
n0rthst4r 05-15-2019 01:15 PM

Prepare server to act as a headless remote support distro

I am in need of preparing something as the title says. I will explain it in a bit more detail.

I work for a company that provides clients with self-service point-of-sale equipment. These units run Linux on an IMX 8 processor and they have a GPRS connection. I am able to connect to them via the GPRS connection but sometimes the signal is very weak or the functionalities are very limited. They also feature an Ethernet connection.

I have been planning to prepare something that I could place inside a flash drive and send to the staff of the shops. In case they need some support I could ask them to boot any laptop from that flash drive and gain almost full control over the point-of-sale via a stable and reliable connection. I would reach their laptop through their Wi-Fi connection and would interact with our equipment via Ethernet.
That would mean that the person in need of support would just need to plug the Ethernet cable coming out of the point-of-sale into the laptop and boot the flash drive, bothering him or her as little as possible.

The idea is something like this, after booting on almost any laptop (most distros can) it should:
  • Start two sessions.
  • One of them should display only a way for the user to bring up the wireless interface, that is, to log into their Wi-Fi.
  • The other one (for me) must be hidden from the end user (to avoid them trying to touch anything).

I would prepare the second session to do:
  • Get the laptop's public address (so I can connect to it)
  • Start something like TeamViewer (my company owns some licenses)
  • Configure Ethernet with the needed IP address to connect to the point-of-sale
  • Allow me to use SSH, FTP or VNC as if I were in front of the equipment.

The problems I find given my knowledge of Linux are the following:
  • Logging automatically into two sessions
  • Showing only a "friendly" way of bringing up Wi-Fi (hiding file explorer, browser etc...)
  • Hiding the session for me

In order to achieve this I have thought that there must be some kind of distro already prepared for this that I could just customize, since it seems a scenario that might be helpful for many people giving remote support, but I couldn't find any.

I have thought about Ubuntu server since it boots fast and provides a command line prompt, scaring most of the people, but I am not sure if I could find a friendly way of bringing up Wi-Fi. I could get by with just text in my session. Sometimes I would require VNC between the laptop and the point-of-sale (which runs a VNC server) and I wonder if there could be some way of VNCing it from my workstation through this setup.

I have also thought about a regular Ubuntu or any other distro (Puppy for example) with some kind of script that would show "only" a friendly way of logging into the wireless network and, once connected, locking the session for the user but allowing me to see and control the desktop from my workstation so I could service the unit as if I were in front of it.

Any kind of help or approach will be more than appreciated.


Turbocapitalist 05-15-2019 01:50 PM

You could modify just about any live distro for that, if I understand your goal correctly. There's no way around having them manually pick the right wireless network and enter the relevant wi-fi password, however.

Once they've logged into wi-fi, the live image could be set (perhaps via if-up) to initiate and maintain a reverse SSH tunnel back to your publicly accessible server. Then you could follow that back.


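# Retry every 2 seconds until the tunnel session ends cleanly.
# server.example stands for the publicly accessible SSH server.
while ! ssh -i ~/.ssh/some_key_ed25519 -R 2222:localhost:22 \
            -o ExitOnForwardFailure=yes \
            -NT -l account01 server.example; do
        sleep 2;
done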

The ports which are assigned to the tunnel cannot be assigned dynamically. So if you expect to ever have more than one connection concurrently, you'll have to plan accordingly.


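# Try each planned port in turn; ExitOnForwardFailure makes ssh exit
# when the port is already taken, so the loop moves on to the next one.
while true; do
        for port in $(seq 2222 2233); do
                ssh -i ~/.ssh/some_key_ed25519 -R $port:localhost:22 \
                    -o ExitOnForwardFailure=yes \
                    -NT -l account01 server.example
                sleep 2;
        done
done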

The options -i, -R, -o, -T, and -l can actually be stored in the client configuration file: ~/.ssh/config. The other, -N, has to be specified at run time.

The live image would have to have OpenSSH server running and listening at the address for localhost on the loopback interface. There would be no need for it to listen on any external interfaces at all, though.

On your end, at the server, the key could be locked down in authorized_keys with 'command="/bin/false" ...' so that it cannot be used for other than a tunnel.
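The tunnel settings from the post above, written out as an added example that is not part of the original post: one function emits the server-side authorized_keys entry, the other the matching client stanza for ~/.ssh/config. It goes beyond the post by adding the OpenSSH `restrict` and `permitlisten` key options (assumes OpenSSH 7.8 or later on the server) and `ServerAliveInterval`; the `support-tunnel` host alias and both function names are hypothetical.

```shell
#!/bin/sh
# Added example: forwarding-only key entry plus client config for one device.
# Port range 2222-2233, account01, server.example and the key path follow the
# thread; function names and the "support-tunnel" alias are hypothetical.

# Usage: tunnel_key_entry PORT "ssh-ed25519 BASE64 [COMMENT]"
tunnel_key_entry() {
    port=$1 pubkey=$2
    # Accept only a numeric port from the planned block, one per device.
    case $port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 2222 ] || [ "$port" -gt 2233 ]; then
        echo "port $port outside planned range 2222-2233" >&2; return 1
    fi
    # Refuse anything but a single-line ed25519 public key, so a pasted key
    # cannot smuggle its own options or extra lines into authorized_keys.
    case $pubkey in
        *'
'*) echo "key must be one line" >&2; return 1 ;;
        'ssh-ed25519 '*) ;;
        *) echo "expected an ssh-ed25519 public key" >&2; return 1 ;;
    esac
    # restrict: disables pty, agent, X11 and all forwarding by default.
    # port-forwarding + permitlisten: re-enable forwarding, with remote (-R)
    #   listeners limited to this one port.
    # command="/bin/false": as in the post, no shell even if one is requested.
    printf 'restrict,port-forwarding,permitlisten="localhost:%s",command="/bin/false" %s\n' \
        "$port" "$pubkey"
}

# Usage: tunnel_client_config PORT   (prints a ~/.ssh/config stanza)
tunnel_client_config() {
    port=$1
    cat <<EOF
Host support-tunnel
    HostName server.example
    User account01
    IdentityFile ~/.ssh/some_key_ed25519
    RemoteForward $port localhost:22
    ExitOnForwardFailure yes
    RequestTTY no
    # Added here: lets ssh notice a dead link and exit so the retry loop restarts it
    ServerAliveInterval 30
EOF
}
```

With the stanza installed on the live image, the retry loop reduces to `ssh -N support-tunnel`, since -N still has to be given on the command line.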

n0rthst4r 05-15-2019 03:32 PM

Thanks for your message.

I am sorry but I can't figure out what effect your code will have or how or when I could use it. I am too noob.

The main goal is to gain access to their laptop using their Wi-Fi (obviously with their permission since they are typing the password, they type the password and some script gets the public IP address -sorry I forgot to say that in my previous post- and emails it to me or place it on a ftp server that I can access or whatever -I can do that-) and then locking the session so they just see the login screen but in the background I can use Teamviewer to the public IP address (or any other software that doesn't require port mapping on the router) to connect to the point-of-sale through the laptop Ethernet connection.
Or maybe using two ttys sessions, the main one where they will choose their Wi-Fi from a list of nearby hotspots and nothing else (I mean, not returning to the prompt, or logging out the session), and the second one where I do some magic.

I have several doubts about your code.
I only plan to have one connection at a time so I think I have to focus on your first "while", don't I?
Looking at it I notice you are SSHing to localhost with keys stored in a file, so I should set up an SSH server on the live distro and it will connect to itself? So the laptop becomes a publicly accessible SSH server?? And then what is the account01 and the server.example? The only publicly accessible SSH server is running on the point-of-sale and can only be accessed through the GPRS connection (unless Ethernet is connected). It seems you are setting up an SSH tunnel once the laptop gets Wi-Fi. Is it a tunnel where I can SSH the laptop through the public IP address (got from the Wi-Fi) and it will be forwarded to the point-of-sale through the Ethernet connection?

I also forgot to say that the Ethernet in the point-of-sales is not used during normal operation, it is there just for us to connect, it ends in a RJ-45 the staff can plug into their laptop.

Thanks again. :)

michaelk 05-15-2019 04:23 PM

Welcome to LinuxQuestions.

I think you're asking a lot from your customers.
1. If they have a laptop available and are willing to insert a flash drive with some operating system unknown, at least to them.
2. Of the multitude of different BIOS/UEFI options and how they work, be able to talk them through how to boot the flash drive.
3. Have a wireless network available and of the multitude of different wireless adapters always have one that is linux supported and automatically recognized.
4. Of the multitude of ethernet adapters always have one that is linux supported and does not require firmware to be downloaded.

I think the problem is a bit more complicated and unfortunately I don't have a solution. For those customers that do have a wireless network you could build them a special SBC computer and figure out some simple method to configure the ssid/password. Once the SBC is booted you could automatically setup a reverse SSH tunnel to "dialin" as posted above. Having prepaid shipping would almost guarantee the SBC will be returned...

Turbocapitalist 05-15-2019 11:19 PM

If they are behind some wi-fi network, there will be complications like NAT which will prevent direct access. Yes, there will eventually be an external IP address somewhere, but no, it won't connect you to their machine. Setting up SSH as an Onion service would be slow and more complicated to use. Therefore I recommend only a reverse SSH tunnel as your easiest option.

You could, if you really wanted to, build a script (shell, ncurses, or graphical) for your Live image to allow them to select the wi-fi network and enter a password, but the graphical option is already there in Ubuntu and might be more comfortable for them to use. Certainly it will save you time by not reinventing any wheels.

michaelk's point #2 is actually a fairly big hurdle. The BIOS/EFI/UEFI interface is different for pretty much each model of each brand, if it is even set to allow booting from USB. Sometimes the message about which button to press is so fleeting that you must use peripheral vision to read it and even then take a few tries to get the timing right when actually pressing it. I would not expect them to be required to change anything in the BIOS/EFI/UEFI because one mistake will render their machine unbootable until the wrong setting which got changed, which they will not have written down, is set back to what it should be.

The suggestion of a single-board computer (SBC) has a lot of merit. I'm still not sure of the best way to connect to the wi-fi with that, however. It would still be necessary for them to first select the right network and then enter the correct password. Maybe a Raspberry Pi Zero W with a small touch screen might work, then they do not have to plug anything in (and break it) except the USB power cable. You'd still need either a reverse tunnel for SSH or SSH as an Onion service for that. And there is the cost of the hardware, shipping, and the detailed scripts you will need to write.

If you go with a reverse tunnel to a dummy account on your server you will need an SSH server at a publicly accessible address for them to connect to. It is from, or via, that machine you will follow the reverse tunnel into their machine. There are hundreds of guides, tutorials, and howtos online about reverse tunnels -- with keys. Many are even correct, but you can ask here, too.

michaelk 05-16-2019 05:29 AM

Many IoT devices set up the wireless as an access point at first boot. Nowadays everything connects as a smartphone app but a simple web page would simplify things. Display a list of available wireless networks and a form to enter the password. Save the settings, reconfigure wireless and start the tunnel.

n0rthst4r 05-16-2019 02:57 PM

Thank you all.

From all your messages I am figuring out the setup. I will try to prepare a SBC or a cheap laptop with a distro that I can customize to my desire (UEFI is going to be hard for them, it is even for me haha).
The distro would have a Desktop Environment and the only thing it will display would be a simple web page asking for Wi-Fi credentials. Then it would run Teamviewer (previously configured for remote support) (able to break through NAT) (and we have to use the paid licenses we have) and email me the Teamviewer ID. Then as a user of a Teamviewer license I can check the "black screen" box so it will hide what we do.
The cost of some SBC is something we can afford I guess but I will have to ask.

How does it sound?

Thanks again for all your suggestions.

Thinking about the SSH tunnel idea, very good indeed if I finally go that way, I am wondering if there is a way of "tunneling" a VNC session. The point-of-sale runs a VNC server, so I am wondering if I could just set up a kind of tunnel and start VNC to the public IP address and it gets forwarded directly to the VNC server in the point-of-sale. I am afraid this is going to require NAT, isn't it?

michaelk 05-16-2019 03:42 PM

Yes, a reverse tunnel will require NAT, i.e. port forwarding through your company's router. If that is not possible then Teamviewer might be the best solution.

The basic command would be

ssh -R 5901:POS_IP_Address:5901 me@my_public_address

Change port numbers as required. You would then log in to your PC (i.e. ssh localhost) and then start your VNC client using localhost as the address, and the port if non-standard. In addition, like Turbocapitalist posted, you need to set up keys in advance and probably a special user.

A Raspberry Pi3 is fairly inexpensive and its built-in wifi can be configured as an access point. As stated previously you could set up a web page to select from a list of available wireless APs, enter a password and then reconfigure the wireless adapter to connect to the selected wireless. You might want to add a software reset switch via its GPIO so the customer can reset the wifi back to itself in case it fails. Once the network connects you can start the tunnel or whatever. I think Teamviewer also works on the Pi running Raspbian. Don't know if or how well it works.

n0rthst4r 05-19-2019 05:48 AM

OMG I completely forgot RPI3 does feature built-in WiFi!!!
Then it is the piece of HW that I need.

Thanks for all this information. I will get hands-on ASAP.
