Shared Terminal Sessions over SSH
How to share a terminal session over ssh
Note: Due to changes in screen, this tutorial is outdated for Ubuntu 9.04, Jaunty. I posted an updated tutorial here.
This how-to explains how to use screen to share a terminal session over an ssh connection. This may be helpful if you wish to teach the Linux command line, and it can be used in concert with IRC.
The impetus for this how-to is the desire for the Ubuntu Forums Beginners Team to facilitate learning the command line during IRC Classroom sessions.
This how-to will use two accounts:
guru – the master or teaching account. This account owns the screen session. Only the guru account will be able to enter commands into the shared screen session.
guest – the guest account may log in over ssh and will automatically attach to the shared session. You may have multiple people log into the guest account from multiple IP addresses (locations) simultaneously.
The shared session will be “read only” meaning the guest(s) will be able to observe commands, and the output, but not enter commands. The account running the screen session (both setting up and entering commands) will be “guru”.
Configure the guest account
Make the following files in /home/guest owned by root.guest
.bash_login
.bash_logout
.bash_profile
.bashrc
.profile
Permissions of the above files are 640
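Make the contents of .bash_profile read something like:
# Ignore Ctrl-C (INT), Ctrl-\ (QUIT) and Ctrl-Z (TSTP) to *try* to stop the user getting to a shell.
# Signal names are used because number 19 is SIGSTOP on most Linux systems, which cannot be trapped.
trap "" INT QUIT TSTP
clear
# ANSI colour escapes, interpreted by echo -e
BLUE='\e[0;34m'
RED='\e[0;31m'
GREEN='\e[0;32m'
echo -e "${BLUE}" "Welcome to the UFBT ssh session"
echo
echo -e "${BLUE}" "This session is \"read only\""
echo -e "${BLUE}" "You will see commands and the output …"
echo -e "${BLUE}" "But you will NOT be able to enter commands"
echo -e "${BLUE}" "of your own."
echo
echo -e "${RED}" "To exit this session, just close your terminal"
echo
echo -e "${GREEN}" "Press Enter to continue…" && read
# Attach to guru's shared session, then log out as soon as screen returns
screen -x guru/lesson
exit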
Make the contents of .bash_login, .bashrc, and .profile read:
. ./.bash_profile
Make /home/guest owned by root.guest
sudo chown root.guest /home/guest
Now make home directories “private”
Permissions of /home/guest (and any other /home directory) are 750
sudo chmod 750 /home/guest
sudo chmod o-rx /root
Now we will further restrict the guest with AppArmor. To do this we will make a restricted shell “jailbash” and use this as the default shell for the guest account. The idea of jailbash is to restrict the very public guest account in the unforeseen event a cracker misuses the account and obtains a shell.
(BIG thank you to jdong for teaching me this).
First make a (hard) link
sudo ln /bin/bash /usr/local/bin/jailbash
Now we need an apparmor profile for /usr/local/bin/jailbash
The one I am using is modified from jdong :
#include <tunables/global>
/usr/local/bin/jailbash {
  #include <abstractions/base>
  #include <abstractions/consoles>
  capability setuid,
  owner /etc/passwd r,
  /home/guest/ r,
  /home/guest/** r,
  /lib/terminfo/** r,
  /proc/*/stat r,
  /tmp/** r,
  /usr/bin/clear rix,
  /usr/bin/screen rix,
  /usr/local/bin/jailbash r,
  owner /var/run/* r,
  owner /var/run/screen/** rw,
}
The capability setuid is necessary to connect to the guest screen.
Save that profile as /etc/apparmor.d/usr.local.bin.jailbash
Then
sudo /etc/init.d/apparmor restart
sudo aa-enforce /usr/local/bin/jailbash
With that, the guest account should be all set.
Again, thank you to jdong for sharing his jailbash Apparmor profile.
Edit: The reason I used AppArmor rather than rbash is that AppArmor is more robust. jdong was kind enough to post a comment on my rbash blog showing he was able to break out of rbash in 10 minutes.
This AppArmor profile is quite restrictive and gives the guest only the minimal access needed to attach to the shared screen session.
For additional information on AppArmor, see my post on the Ubuntu forums
Configure screen (must run with SUID bit set)
sudo chmod +s /usr/bin/screen
sudo chmod 755 /var/run/screen
Configure ssh keys
Using ssh keys allows you to prevent your ssh server from being abused.
Make a key for the guru and guest accounts.
Copy the keys to the server in ~/.ssh/authorized_keys
Make the keys owned by root.guest and root.guru respectively (permissions 640)
Now edit the keys, at the very beginning of the line, add the following (for both guru and guest):
command="/usr/local/bin/jailbash",no-port-forwarding,no-agent-forwarding,no-X11-forwarding
If you do not understand this, see my blog on svn+ssh.
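The script below is an added example, not part of the original post: it audits the guest account against the ownership, modes and authorized_keys options given above. The function names and the GUEST_HOME and GUEST_OWNER overrides are assumptions made for the example, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: audit the guest account set up above.
# Paths, modes and key options come from this page; the function names and the
# GUEST_HOME / GUEST_OWNER overrides are assumptions made for the example.
GUEST_HOME="${GUEST_HOME:-/home/guest}"
GUEST_OWNER="${GUEST_OWNER:-root:guest}"

# check_perms PATH OWNER:GROUP MODE -> 0 when PATH matches (GNU stat assumed)
check_perms() {
    [ "$(stat -c '%U:%G %a' "$1" 2>/dev/null)" = "$2 $3" ]
}

# check_key_line LINE -> 0 when an authorized_keys line forces jailbash and
# disables all three kinds of forwarding.
# Simplification: assumes no option value contains a space.
check_key_line() {
    opts="${1%% *}"    # the option list is the first space-delimited field
    for opt in 'command="/usr/local/bin/jailbash"' \
               no-port-forwarding no-agent-forwarding no-X11-forwarding; do
        case ",$opts," in
            *",$opt,"*) ;;        # option present as a whole list item
            *) return 1 ;;        # missing: the key is not locked down
        esac
    done
}

# audit_guest -> prints one line per finding; exit status is the failure count
audit_guest() {
    fails=0
    keys="$GUEST_HOME/.ssh/authorized_keys"
    for f in .bash_login .bash_logout .bash_profile .bashrc .profile \
             .ssh/authorized_keys; do
        check_perms "$GUEST_HOME/$f" "$GUEST_OWNER" 640 ||
            { echo "FAIL $GUEST_HOME/$f: want $GUEST_OWNER 640"; fails=$((fails + 1)); }
    done
    check_perms "$GUEST_HOME" "$GUEST_OWNER" 750 ||
        { echo "FAIL $GUEST_HOME: want $GUEST_OWNER 750"; fails=$((fails + 1)); }
    [ -r "$keys" ] || return "$fails"
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac    # skip blanks and comments
        check_key_line "$line" ||
            { echo "FAIL key not locked to jailbash: ${line%% *}"; fails=$((fails + 1)); }
    done < "$keys"
    return "$fails"
}
```

Source the file and run audit_guest as root on the server; each FAIL line names the path or key entry that deviates from the settings above.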
Start a shared session
Begin by logging into the ssh server as “guru” and start a screen session :
screen -S lesson
NOTE: It is critical to name the screen session the same as in /home/guest/.bash_profile
"screen -x guru/lesson"
Once the screen session has started enter commands with C-a:
NOTE: C-a is an abbreviation for the key combination Control-a
so, hit C-a, then : then the command.
C-a:multiuser on
C-a:acladd guest
C-a:aclchg guest -wx "#,?"
C-a:aclchg guest +x "colon,wall,detach"
By default screen will give a visual flash when guests attempt to enter commands. Although cute, it is confusing to guests and gets annoying fast.
To disable the “flash” disable the vbell in screen, as guru,
C-a C-g
That is shorthand for control key + a and control key + g and is a toggle (the same sequence a second time re-activates it). The only “problem” with this is you then get an audible bell, or beep. To disable this see this link.
To log a screen session use
C-a H
This key sequence turns logging on and off and the output is 'screenlog.x' where x = the number of your current window.
Guests can attach to the screen session with :
ssh guest@host -i /home/.ssh/guest-ssh-key
Note: They still need to enter the guest ssh key password.
Guests can detach with C-a d (Control-a d)
The user guru can see a list of attached guests with :
C-a:displays
Guests and the guru can communicate via IRC (or wall).
Example of using wall :
C-a:wall "message in quotes"
Thanks
Seems like a great tutorial.
Going to try it out. (Going to have to read your tut on apparmor first)
Comment by drubin — January 20, 2009 @ 3:50 am
You mentioned rbash in a previous entry, why isn’t it used here?
Comment by Malcolm Parsons — January 20, 2009 @ 6:51 am
Malcolm : rbash is too easy to break out of. jdong posted a comment and a link on the tutorial on rbash.
Comment by bodhi.zazen — January 20, 2009 @ 8:20 am
Is there any benefit in using rbash and selinux/apparmor together?
Comment by Malcolm Parsons — January 20, 2009 @ 10:20 am
Malcolm:
I am sure you know this, but for the benefit of others following this conversation, you can not use selinux at the same time as apparmor (they are mutually exclusive).
There is a benefit of rbash but please keep in mind as I *tried* to point out and jdong made perfectly clear (to me at least), it is not *too* difficult to break out of rbash.
apparmor and selinux will both be configured somewhat differently, but both are more secure than rbash.
If you are already using apparmor and/or selinux, rbash does not, IMO, add much.
Comment by bodhi.zazen — January 20, 2009 @ 3:33 pm
Hey Bodhi
There is a slight error with regards to your colors. (I have been using them for a while and never noticed till yesterday when my shell started to act up).
BLUE='\e[0;34m'
RED='\e[0;31m'
GREEN='\e[0;32m'
Should be.
BLUE='\[\e[0;34m\]'
RED='\[\e[0;31m\]'
GREEN='\[\e[0;32m\]'
Notice the first \[ and the last \]
source.
http://tldp.org/HOWTO/Bash-Prompt-HOWTO/x329.html.
Or maybe this is for a pure bash shell.
Comment by drubin — February 10, 2009 @ 11:48 pm
drubin:
First thank you for your insights and feedback.
What problems were you having and how is it these color codes fixed it ?
I use the codes primarily to set the color via echo
(ie echo -e ${GREEN}green )
http://hacktux.com/bash/colors
When I changed the syntax as you suggested I get “\[\]” printed in the echo command
(echo -e ${GREEN}green ).
My syntax seems to “works for me” when I use it to set PS1 for example PS1="${GREEN}/w"
Comment by bodhi.zazen — February 12, 2009 @ 12:23 am
This is rather odd…
But like I said, your color codes worked fine up to a point. But sometimes my terminal wouldn’t be able to run ctrl+u to clear the current line; it would stop at a random char on the line.
But this problem might have been since I wasn’t using echo -e “” I was using “\e”
I wonder what the reasoning for this is? Maybe it is only required on PS1’s?
Comment by drubin — February 12, 2009 @ 1:39 pm
Really couldn’t say very much about that – but I can say that it works very well in a teaching environment …
At least I hope that it did
Comment by elfy — February 13, 2009 @ 2:09 pm
As it turns out, KIAaze posted an elegant solution to the colors in .bashrc on the ubuntu forums
Here: http://ubuntuforums.org/showpost.php?p=6835224&postcount=128
Comment by bodhi.zazen — March 4, 2009 @ 8:01 am
bodhi Thanks for that link! very very cool to know.
I also see why there is a difference between PS1 and echo colors.. so I was wrong about my first post since you weren’t using colors for your PS1
Comment by drubin — March 4, 2009 @ 3:11 pm