Call-home SSH scripts

Sometimes I need to set up quickly some presence in a customer network: to be able to access it remotely, or to run some network management scripts, and so on. Most of such networks are behind NAT or at least a firewall, and incoming connections from outside aren’t always easy.

But outgoing connections from a customer LAN are mostly not a problem at all. So, I bring my own small netbook and place it in the customer LAN. This netbook automatically makes an outgoing SSH connection to my central server (a VPS) and pulls an SSH tunnel so that I can access the netbook from outside.

This is a kind of a backdoor, and it makes sense to make your customer completely aware of what you’re doing.

For such purposes, I have a couple of cheapest 10″ netbooks. I’m using Acer AspireOne and some older eMachines netbooks because they were sold cheaply. Most other netbooks would fit too, but one should be careful about Linux compatibility (especially the video drivers might be a problem). They come with 1GB RAM and 160 or 250 GB hard drives. It’s quite trivial to upgrade them to 2GB RAM, although it’s not really necessary. You must only be careful about buying a new SODIMM with exactly the same clocking as the original one.

The netbooks run standard Ubuntu Linux, with SSH daemon enabled. If the user home directory is encrypted, you won’t be able to login with your public SSH keys, so better not encrypt it.

1. On my central VPS, in /etc/ssh/sshd_config I enabled the keepalives. This turns down a connection which is stalled because of network problems. As we’re setting up SSH tunnels with port mapping, the new tunnel will not be set up until the TCP socket is free. With keepalives, SSH daemon will automatically break the connection and free up the socket. Also I enable remote clients to open a listening socket on my central VPS:

ClientAliveInterval 5
ClientAliveCountMax 3
GatewayPorts yes

2. Create a user on the central VPS. “micro02” is the host name for my micro-agent netbook. The user has /bin/false as a shell, because we don’t want it to do anything on the VPS:

$ grep micro02 /etc/passwd
micro02:x:1002:1003::/home/micro02:/bin/false

3. On micro02, generate the SSH keys for root, and add the public key to the autorized keys for the user “micro02” on the VPS.

4. Create a DNS entry for callhome purpose. If your central server moves, you won’t have to reconfigure all your agents.

5. Here’s the script /root/ssh_tunnel.sh on the netbook. The infinite loop sets up an SSH connection with port forwarding. There’s a sleep command on purpose: if there’s no routing to the destination, SSH would exit immediately, and we don’t want the loop to hog all our CPU power. Server key checking is disabled, as the server may eventually change, and we don’t want to lose control of our agent.

#!/bin/sh
while true; do
  ssh -NC -o ServerAliveInterval=5 \
    -o UserKnownHostsFile=/dev/null \
    -o StrictHostKeyChecking=no \
    -R '*:2022:127.0.0.1:22' micro02@callhome.mydomain.net
  sleep 5
done

6. Here’s the startup script /etc/init.d/callhome_ssh_tunnel which brings up the tunnel at the computer boot:

#! /bin/sh
#
### BEGIN INIT INFO
# Provides:          k-open_ssh_tunnel
# Required-Start:    $local_fs $remote_fs $network $syslog
# Required-Stop:     $local_fs $remote_fs $network $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      
# Short-Description: SSH tunnel to support.mydomain.com
### END INIT INFO

PATH=/sbin:/bin:/usr/sbin:/usr/bin
DAEMON="/bin/sh /root/ssh_tunnel.sh"
DESC="SSH tunnel to callhome.mydomain.net"
VERBOSE=yes

# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh

# Define LSB log_* functions.
. /lib/lsb/init-functions

OPTIONS=""
#
# Function that starts the daemon/service
#
do_start()
{
        start-stop-daemon --start --background \
                --name ssh_tunnel.sh --exec $DAEMON \
                || return 1
}

case "$1" in
  start)
        [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
        do_start
        case "$?" in
                0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
                2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
        esac
        ;;
  stop)
        echo not supported
        ;;
esac

exit 0

7. Test the connection script: SSH to port 2022 on your VPS should bring you to the netbook command prompt. Then enable the startup script:

update-rc.d callhome_ssh_tunnel enable

8. In Power Settings, set “do nothing” when the lid is closed.

9. Reboot the netbook and test

10. Disconnect a running netbook from the network, then connect again, and test.

11. Make a backup copy of your scripts. The best is to use Git with a private repository.

Advertisements

, , , , ,

  1. Dial Home Device | Sean Combinator

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: