logicnow / bluesky
An SSH tunneling solution for remote Mac-to-Mac connectivity (formerly a Mac-MSP product)
License: Apache License 2.0
Apache is memory and resource heavy; it would be great to replace it with nginx.
We could also maybe build in Let's Encrypt? (wishful thinking)
For example, .technology TLDs are not accepted. I see that there is an email validation filter in PHP that would work for this case:
filter_var($email, FILTER_VALIDATE_EMAIL)
but it won't recognize the default case of root@localhost.
need to look into having our scripts check permissions on .ssh folders etc better.
This is not a bug - just feedback how I use BlueSky.
Since I add the admin Mac's id_rsa.pub to the client's authorized_keys via Munki, I do not want that dialog to appear before Screen Sharing opens,
so I added a repeat loop that checks whether the VNC port is already available via nc, and then proceeds without the dialog:
on screen_share(blueSkyID, sshPort, vncPort, serverAddr, userName)
    -- is an ssh process already forwarding this VNC port?
    set vncCheck to do shell script "ps -ax | grep ssh | grep " & vncPort & " | grep -v grep;exit 0"
    if vncCheck is "" then
        tell application "Terminal"
            activate
            do script "ssh-keygen -R \\[localhost\\]:" & sshPort & "; ssh -t -o \"ProxyCommand ssh -p 3122 -i ~/.ssh/bluesky_admin admin@" & serverAddr & " /bin/nc %h %p\" -o \"LocalForward " & vncPort & " localhost:5900\" -o \"StrictHostKeyChecking=no\" -p " & sshPort & " " & userName & "@localhost"
            set current settings of selected tab of window 1 to settings set "Bluesky"
        end tell
        -- wait up to 20 s for the forwarded port to accept connections;
        -- once "refused" no longer appears, grep exits non-zero, which raises the error that ends the loop
        repeat 20 times
            do shell script "sleep 1"
            try
                set vncCheck2 to do shell script "nc -zv 127.0.0.1 " & vncPort & " 2>&1 | grep refused"
            on error
                exit repeat
            end try
        end repeat
    end if
    do shell script "open vnc://" & userName & "@localhost:" & vncPort
end screen_share
(I have a Terminal.app Preset called "Bluesky" to quickly identify all open tunnels beside my other terminal windows)
(ssh-keygen -R \[localhost\]:" & sshPort & "; is only there because I am transitioning to new blueSkyIDs; see below)
And then I have 2 instances of BlueSky - my own & one at a customer.
So I changed the URL bluesky://com.solarwindsmsp.bluesky.admin to bluesky://INSTANCE-NAME.admin
That makes it possible to set the server name based on the site I use.
The blueSkyID + 1500 makes it possible to have different VNC passwords stored in the keychain.
--set_server()
if this_URL begins with "bluesky://INSTANCE-NAME.admin" then
    set serverAddr to "<First Server's DNS>"
    set blueSkyID to blueSkyID + 1500
else
    set serverAddr to "<Second Server's DNS>"
end if
Thx - BlueSky is a great project!!
Maybe these ideas fit for someone else too
To reproduce:
This is what appears in the apache error.log:
PHP Fatal error: Uncaught Error: Call to undefined function simplexml_load_string() in /usr/local/bin/BlueSky/Server/html/admin/pageHome.php:116\nStack trace:\n#0 {main}\n thrown in /usr/local/bin/BlueSky/Server/html/admin/pageHome.php on line 116
BlueSky/Server/html/admin/pageHome.php, line 116 in d435f66
Early tests show a good tunnel established on Mojave beta 7
emailHelper always fetches the "To:" address from global. Processor looks up the individual notification email address from each computer record (because it used to do the email in 1.5) but doesn't pass it on to the emailHelper.
Line 140 in d435f66
Line 149 in d435f66
I have been testing a build in which the above lines have -o ConnectTimeout=10
added to the command. This should allow the processor to exit out quicker than it does right now. I had been noticing that the number of processes running on my bluesky server is very high because it is trying to check dead connections. Any thoughts on this? Don't want to submit a PR until it is discussed.
Line 162 has:
cp /var/bluesky/com.solarwindsmsp.bluesky.plist /Library/LaunchDaemons/com.solarwindsmsp.bluesky.helper.plist
Should the cp not have com.solarwindsmsp.bluesky.helper.plist?
Installing the agent on a virgin install that doesn't have SSH enabled, helper.sh is trying to use systemsetup
to enable ssh but Apple has nerfed it:
root@users-Mac ~ # systemsetup -setremotelogin on
setremotelogin: Turning Remote Login on or off requires Full Disk Access privileges.
Sooooo a couple ways to address that I can think of:
1. Do it the Apple way and change nothing, and hope that there's some manual config to enable SSH and/or MDM has given systemsetup FDA rights. Since this is kinda the only way to get ScreenSharing enabled, it wouldn't be unheard of, but it would be nice to at least get SSH always.
2. Add a provision to helper.sh around line 129 that, if we're running on 10.15, tries this instead:
/bin/launchctl load -w /System/Library/LaunchDaemons/ssh.plist
Still seems to work.
I'd vote option 2, as something is better than nothing and it's a pretty easy workaround to code. I wanted to take the public temperature before taking the time to send up a PR, in case anyone can think of a better route.
I'm not familiar with AppGini, although I suppose I could take a look... I was wondering if we could set a timezone to use for the display of dates within the dashboard. Currently the last check-in date etc. is in UTC.
On line 34, the end quote of the echoed warning is a funky double quote, causing an unexpected EOF while looking for matching `"'
admin-wrapper.sh is reading /var/log/auth.log to collect info for recording admin activity in the connections mySQL table. There is a column to capture which key is being used (i.e. which admin is doing the connecting) but first we need to use the SHA2 fingerprint from auth.log to lookup which key from /home/admin/.ssh/authorized_keys is being used, and then put the key comment (which is the description made by the user via Admin Setup) in the column.
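One way to do that lookup, as an added example that is not part of admin-wrapper.sh or the BlueSky project: it computes the OpenSSH SHA256 fingerprint of each key in a constructed authorized_keys sample and joins it to constructed auth.log "Accepted publickey" lines. The key blobs, comments, hostnames and addresses are all made up for the example; lines with a leading options field (command="...") are not handled.

```python
import base64
import hashlib
import re

def fingerprint(key_b64: str) -> str:
    # OpenSSH "SHA256:" fingerprint: base64 of sha256(key blob), '=' padding stripped
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_key_comments(authorized_keys: str) -> dict:
    # Map fingerprint -> comment (the description entered via Admin Setup) per key line
    comments = {}
    for line in authorized_keys.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        comments[fingerprint(parts[1])] = parts[2] if len(parts) == 3 else ""
    return comments

ACCEPTED_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port \d+ "
    r"ssh2: \S+ (?P<fp>SHA256:\S+)"
)

def attribute_logins(auth_log: str, comments: dict) -> list:
    # Return (login user, source address, key comment or None) for each accepted login
    hits = []
    for line in auth_log.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            hits.append((m["user"], m["src"], comments.get(m["fp"])))
    return hits

# Constructed sample data: the key blobs are arbitrary bytes, not real keys
ALICE_BLOB = base64.b64encode(b"constructed key blob for alice").decode()
BOB_BLOB = base64.b64encode(b"constructed key blob for bob").decode()
AUTHORIZED_KEYS = (
    "# comment field = description entered via Admin Setup\n"
    f"ssh-ed25519 {ALICE_BLOB} alice-laptop\n"
    f"ssh-rsa {BOB_BLOB} bob-desktop\n"
)
AUTH_LOG = (
    "Jan 12 10:15:01 bluesky sshd[1234]: Accepted publickey for admin from "
    f"203.0.113.5 port 51234 ssh2: ED25519 {fingerprint(ALICE_BLOB)}\n"
    "Jan 12 10:16:42 bluesky sshd[1250]: Accepted publickey for admin from "
    "198.51.100.7 port 40022 ssh2: RSA SHA256:notInAuthorizedKeys\n"
)

def demo() -> list:
    return attribute_logins(AUTH_LOG, load_key_comments(AUTHORIZED_KEYS))
```

A login whose fingerprint is not in authorized_keys comes back with a None comment, which is the case worth alerting on rather than silently recording.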
When I am notified of a machine coming back online, I get a link like this in the email. It doesn't work :/
https://bluesky.XXXXXXX.com/blu=144
link domain sanitized.
For the purposes of diagnostics and 3rd party integrations:
Storing the agent's current version number on disk would be useful.
Perhaps in a key within /var/bluesky/settings.plist
client-config.sh needs to be updated to look like this:
hostKey=`ssh-keyscan -p 3122 -t ed25519 localhost | awk '{ print $2,$3 }'`
hostKeyRSA=`ssh-keyscan -p 3122 -t rsa localhost | awk '{ print $2,$3 }'`
There's additional whitespace and possibly a carriage return/newline in
do shell script "echo 'Host " & serverAddr & " UseKeychain yes' >> ~/.ssh/config"
that renders ~/.ssh/config file unusable, causing ensuing ssh (outgoing) connections to fail.
The resulting config file shows the following which should of course all be on one line:
Host XX.ip.address
Use Keychain yes
The problem might only occur if said file already has an entry.
Consider this an enhancement request…
In reading the man page for ssh-copy-id, I found this tidbit:
N.B. the modern approach is to use the -W option, rather than nc
I don't know if this has any other benefits (or drawbacks), but it does eliminate a dependency on nc.
To implement this, the connect.applescript would need to replace all instances of /bin/nc %h %p with -W %h:%p.
admin-wrapper.sh also references /bin/nc, but I'm less sure how best to change that. Maybe that testCmd could be eliminated altogether.
Just something to think about.
Line 188 currently has:
cp /usr/local/bin/sendmail-whois-lines.conf /etc/fail2ban/action.d/sendEmail-whois-lines.conf
The "sendmail-whois-lines.conf" should be "sendEmail-whois-lines.conf"
If you don't change that value, you will get this error in the script output:
cp: cannot stat '/usr/local/bin/sendmail-whois-lines.conf': No such file or directory
could you elaborate on the function of the file at:
/usr/local/bin/BlueSky/Server/defaultLogin.txt
it is referenced in code yet not in docs or normal setup. thx!
On some 10.13 clients it seems the tunnel is established from the client to the server, but the server fails the PKI stage when trying to get back through the tunnel to the client. Some theories are that this affects freshly installed 10.13 clients (non-upgrades) and that perhaps Apple has added some level of security that does not allow this hidden bluesky user, which has no password, to auth only via PKI.
Hard to track down.
Not sure how to do PR's to wiki pages :) the getting started page has 2 typos:
https://github.com/logicnow/BlueSky/wiki/Getting-Started
The 2 paths that reference the /usr/local/Bluesky/Server directory do not have "Server" with the initial cap.
sudo /usr/local/bin/BlueSky/server/server-config.sh
sudo /usr/local/bin/BlueSky/Server/server-config.sh
Also, you may want to configure /usr/local/bin/BlueSky/server/emailHelper.sh with your preferred SMTP setup so that the server can email you notifications, alerts, and Fail2ban alerts.
Also, you may want to configure /usr/local/bin/BlueSky/Server/emailHelper.sh with your preferred SMTP setup so that the server can email you notifications, alerts, and Fail2ban alerts.
VMware sometimes creates some odd serials with slashes and pluses in them. We should account for that when we pass data from the client to the server etc.
Since Ubuntu 18.04 uses PHP 7.2, php-crypt has been removed. See:
Don't seem to be working for me anymore :/
BlueSky 2.0 changed the SSH keys from rsa to ecdsa-sha2-nistp256. This means that only 10.11 and higher can run it.
10.6 - 10.10 will error on reKey sequence when trying to generate keys and do so every time launchd fires it.
The additional enforcement of certain ciphers and MACs may also break compatibility with OS X's earlier OpenSSH builds. Need to evaluate the security implications of bringing back rsa on older versions.
I'm running the docker build and if I pass in an SSL cert/key for Apache (SSL_CERT/SSL_KEY), then the certs needed for Bluesky admin and client are not created.
The problem occurs in client-config.sh lines 40–52:
if [ "$(find /certs -maxdepth 1 -type f -not -path '*/\.*')" ]; then
    # fixup files
    echo "Putting the provided ssh keys in place..."
    ln -fs /certs/blueskyclient.key /usr/local/bin/BlueSky/Server/
    ln -fs /certs/blueskyclient.pub /usr/local/bin/BlueSky/Client/
    ln -fs /certs/blueskyadmin.key /usr/local/bin/BlueSky/Server/
    ln -fs /certs/blueskyadmin.pub /usr/local/bin/BlueSky/Admin\ Tools/
    ln -fs /certs/blueskyd.pub /usr/local/bin/BlueSky/Server/
    ln -fs /certs/blueskyd /usr/local/bin/BlueSky/Server/
else
    echo "fresh docker container - lets rebuild keys..."
    IN_DOCKER_FRESH=true
fi
Basically, any file in the certs directory satisfies this find, so IN_DOCKER_FRESH is never set to true.
One possible solution would be to add -name 'bluesky*' to that find, but that doesn't take into account that my apache cert might be named "bluesky_ssl.pem". Another would be to add variables to explicitly specify the existing bluesky keys. Or maybe there's another, better solution.