[svlug] linux for Mom remote admin trick

Scott Hess scott at doubleu.com
Thu Oct 9 15:53:11 PDT 2003


If you have an ssh-able system available (perhaps your own system),
another option is to have the email invoke "ssh -f -R2022:localhost:22
myhost.com sleep 3600".  Then you can ssh in from myhost.com over the port
forward by saying "ssh -p2022 localhost".  Then you can muck to your
heart's content (including setting up a more convenient access method).

The -f is to background things.  You could also use -n (actually, -n is
the way to go, in this case).  This will require a certain amount of ssh
fu: you'll need to get passwordless login set up in such a way that it
doesn't require ssh-agent, meaning an empty passphrase.  Perhaps a
throw-away account for that (once you have the port-forward, it doesn't
matter, you could even make the account's shell special to retain
control).

Another option would be to use vtun to set up a tunnel back to your system.
You set up the tunnel to _always_ be present, but with no use it will
time out after a while, and the outside system can't initiate due to the
NAT.  Then you send the email which causes a ping to go _outbound_, and
it's back up!

Later,
scott


On Thu, 9 Oct 2003, Kim wrote:
> Hi Folks;
> 
> There has been some discussion here re setting up Mom (or Grandma) with Linux 
> and how to deal with supporting it. I'd like to share this trick I use with 
> supporting my family's Linux boxen. (And yes, Grandma DOES use Linux).
> 
> Our Linux boxen are behind Linksys NAT routers that are set to block all 
> ports. When I'd have to work on a system I'd have to make a phone call and 
> walk folks through opening up their SSH port so I could login. (enabling 
> remote management of the router is not an option I feel is a good idea)
> 
> Often I'd work on the family's boxen late at night and coordinating access was 
> a problem so I devised a way to control the family's routers remotely via 
> email.
> 
> I've set up everybody with KDE and Kmail as our standard software and Linksys 
> routers as our standard hardware. This makes everything nice and consistent 
> for me (It's good to be the Queen) but I'm sure this procedure could be 
> modified to work with other email clients and routers.
> 
> Note: It's really fun having a large family and upgrading them all to Linux. 
> One way to do this is to tell them, "don't worry, let's all get together on 
> this and I'll take care of all your computer problems for you." (worked for 
> me)
> 
> Anyway... on to the issue at hand.
> 
> Since all the routers are configured to only allow web administration from the 
> LAN side, something special was needed: A scriptable web browser. And lynx 
> fills the bill perfectly.
> 
> The second part of the problem was finding a way to execute lynx on the remote 
> system and get it to run a script that would log into the router's web admin 
> facility and open the port allowing remote access (the SSH port).
> 
> To solve this, Kmail's email-filter functionality fit the problem like a glove.
> 
> A simple synopsis would be: "sending a properly formatted email to the target 
> host would trigger lynx to run a script that automagically interacted with the 
> router's web admin function FROM THE LAN SIDE and open up the box to temporary 
> SSH access from the WAN side. The same special email sent to the target host 
> would then close the SSH port after your work is done."
> 
> The first step is to find out how to config the router via its web interface 
> to forward inbound connection attempts to port 23 on its WAN address to an 
> internal (NAT) LAN address. To make sure this works consistently, you should 
> also make sure you config the router to bind specific IP addresses to 
> specific MAC addresses instead of using the router's built-in DHCP server.
> 
> Now that you know how to use the router's web admin interface to open and close 
> the SSH port, you need to write a lynx script to automate the process. The 
> easiest way to do this is to let lynx write the script for you!
> 
> I'd suggest doing a few run-throughs using lynx to access your router's admin 
> screens first because it will look much different than it does in a graphical 
> web browser.
> 
> Now that you can admin the router using lynx, let's do it again but this time 
> use the command:
> 
> lynx -cmd_log=toggle23 172.16.1.1
> 
> Substitute "toggle23" with whatever file name you want and "172.16.1.1" with 
> your router's LAN side IP admin address.
> 
> Note: some older Linksys routers don't allow you to specify LAN addresses 
> other than 192.168.1.* There is a firmware upgrade available on the 
> Linksys website that fixes this problem.
> 
> After you have used the above command to forward the SSH port on your router 
> to a LAN address, cat the file toggle23 (or whatever filename you used).
> 
> Mine looks like this:
> 
> bash-2.05b$ cat toggle23
> # Command logfile created by Lynx 2.8.4rel.1 (17 Jul 2001)
> # Arg0 = lynx
> # Arg1 = -cmd_log=/home/kim/toggle23
> # Arg2 = http://172.16.1.1
> key /
> key A
> key d
> key ^J
> key ^J
> key Down Arrow
> key ^J
> key /
> key 1
> key 0
> key 2
> key ^J
> key Down Arrow
> key ^J
> key /
> key A
> key p
> key ^J
> key ^J
> key q
> key ^J
> bash-2.05b$
> 
> If you simply use the down arrow key to get to the fields you want, your 
> script will be much longer than this. Note the "/" chars and following ascii 
> chars... The "/" is the lynx search function and can be used to jump the 
> cursor to the place on the page that you want. Experiment with this and your 
> lynx script will be MUCH shorter.
> 
> You may also have to enter password data (deleted in my example) but if you 
> use these instructions, you'll know what to do when you make your lynx script 
> ;)   (man pages are your friend)
> 
> Test your lynx script by invoking lynx as:
> 
> lynx -cmd_script=toggle23 172.16.1.1
> 
> Make the appropriate filename and address substitutions.
> 
> Once you are happy with your lynx script, now is the time to write a Kmail 
> filter to run lynx and drive it with your script.
> 
> While my own Kmail filter for this uses a bit of obfuscation requiring a 
> regex, I'll show a simplified filter here that you can expand on.
> 
> Create a new Kmail filter called toggle23.
> 
> Under "Filter Criteria" Have it parse the <body> for the text "toggle23"
> 
> Under "Filter Actions" select "execute command" and enter:
> 
> xterm -e /usr/bin/lynx -cmd_script=/home/kim/toggle23 172.16.1.1
> (again, make the appropriate substitutions)
> 
> Add a second filter action to also move the email to the trash bin.
> 
> Note: The KDE/Kmail docs say that the "execute command" filter action only 
> works if the email has at least one attachment. By experimentation, I've 
> found this not to be true at least with my version of Kmail. It also says 
> that the entire message is piped to the command's stdin. This doesn't seem to 
> be true either.
> 
> All of my family has agreed to leave their computers on and Kmail open over 
> the weekend so I can do any required work or updates on their boxen. As you 
> may have noticed, sending an identical email to the target host closes the 
> remote router's SSH port.
> 
> Notes:
> 
> Kmail version used: 1.5.2
> KDE version used: 3.1.2
> lynx version used: 2.8.4rel.1
> Router: Linksys EtherFast BEFSR41 with latest firmware upgrade.
> Remote systems administered: AMD / RedHat of assorted versions and one Lindows 
> box.
> Local system: AMD / Gentoo 1.4 - gcc-3.2.3-r2
> 
> Right now I only use the above method to gain temporary access to the remote 
> boxen I admin but I can think of lots of other neat ways to apply these 
> techniques. Be creative.
> 
> 
> Peace;
> 
> Kim
> 
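
The reply at the top of this message suggests a throw-away account with an empty-passphrase key for the reverse tunnel. The following is an added example, not part of either poster's message, showing how that key can be pinned down in authorized_keys on myhost.com so it can only hold open the port 2022 listener. It assumes OpenSSH 7.8 or later on myhost.com (for permitlisten); the function names and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example. SAMPLE_KEY is a constructed placeholder, not a real key.
SAMPLE_KEY='ssh-ed25519 AAAAC3ExampleOnly tunnel@moms-box'

# Build the authorized_keys line for the throw-away account on myhost.com.
#   restrict         disables pty, agent/X11 forwarding and all port forwarding
#   port-forwarding  re-enables forwarding only
#   permitlisten     the only -R listener this key may open is localhost:2022
#   command          whatever the client asks to run, "sleep 3600" runs instead
entry_for_key() {
    printf 'restrict,port-forwarding,permitlisten="localhost:2022",command="sleep 3600" %s\n' "$1"
}

# Audit one authorized_keys line: print each missing restriction and
# return non-zero if any is missing.
# Simplification: the options field is taken as everything before the key
# type, so a forced command containing " ssh-..." would confuse it.
audit_entry() {
    opts=$(printf '%s\n' "$1" |
        sed -E 's/(^|[[:space:]])(ssh-|ecdsa-|sk-)[^[:space:]]+[[:space:]].*$//')
    problems=0
    case ",$opts," in
        *,restrict,*) ;;
        *) echo "no restrict option"; problems=1 ;;
    esac
    case "$opts" in
        *'command="'*) ;;
        *) echo "no forced command"; problems=1 ;;
    esac
    case "$opts" in
        *'permitlisten="localhost:2022"'*) ;;
        *) echo "no permitlisten pinned to localhost:2022"; problems=1 ;;
    esac
    return "$problems"
}

# Print the line to append to ~/.ssh/authorized_keys of the throw-away account.
entry_for_key "$SAMPLE_KEY"
```

With this entry in place, the empty-passphrase key cannot get a shell on myhost.com; it can only hold the port 2022 listener open for the hour.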