Re: Remote Debian installation assistance for newbies using WireGuard VPN

2018-05-01 Thread ST
On Wed, 2018-04-25 at 18:17 +0200, Philip Hands wrote:
> ST  writes:
> 
> > On Wed, 2018-04-25 at 14:50 +0200, Philip Hands wrote:
> >> ST  writes:
> >> 
> >> > Hello Debian Install System Team,
> >> >
> >> > there used to be Linux install parties - a very cool event in itself and
> >> > a way to bring new users into community. However it is not so easy to
> >> > organize and it is somewhat limiting in time and space.
> >> >
> >> > Several weeks ago I learned about the kernel-space VPN - WireGuard [1]
> >> > and was so positively shocked by the ease of its configuration/use [2]
> >> > so that I don't stop to think how it can be effectively utilized.
> >> >
> >> > Today I was thinking whether it would be possible to use this technology
> >> > to enable an experienced Linux user to help a fellow newbie to install
> >> > Debian on his Windows box?...
> >> >
> >> > The idea is to add a "Remote assistance mode" into win32-loader. Once
> >> > toggled - it will preseed and run Debian Installer (after reboot)
> >> > without any interaction until it:
> >> > 1. creates a WG interface,
> >> > 2. obtains an IP from a (not yet extant) Debian WireGuard VPN server [3]
> >> > (the assisting Linux profi also should be part of this VPN so he can SSH
> >> > to the newbie through NAT).
> >> > 3. runs SSH server listening on that IP.
> >> > 4. generates a short random password for the root user and displays it
> >> > together with its IP from step #2 on the monitor of the newbie. This
> >> > information (IP and root's password) are communicated by newbie to his
> >> > Linux profi friend by phone/sms/etc..
> >> >
> >> > From this point on the Linux profi can SSH to the box and continue the
> >> > installation process in text mode.
> >> >
> >> > Is something like this possible?
> >> 
> >> I've not yet used WireGuard, but from what I can see one needs a unique
> >> key per client to be known to the server (perhaps there's a way of
> >> telling it not to care).  Also, the examples around the place also seem
> >> to suggest that one needs a UDP port per connection.
> >> 
> >> Also, the wireguard.com front page does currently say:
> >> 
> >>   WireGuard is not yet complete. _You should not rely on this code._
> >> 
> >> Anyway, I don't see that one actually needs WireGuard to implement it.
> >> 
> >> A similar result could be achieved by configuring the new system to ssh
> >> to a server somewhere, and either have that connection used for the
> >> remote control, or have ssh also do port-forwarding back to the new
> >> installation.
> >
> > Indeed?!... I'm positively shocked once again... Never knew it could be
> > possible. Let's say we have a newbie (with a private IP - N which is
> > behind NAT) and the same for a profie with IP P. And a publicly visible
> > server with the IP S. Let's say both can SSH to S:22 and know each
> > others' passwords/keys.
> >
> > Could you, please, describe in detail how one can implement both
> > approaches, namely:
> >
> > 1. "to ssh to a server somewhere, and either have that connection used",
> > i.e. `ssh newbie@S:22`... so what now? How profi can get through to N?
> 
> Many years ago I used to plumb things like this together with expect,
> but there's bound to be a better way to do it these days -- tmate.io
> (mentioned elsewhere in the thread) seems like it might be part of such
> a solution.  It doesn't strike me as the optimal approach though.
> 
> > 2. "or have ssh also do port-forwarding back to the new installation"
> > could you, please show the sequence of commands to achieve this?
> 
> One would use something like this on the target system:
> 
>   ssh -R 0:localhost:22 newbie@S

After several days of trials I came to the following simple solution - there
is no need for two accounts, just one, and it works like this:

autossh -M 8000 -f -N -T -R 10023:localhost:22 -p 8482 pub...@debiantunneling.org

- where 10023 is a random port chosen by Debian Installer together with a random
root password to be communicated to the profi

- 8482 is a custom SSH port

- 8000/8001 is used by autossh to monitor the connection

> which leaves you with the challenge of telling the "profi" the port
> that's been allocated, which is probably scriptable on the server
> somehow, at which point they can do what boils down to:

>   ssh -J profie@S:22 -p $DYN_PORT root@localhost

and indeed profi can connect by issuing:

ssh -J pub...@debiantunneling.org:8482 -p 10023 root@localhost

> 
> which should jump via the server, up the reverse port forward, and then
> onto the target.
> 
> Making that so that nobody gets to do anything nasty on the server or to
> connect to the wrong newbie is left as an exercise to the reader ;-)

This turned out to be very simple for this single `public` account,
just revoke interactive shell:

usermod -s /bin/false public

That's it - no nasty things on the server, even though the commands
above work and profis can't SSH to other newbies as each 
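
What checking the server-side confinement of the shared `public` account could look like beyond the login shell, as an added example that is not part of this message or the thread: a shell audit of the `sshd_config` settings that would apply to that account. The `Match User public` block, the list of checked keywords and both sample configs are assumptions constructed here; 8482 and 10023 are the ports from the message above.

```sh
#!/bin/sh
# Added example, not from the thread. Simplifications: only "Match User"
# blocks with literal names are understood; Include is not followed.

# effective_setting FILE USER KEYWORD DEFAULT
# A matching Match block overrides the global section; first occurrence wins.
effective_setting() {
    awk -v user="$2" -v key="$3" -v def="$4" '
        BEGIN { key = tolower(key); applies = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        tolower($1) == "match" {
            in_match = 1; applies = 0
            if (tolower($2) == "user") {
                n = split($3, names, ",")
                for (i = 1; i <= n; i++) if (names[i] == user) applies = 1
            }
            next
        }
        tolower($1) != key || !applies { next }
        {
            val = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", val)   # drop the keyword
            sub(/[ \t]+$/, "", val)
            if (in_match && m == "") m = val
            if (!in_match && g == "") g = val
        }
        END { print tolower(m != "" ? m : (g != "" ? g : def)) }
    ' "$1"
}

# audit_relay FILE USER: print one line per setting that lets USER do more
# than carry loopback forwards. Table columns: keyword, sshd default, wanted
# value ("!x" means anything but x), reason.
audit_relay() {
    while read -r key def want why; do
        val=$(effective_setting "$1" "$2" "$key" "$def")
        if [ "${want#!}" != "$want" ]; then
            if [ "$val" != "${want#!}" ]; then continue; fi
        elif [ "$val" = "$want" ]; then
            continue
        fi
        echo "$key=$val: $why"
    done <<'EOF'
PermitTTY yes no a terminal can be allocated
AllowAgentForwarding yes no agent forwarding is not needed for -R or -J
X11Forwarding no no X11 forwarding is not needed for -R or -J
GatewayPorts no no reverse forwards may listen on non-loopback addresses
PermitOpen any !any the -J hop may connect to any host the server can reach
EOF
}

# sample_config KIND: constructed sshd_config text; 8482 and 10023 are the
# SSH port and forwarded port used in the thread.
sample_config() {
    echo "Port 8482"
    [ "$1" = confined ] || return 0
    printf '%s\n' "Match User public" "    PermitTTY no" \
        "    AllowAgentForwarding no" "    X11Forwarding no" \
        "    GatewayPorts no" "    PermitOpen localhost:10023"
}

tmp=$(mktemp)
for kind in default confined; do
    sample_config "$kind" > "$tmp"
    echo "== $kind config: $(audit_relay "$tmp" public | wc -l) finding(s)"
    audit_relay "$tmp" public
done
rm -f "$tmp"
```

On a real server, `sshd -T` with a `-C user=public` connection spec prints the values sshd itself resolves for the account and is the authoritative check.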

Re: Remote Debian installation assistance for newbies using WireGuard VPN

2018-04-26 Thread ST
On Wed, 2018-04-25 at 18:17 +0200, Philip Hands wrote:
> ST  writes:
> 
> > On Wed, 2018-04-25 at 14:50 +0200, Philip Hands wrote:
> >> ST  writes:
> >> 
> >> > Hello Debian Install System Team,
> >> >
> >> > there used to be Linux install parties - a very cool event in itself and
> >> > a way to bring new users into community. However it is not so easy to
> >> > organize and it is somewhat limiting in time and space.
> >> >
> >> > Several weeks ago I learned about the kernel-space VPN - WireGuard [1]
> >> > and was so positively shocked by the ease of its configuration/use [2]
> >> > so that I don't stop to think how it can be effectively utilized.
> >> >
> >> > Today I was thinking whether it would be possible to use this technology
> >> > to enable an experienced Linux user to help a fellow newbie to install
> >> > Debian on his Windows box?...
> >> >
> >> > The idea is to add a "Remote assistance mode" into win32-loader. Once
> >> > toggled - it will preseed and run Debian Installer (after reboot)
> >> > without any interaction until it:
> >> > 1. creates a WG interface,
> >> > 2. obtains an IP from a (not yet extant) Debian WireGuard VPN server [3]
> >> > (the assisting Linux profi also should be part of this VPN so he can SSH
> >> > to the newbie through NAT).
> >> > 3. runs SSH server listening on that IP.
> >> > 4. generates a short random password for the root user and displays it
> >> > together with its IP from step #2 on the monitor of the newbie. This
> >> > information (IP and root's password) are communicated by newbie to his
> >> > Linux profi friend by phone/sms/etc..
> >> >
> >> > From this point on the Linux profi can SSH to the box and continue the
> >> > installation process in text mode.
> >> >
> >> > Is something like this possible?
> >> 
> >> I've not yet used WireGuard, but from what I can see one needs a unique
> >> key per client to be known to the server (perhaps there's a way of
> >> telling it not to care).  Also, the examples around the place also seem
> >> to suggest that one needs a UDP port per connection.
> >> 
> >> Also, the wireguard.com front page does currently say:
> >> 
> >>   WireGuard is not yet complete. _You should not rely on this code._
> >> 
> >> Anyway, I don't see that one actually needs WireGuard to implement it.
> >> 
> >> A similar result could be achieved by configuring the new system to ssh
> >> to a server somewhere, and either have that connection used for the
> >> remote control, or have ssh also do port-forwarding back to the new
> >> installation.
> >
> > Indeed?!... I'm positively shocked once again... Never knew it could be
> > possible. Let's say we have a newbie (with a private IP - N which is
> > behind NAT) and the same for a profie with IP P. And a publicly visible
> > server with the IP S. Let's say both can SSH to S:22 and know each
> > others' passwords/keys.
> >
> > Could you, please, describe in detail how one can implement both
> > approaches, namely:
> >
> > 1. "to ssh to a server somewhere, and either have that connection used",
> > i.e. `ssh newbie@S:22`... so what now? How profi can get through to N?
> 
> Many years ago I used to plumb things like this together with expect,
> but there's bound to be a better way to do it these days -- tmate.io
> (mentioned elsewhere in the thread) seems like it might be part of such
> a solution.  It doesn't strike me as the optimal approach though.
> 
> > 2. "or have ssh also do port-forwarding back to the new installation"
> > could you, please show the sequence of commands to achieve this?
> 
> One would use something like this on the target system:
> 
>   ssh -R 0:localhost:22 newbie@S
> 
> which leaves you with the challenge of telling the "profi" the port
> that's been allocated, which is probably scriptable on the server
> somehow,

It sounds like a great approach. The port should be allocated randomly
from available ports instead of the VPN IP from step #2 above. This
random port together with the random root password will be displayed on
newbie's monitor. Both credentials he will pass by phone to the profi.

>  at which point they can do what boils down to:
> 
>   ssh -J profie@S:22 -p $DYN_PORT root@localhost
> 
> which should jump via the server, up the reverse port forward, and then
> onto the target.
> 
> Making that so that nobody gets to do anything nasty on the server

This should be no problem: there will be two accounts (with known
private/public keys) - newbie and profi. On the newbie account you'll
block absolutely every possible command (with *) via `visudo`. For the
profi you'll block via `visudo` almost everything except for `ssh`
command with very strict possible arguments which enable only utilizing
the reverse tunnel established by newbies.

>  or to
> connect to the wrong newbie

There is nothing to implement here - if a profi tries to connect to some
other newbie - he will fail, since he doesn't know his local root
password.

I 

Re: Remote Debian installation assistance for newbies using WireGuard VPN

2018-04-25 Thread Philip Hands
ST  writes:

> On Wed, 2018-04-25 at 14:50 +0200, Philip Hands wrote:
>> ST  writes:
>> 
>> > Hello Debian Install System Team,
>> >
>> > there used to be Linux install parties - a very cool event in itself and
>> > a way to bring new users into community. However it is not so easy to
>> > organize and it is somewhat limiting in time and space.
>> >
>> > Several weeks ago I learned about the kernel-space VPN - WireGuard [1]
>> > and was so positively shocked by the ease of its configuration/use [2]
>> > so that I don't stop to think how it can be effectively utilized.
>> >
>> > Today I was thinking whether it would be possible to use this technology
>> > to enable an experienced Linux user to help a fellow newbie to install
>> > Debian on his Windows box?...
>> >
>> > The idea is to add a "Remote assistance mode" into win32-loader. Once
>> > toggled - it will preseed and run Debian Installer (after reboot)
>> > without any interaction until it:
>> > 1. creates a WG interface,
>> > 2. obtains an IP from a (not yet extant) Debian WireGuard VPN server [3]
>> > (the assisting Linux profi also should be part of this VPN so he can SSH
>> > to the newbie through NAT).
>> > 3. runs SSH server listening on that IP.
>> > 4. generates a short random password for the root user and displays it
>> > together with its IP from step #2 on the monitor of the newbie. This
>> > information (IP and root's password) are communicated by newbie to his
>> > Linux profi friend by phone/sms/etc..
>> >
>> > From this point on the Linux profi can SSH to the box and continue the
>> > installation process in text mode.
>> >
>> > Is something like this possible?
>> 
>> I've not yet used WireGuard, but from what I can see one needs a unique
>> key per client to be known to the server (perhaps there's a way of
>> telling it not to care).  Also, the examples around the place also seem
>> to suggest that one needs a UDP port per connection.
>> 
>> Also, the wireguard.com front page does currently say:
>> 
>>   WireGuard is not yet complete. _You should not rely on this code._
>> 
>> Anyway, I don't see that one actually needs WireGuard to implement it.
>> 
>> A similar result could be achieved by configuring the new system to ssh
>> to a server somewhere, and either have that connection used for the
>> remote control, or have ssh also do port-forwarding back to the new
>> installation.
>
> Indeed?!... I'm positively shocked once again... Never knew it could be
> possible. Let's say we have a newbie (with a private IP - N which is
> behind NAT) and the same for a profie with IP P. And a publicly visible
> server with the IP S. Let's say both can SSH to S:22 and know each
> others' passwords/keys.
>
> Could you, please, describe in detail how one can implement both
> approaches, namely:
>
> 1. "to ssh to a server somewhere, and either have that connection used",
> i.e. `ssh newbie@S:22`... so what now? How profi can get through to N?

Many years ago I used to plumb things like this together with expect,
but there's bound to be a better way to do it these days -- tmate.io
(mentioned elsewhere in the thread) seems like it might be part of such
a solution.  It doesn't strike me as the optimal approach though.

> 2. "or have ssh also do port-forwarding back to the new installation"
> could you, please show the sequence of commands to achieve this?

One would use something like this on the target system:

  ssh -R 0:localhost:22 newbie@S

which leaves you with the challenge of telling the "profi" the port
that's been allocated, which is probably scriptable on the server
somehow, at which point they can do what boils down to:

  ssh -J profie@S:22 -p $DYN_PORT root@localhost

which should jump via the server, up the reverse port forward, and then
onto the target.

Making that so that nobody gets to do anything nasty on the server or to
connect to the wrong newbie is left as an exercise to the reader ;-)

Cheers, Phil.
-- 
|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/    http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,GERMANY




Re: Remote Debian installation assistance for newbies using WireGuard VPN

2018-04-25 Thread ST
On Wed, 2018-04-25 at 14:50 +0200, Philip Hands wrote:
> ST  writes:
> 
> > Hello Debian Install System Team,
> >
> > there used to be Linux install parties - a very cool event in itself and
> > a way to bring new users into community. However it is not so easy to
> > organize and it is somewhat limiting in time and space.
> >
> > Several weeks ago I learned about the kernel-space VPN - WireGuard [1]
> > and was so positively shocked by the ease of its configuration/use [2]
> > so that I don't stop to think how it can be effectively utilized.
> >
> > Today I was thinking whether it would be possible to use this technology
> > to enable an experienced Linux user to help a fellow newbie to install
> > Debian on his Windows box?...
> >
> > The idea is to add a "Remote assistance mode" into win32-loader. Once
> > toggled - it will preseed and run Debian Installer (after reboot)
> > without any interaction until it:
> > 1. creates a WG interface,
> > 2. obtains an IP from a (not yet extant) Debian WireGuard VPN server [3]
> > (the assisting Linux profi also should be part of this VPN so he can SSH
> > to the newbie through NAT).
> > 3. runs SSH server listening on that IP.
> > 4. generates a short random password for the root user and displays it
> > together with its IP from step #2 on the monitor of the newbie. This
> > information (IP and root's password) are communicated by newbie to his
> > Linux profi friend by phone/sms/etc..
> >
> > From this point on the Linux profi can SSH to the box and continue the
> > installation process in text mode.
> >
> > Is something like this possible?
> 
> I've not yet used WireGuard, but from what I can see one needs a unique
> key per client to be known to the server (perhaps there's a way of
> telling it not to care).  Also, the examples around the place also seem
> to suggest that one needs a UDP port per connection.
> 
> Also, the wireguard.com front page does currently say:
> 
>   WireGuard is not yet complete. _You should not rely on this code._
> 
> Anyway, I don't see that one actually needs WireGuard to implement it.
> 
> A similar result could be achieved by configuring the new system to ssh
> to a server somewhere, and either have that connection used for the
> remote control, or have ssh also do port-forwarding back to the new
> installation.

Indeed?!... I'm positively shocked once again... Never knew it could be
possible. Let's say we have a newbie (with a private IP - N which is
behind NAT) and the same for a profie with IP P. And a publicly visible
server with the IP S. Let's say both can SSH to S:22 and know each
others' passwords/keys.

Could you, please, describe in detail how one can implement both
approaches, namely:

1. "to ssh to a server somewhere, and either have that connection used",
i.e. `ssh newbie@S:22`... so what now? How profi can get through to N?

2. "or have ssh also do port-forwarding back to the new installation"
could you, please show the sequence of commands to achieve this?

> 
> Of course we then have to work out under what circumstances the user
> should trust that person to be connected to their network,

I think a usual case is when they are just friends and trust each other
and have another shared communication channel, like phone/etc.. It's
kind of what TeamViewer is doing. The innovative part here though is to
enable terminal sharing for _bootstrapping_ a _not yet existent_ OS!

Thank you!




Re: Remote Debian installation assistance for newbies using WireGuard VPN

2018-04-25 Thread Jason A. Donenfeld
tmate.io seems well suited for this.



Re: Remote Debian installation assistance for newbies using WireGuard VPN

2018-04-25 Thread Ian Campbell
On Wed, 2018-04-25 at 14:50 +0200, Philip Hands wrote:
> Of course we then have to work out under what circumstances the user
> should trust that person to be connected to their network, the
> implications of which one cannot really expect a newbie to fully
> grasp.

I'm reminded of https://debug-me.branchable.com/

Ian.



Re: Remote Debian installation assistance for newbies using WireGuard VPN

2018-04-25 Thread Philip Hands
ST  writes:

> Hello Debian Install System Team,
>
> there used to be Linux install parties - a very cool event in itself and
> a way to bring new users into community. However it is not so easy to
> organize and it is somewhat limiting in time and space.
>
> Several weeks ago I learned about the kernel-space VPN - WireGuard [1]
> and was so positively shocked by the ease of its configuration/use [2]
> so that I don't stop to think how it can be effectively utilized.
>
> Today I was thinking whether it would be possible to use this technology
> to enable an experienced Linux user to help a fellow newbie to install
> Debian on his Windows box?...
>
> The idea is to add a "Remote assistance mode" into win32-loader. Once
> toggled - it will preseed and run Debian Installer (after reboot)
> without any interaction until it:
> 1. creates a WG interface,
> 2. obtains an IP from a (not yet extant) Debian WireGuard VPN server [3]
> (the assisting Linux profi also should be part of this VPN so he can SSH
> to the newbie through NAT).
> 3. runs SSH server listening on that IP.
> 4. generates a short random password for the root user and displays it
> together with its IP from step #2 on the monitor of the newbie. This
> information (IP and root's password) are communicated by newbie to his
> Linux profi friend by phone/sms/etc..
>
> From this point on the Linux profi can SSH to the box and continue the
> installation process in text mode.
>
> Is something like this possible?

I've not yet used WireGuard, but from what I can see one needs a unique
key per client to be known to the server (perhaps there's a way of
telling it not to care).  Also, the examples around the place also seem
to suggest that one needs a UDP port per connection.

Also, the wireguard.com front page does currently say:

  WireGuard is not yet complete. _You should not rely on this code._

Anyway, I don't see that one actually needs WireGuard to implement it.

A similar result could be achieved by configuring the new system to ssh
to a server somewhere, and either have that connection used for the
remote control, or have ssh also do port-forwarding back to the new
installation.

Of course we then have to work out under what circumstances the user
should trust that person to be connected to their network, the
implications of which one cannot really expect a newbie to fully grasp.

Cheers, Phil.
-- 
|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/    http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,GERMANY




Remote Debian installation assistance for newbies using WireGuard VPN

2018-04-25 Thread ST
Hello Debian Install System Team,

there used to be Linux install parties - a very cool event in itself and
a way to bring new users into community. However it is not so easy to
organize and it is somewhat limiting in time and space.

Several weeks ago I learned about the kernel-space VPN - WireGuard [1]
and was so positively shocked by the ease of its configuration/use [2]
so that I don't stop to think how it can be effectively utilized.

Today I was thinking whether it would be possible to use this technology
to enable an experienced Linux user to help a fellow newbie to install
Debian on his Windows box?...

The idea is to add a "Remote assistance mode" into win32-loader. Once
toggled - it will preseed and run Debian Installer (after reboot)
without any interaction until it:
1. creates a WG interface,
2. obtains an IP from a (not yet extant) Debian WireGuard VPN server [3]
(the assisting Linux profi also should be part of this VPN so he can SSH
to the newbie through NAT).
3. runs SSH server listening on that IP.
4. generates a short random password for the root user and displays it
together with its IP from step #2 on the monitor of the newbie. This
information (IP and root's password) are communicated by newbie to his
Linux profi friend by phone/sms/etc..

From this point on the Linux profi can SSH to the box and continue the
installation process in text mode.

Is something like this possible?

Thank you!

[1]: https://www.wireguard.com/
[2]:
https://linode.com/docs/networking/vpn/set-up-wireguard-vpn-on-ubuntu/
[3]: here is a short demo of how it could be done:
https://git.zx2c4.com/WireGuard/tree/contrib/examples/ncat-client-server