“Easy” & quite safe remote-admin for parent’s linux machine

Yes, I know about KDE desktop sharing, FreeNX and relatives… and again yes, this is nothing new, but someone might still find it useful.

I wanted and needed something simple, something that could be activated in the bootloader menu (grub 2), something that didn’t leave the machine wide-open when absolutely not needed, something that would be robust and wasn’t necessarily depending on a working GUI.


The boot-parameters that were used for the currently running kernel can be found in the file ‘/proc/cmdline’, easy to read and evaluate.


The idea is to create a custom boot-menu entry for the Linux machine and adding a keyword of choice as a boot-parameter.

On openSUSE one can add custom grub2 stuff to /etc/grub.d/, e.g. in a file named ’50_rescue_ssh’. The idea is to use an existing menu-entry from the grub2 config file (see /boot/grub2/grub.cfg) as a template.

On 13.2, you’ll find an entry similar to the following in ‘/boot/grub2/grub.cfg’:

Copy this section to ‘/etc/grub.d/50_rescue_ssh’, and make it look something like the following. Note, the new name, added kernel parameter, modified initrd/vmlinuz lines, removed ‘resume’. The version-less links to initrd/vmlinuz should always be present and link to the current kernel used. Make sure the file permissions and ownership are the same as all the other files in that folder.

Once that is done, run ‘grub2-mkconfig > /boot/grub2/grub.cfg’ to update grub2. If you reboot now, there should be an additional boot option named ‘Rescue SSH’ in grub2’s boot menu, which should start up normally (but without resume).

With this modified menu entry running, the parameter ‘start_rescue_ssh’ will show up in ‘/proc/cmdline’, ready for further evaluation.


This guide assumes that the SSH-server is normally NOT used on the machine and turned OFF.

To make use of the SSH-server, we need to activate port-forwarding in the router that connects to the ISP. Please refer to the manual of said device. Usually it is quite easy to do.

Furthermore, we need to make sure that either the firewall on the Linux machine is OFF (your choice), or that incoming SSH traffic on port 22 is allowed.

On openSUSE this can be done by modifying ‘/etc/sysconfig/SuSEfirewall2’. Should you want to run the SSH-server on a different port, or start a 2nd SSH-server, add that port here as well.

To make all of this work, the remote user ‘son’ wanting to log in to the local account ‘dad’ must append his public key ‘son@remote-machine:/home/son/.ssh/id_rsa.pub’ to ‘dad@local-machine:/home/dad/.ssh/authorized_keys’.

Either do this manually (copy text-content over), or use ‘ssh-copy-id’ (see man-page).

This should now allow for password-less login to dad’s account from the son’s account on his remote machine.

Now, the SSH server ‘/etc/ssh/sshd_config’ will be configured as follows:

This will only allow logins using public key authentication for normal users.

As the SSH-server will usually be OFF, this shouldn’t be a security issue to worry about.

4) EMAIL CONFIGURATION – works with YAHOO and another provider

To make sure that dad’s machine can send out emails using his usual email account, some modifications to ‘/home/dad/.mailrc’ are necessary.

You can test outgoing emails by issuing the following command (run as ‘dad’):

This should send out an email + show the connection details going back and forth. It is crucial that this step works.


On openSUSE, you can add custom stuff to a script ‘/etc/init.d/after.local’ which is run after a runlevel has been reached.

This script checks for the custom boot parameter ‘start_rescue_ssh’, if that is found it starts the SSH-server and sends an email from ‘dad@provider.com’ to ‘son@somewhereelse.com’ containing information about dad’s current IP address and how to connect.

The ‘shared’ option allows for shared desktop experience, when ‘dad’ is logged in.
The ‘stand-alone’ option works if dad is not logged in or no X server is running.

If WiFi + networkmanager is used, you may have to set the WiFi-connection to ‘system’, to make sure it is up and running, even if no user is logged in!

Use with extreme caution, test test test !

As I’m not so sure how accurately the scripts are reproduced on this web-page, please make sure to download on github instead!

Make sure to read part 2 and 3, which will re-visit this topic and add a few improvements here and there.

This entry was posted in Computer / Server and tagged , , , . Bookmark the permalink.