Two Step Remote Assistance Tool

xrayspx's picture

My mom has a Mac, and occasionally something will fuck up in a way that is best fixed by me having some control over her machine.  I had one of those cases last week and it was embarrassing that there was no good way for me to get remote access.  Google Meet doesn't cut it, but there's a whole other Chrome Remote Desktop app, but that was a lot of hoops to install and gave up any hope of walking my mother through the install process.

Basically MacOS won't take Yes for an answer.  Multiple interactions with Security settings, having to authenticate to make changes to permissions that aren't really explained because they assume you know how to use your computer.  I can't make those assumptions about my users, and in fact, it's not just a "Dumb User" issue.  Do this on a brand new OSX User profile.  Open a terminal in your user's home directory, type "find ./ | grep -i bob" and watch how many pop-up notifications you get requesting access for Terminal to view your Photos, now Terminal wants to view your Contacts.  Like 5 authorization dialogs to basically just get a file listing of my home directory.

It's maddening.  As an IT professional, yeah I get it "security, privacy, users can't be trusted, blah blah" but the OS is totally in my way and wasting my time and I don't like that.  And there's no way I could inflict all these dialogs on my mom.

So I had to simplify this all in a big way so my mom could click a thing and I magically can access her machine.  Here's what I came up with.

Solution: I'm gonna double-ssh tunnel to build an ad-hoc VPN between my mom's laptop and my internal network.

To make this work I just need an Internet connected host running sshd.  We're going to build a reverse tunnel from the remote laptop to my Internet connected server, two actually, one for ssh and one for VNC.  Getting her to properly configure System Preferences -> Sharing -> Remote Login & ..Sharing -> Screen Sharing was a trip.  But we did it.

Since I had to bootstrap this solution and build it in place I actually just emailed one command, and then made a video for "how to run Terminal" and sent that along as instructions.

The command for her to set up the bootstrap connection:

ssh -f -N -T -R 2210:localhost:22 tmp@xray'

That builds a tunnel for her laptop's port 22 and appears on my server as local port 2210 and I was able to ssh into her laptop as my Admin user to finish the deployment.  I built her laptop so I have an admin account on it.  Anyway, once on her machine, I created the following .app in her /Applications folder:

/Applications/Allow\ Remote\ Access.App/Contents/MacOS/Allow\ Remote\ Access

ssh -f -N -T -R 2210:localhost:22 mom@xray' &
ssh -f -N -T -R 5910:localhost:5900 mom@xray' &

Important safety tips:  You need the shebang line in that script and you must set it executable.  The script also must be named the same as the main .app container but without any extension.

This method does not expose the new listening ports externally on my ssh server, so to access them I would need to ssh to the server and then "ssh xrayspx@localhost -p 2210" to connect across to the remote laptop.  That's not ideal, especially for VNC, so I need to proxy my proxied port.  So on my personal system, I can run:


ssh -N -L 5904: xrayspx@xray's-ssh-host &

remmina vnc://localhost:5904

That's telling ssh to expose my ssh-server's local port 5910 and mapping it to port 5904 on my local workstation.  Then I launch remmina or whatever other VNC client to connect to localhost on port 5904 and I get my remote screen control, either as her user or as my admin user.  

Next Steps:  Really the main thing wrong with this solution is that there's no indicator that it's active.  So when the user launches the script to allow remote connections, there's no feedback.  It just works or it doesn't, and there's no way for her to stop it listening aside from rebooting the machine after the session is complete.  So I need to make some GUI element, either a terminal window that pops up, something which can do job control and close down all the ssh tunnels when the session is over.

This is all very similar to an automated RDP proxy tool I've already built and so the client-side job control and port tracking part is a solved problem.  I just need to wrap the server-side commands in something that will let the remote user terminate the session and be sure they're no longer exposed via SSH tunnel.  In practice though it's not the end of the world.  For an attacker to exploit this they would have to have control of my ssh server, at which point I've already lost the game.