from what I can see one needs a unique
key per client to be known to the server (perhaps there's a way of
telling it not to care). Also, the examples around the place also seem
to suggest that one needs a UDP port per connection.

Also, the wireguard.com front page does currently say:

  WireGuard is not yet complete. _You should not rely on this code._

Anyway, I don't see that one actually needs WireGuard to implement it.

A similar result could be achieved by configuring the new system to ssh
to a server somewhere, and either have that connection used for the
remote control, or have ssh also do port-forwarding back to the new
installation.

Of course we then have to work out under what circumstances the user
should trust that person to be connected to their network, the
implications of which one cannot really expect a newbie to fully
grasp.

Cheers, Phil.
-- 
|)| Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-| http://www.hands.com/    http://ftp.uk.debian.org/
|(| Hugo-Klemm-Strasse 34,   21075 Hamburg,    GERMANY
Remote Debian installation assistance for newbies using WireGuard VPN
Hello Debian Install System Team,

there used to be Linux install parties - a very cool event in itself and
a way to bring new users into community. However it is not so easy to
organize and it is somewhat limiting in time and space.

Several weeks ago I learned about the kernel-space VPN - WireGuard [1]
and was so positively shocked by the ease of its configuration/use [2]
so that I don't stop to think how it can be effectively utilized.

Today I was thinking whether it would be possible to use this technology
to enable an experienced Linux user to help a fellow newbie to install
Debian on his Windows box?...

The idea is to add a "Remote assistance mode" into win32-loader. Once
toggled - it will preseed and run Debian Installer (after reboot)
without any interaction until it:
1. creates a WG interface,
2. obtains an IP from a (not yet extant) Debian WireGuard VPN server [3]
(the assisting Linux profi also should be part of this VPN so he can SSH
to the newbie through NAT).
3. runs SSH server listening on that IP.
4. generates a short random password for the root user and displays it
together with its IP from step #2 on the monitor of the newbie. This
information (IP and root's password) is communicated by newbie to his
Linux profi friend by phone/sms/etc..

From this point on the Linux profi can SSH to the box and continue the
installation process in text mode.

Is something like this possible?

Thank you!

[1]: https://www.wireguard.com/
[2]: https://linode.com/docs/networking/vpn/set-up-wireguard-vpn-on-ubuntu/
[3]: here is a short demo of how it could be done:
https://git.zx2c4.com/WireGuard/tree/contrib/examples/ncat-client-server