“Easy” remote-admin — take 2

In my previous post I described a method for a boot-activated remote-admin option for my parents’ computer.

On 2nd thought, it is not always a good idea to rely on changing system-wide configurations (such as sshd_config, firewall…)

In this post I’ll basically re-do the whole thing. This time an extra SSH-server is started, in addition to any existing ones, listening on a custom port + custom config options. The firewall is dealt with in the script as well.

For sake of completeness, I will repeat all steps of the previous post and expand where necessary.

I wanted and needed something simple, something that could be activated in the bootloader menu (grub 2), something that didn’t leave the machine wide-open when absolutely not needed, something that would be robust and wasn’t necessarily depending on a working GUI.


The boot-parameters that were used for the currently running kernel can be found in the file ‘/proc/cmdline’, easy to read and evaluate.


The idea is to create a custom boot-menu entry for the Linux machine and adding a keyword of choice as a boot-parameter.

On openSUSE one can add custom grub2 stuff to /etc/grub.d/, e.g. in a file named ’50_rescue_ssh’. The idea is to use an existing menu-entry from the grub2 config file (see /boot/grub2/grub.cfg) as a template.

On 13.2, you’ll find an entry similar to the following in ‘/boot/grub2/grub.cfg’:

Copy this section to ‘/etc/grub.d/50_rescue_ssh’, and make it look something like the following. Note, the new name, added kernel parameter, modified initrd/vmlinuz lines, removed ‘resume’. The version-less links to initrd/vmlinuz should always be present and link to the current kernel used. Make sure the file permissions and ownership are the same as all the other files in that folder.

Once that is done, run ‘grub2-mkconfig > /boot/grub2/grub.cfg’ to update grub2. If you reboot now, there should be an additional boot option named ‘Rescue SSH’ in grub2’s boot menu, which should start up normally (but without resume).

With this modified menu entry running, the parameter ‘start_rescue_ssh’ will show up in ‘/proc/cmdline’, ready for further evaluation.


To make use of the SSH-server, we need to activate port-forwarding in the router that connects to the ISP. Please refer to the manual of said device. Usually it is quite easy to do. The standard SSH-port is 22, which is occupied by the standard SSH-server. Choose something else, maybe 66.

Adapting the firewall to allow incoming traffic is handled by a script, which we will take a look at further down.

To prepare for password-less logins using a public key, the remote user must transfer his public key (e.g. ‘id_rsa.pub’) to the local account to be logged into.

The remote user ‘son’ wanting to log in to the local account ‘dad’ must append his public key ‘son@gamer:/home/son/.ssh/id_rsa.pub’ to ‘dad@mozart:/home/dad/.ssh/authorized_keys’.

This can be done in two ways. Either manually copy/append the contents of ‘id_rsa.pub’ (sun@gamer) to ‘authorized_keys’ (dad@mozart), or use the tool ‘ssh-copy-id’. For the latter option, the standard SSH-server on @mozart must be up and running (port 22).

Password-less login to ‘dad@mozart’ should work now.

An additional SSH-server will be started by a script after booting. It will make sure the SSH-server is configured in such a way that it only allows public-key authentication for normal users. Root login will be rejected.

4) EMAIL CONFIGURATION – works with YAHOO and another provider

To make sure that dad’s machine @mozart can send out emails using his usual email account, some modifications to ‘/home/dad/.mailrc’ are necessary.

You can test outgoing emails by issuing the following command (run as dad@mozart):

This should send out an email + show the connection details going back and forth. It is crucial that this step works. If it doesn’t work, make sure that ‘.mailrc’ has correct ownership and permissions: dad.users 600 (rw——-).


On openSUSE, you can add custom stuff to a script ‘/etc/init.d/after.local’ which is run after a runlevel has been reached.

This script checks for the custom boot parameter ‘start_rescue_ssh’, if that is found it starts an additional SSH-server (in this case listening on port 66), configured to only allow public-key logins for non-root users, and sends an email from ‘dad@provider.com’ to ‘son@somewhereelse.com’ containing information about dad’s current external IP address (router with enabled port-forwarding) and how to connect.

A ‘hole’ is punched into the firewall by inserting an appropriate rule at the beginning of the INPUT chain, which should be compatible with running firewalls. Appending that rule at the end might not work, if the last entry of the chain is equivalent to ‘deny all’ or ‘drop all’.

If the email gets through, it should look this this:

The ‘shared’ option allows for shared desktop experience, when ‘dad’ is logged in.
The ‘stand-alone’ option works if dad is not logged in or no X server is running.

Once the ssh connection is up, run the ‘vncviewer’ line for a graphical user interface. If you just need a console login, connect with ssh as usual (skip -t -L … ‘x11vnc…’).

If WiFi + networkmanager is used, you may have to set the WiFi-connection to ‘system’, to make sure it is up and running, even if no user is logged in!

Use with extreme caution, test test test !

Download here.

This entry was posted in Computer / Server and tagged , , , , , , , , . Bookmark the permalink.