This is provided as-is, basically to document it for myself in case I ever need to do it again. It solved a need for me: gaining access to a remote machine over 450 miles (~720 km) away and resetting the admin password for a family member who didn't have any other way to get into their machine.
Big thanks to @slai's blog post: https://slai.github.io/posts/customising-ubuntu-live-isos-with-docker/ which, as you can tell, provided the building blocks to make this happen via Docker. I thought it was an interesting way to script the adjustments to the squashfs in a familiar way.
Some disclaimers:
- Only tested creation on Ubuntu
- Several security concerns: this should be a quick-use sort of thing, not a permanent setup.
- Expects that they can hardwire via Ethernet to the router and that the router provides DHCP
We need to generate a pre-shared key:
ssh-keygen -t rsa -f baked-in-key
Now we need to do a few things:
- Install some dependencies
- Download the Ubuntu 20.04 server ISO
- Extract the main filesystem squashfs from the ISO
- Import that filesystem into docker so we can extend it easily
./prepare.sh
Now that it's loaded into Docker as ubuntulive:base, we can use the Dockerfile to extend it and make modifications to it.
Once you have added any further changes you want:
docker build -t ubuntulive:image --build-arg version=0.3 .
Edit remote-recover.service and set the environment variables to point to a DNS address that your server will look at.
Now that we have the image the way we want it, thanks to Docker, we need to squash it back up and put it back in an ISO:
./repack.sh
Create a user for them on the server. Ideally, lock the user down so they can't open a shell but can still expose their local port.
Copy the baked-in-key.pub contents into that user's ~/.ssh/authorized_keys file, then chown and chmod 0600 that file.
Now burn the ISO to a CD or load it on a flash drive. I found that Rufus did a great job.
Pop the CD or flash drive in and have them spam F12 (or whichever key opens the boot menu on that hardware).
Select the USB Storage.
Once they get to the login screen, run this on the VPS they are pointing to:
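One way to do the lock-down described above, as an added example that is not part of the original repository: OpenSSH authorized_keys options that allow only a reverse-forward listener on port 43002 and replace any requested command with /bin/false. It assumes the live ISO opens its tunnel without requesting a command (ssh -N style); the function names and the home directory argument are hypothetical.

```shell
#!/bin/sh
# Added example: restrict the tunnel account's key to one reverse forward.
# Assumption: the live ISO connects without asking for a shell or command
# (ssh -N -R ...), so the forced /bin/false never ends the tunnel session.

# Print an authorized_keys line for public key text $1 and listen port $2.
restricted_key_line() {
    # restrict        : no pty, no agent/X11 forwarding, no forwarding, no ~/.ssh/rc
    # port-forwarding : re-enable port forwarding only
    # permitlisten    : remote (-R) listeners may bind this port and no other
    # command         : any shell or exec request runs /bin/false instead
    printf 'restrict,port-forwarding,permitlisten="%s",command="/bin/false" %s\n' \
        "$2" "$1"
}

# Write the restricted line to <home>/.ssh/authorized_keys with tight modes.
install_restricted_key() {
    home=$1
    pubkey_file=$2
    port=$3
    case $port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    # Expect exactly one non-empty line in the .pub file.
    [ "$(grep -c . "$pubkey_file")" -eq 1 ] || { echo "expected one key" >&2; return 1; }
    pubkey=$(grep . "$pubkey_file")
    # Refuse lines that already carry options in front of the key type.
    case $pubkey in
        ssh-*|ecdsa-*|sk-*) ;;
        *) echo "not a bare public key line" >&2; return 1 ;;
    esac
    mkdir -p "$home/.ssh" || return 1
    chmod 700 "$home/.ssh" || return 1
    restricted_key_line "$pubkey" "$port" > "$home/.ssh/authorized_keys" || return 1
    chmod 600 "$home/.ssh/authorized_keys"
}

# Usage, with a hypothetical account home directory (run as root, then chown
# the .ssh directory to that account):
#   install_restricted_key /home/tunneluser baked-in-key.pub 43002
```

The permitlisten option needs OpenSSH 7.8 or newer on the server; restrict needs 7.2 or newer.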
ssh -i baked-in-key -p 43002 root@localhost
Now you should be able to work as if you are at the keyboard.