@marksim
Last active September 28, 2018 15:56
Pair Sessions Script Adding more security (automatically timeout sudo, append the command to each ssh key

My script for pair sessions on my box.

What it does

  • downloads the appropriate ssh keys from github
  • copies the appropriate 'ssh pair@your-external-ip' command to your clipboard (see Note #1)
  • sets up the tmux session
  • cleans up the session, and the keys after it's done

How to use

First, brew install tmux

Then you type:

pair-session marksim

After that, just hit paste into your pair's chat window and voila, they ssh in and are automatically connected via tmux.

Issues

  1. If you are running Linux, you can easily alias pbcopy and pbpaste like so: http://whereswalden.com/2009/10/23/pbcopy-and-pbpaste-for-linux/

#!/bin/bash
# bash rather than sh: the script uses [[ ]] and the `function` keyword
if [[ $# -eq 0 ]] ; then
  echo "Usage: $0 [tmux-session-name] github-username [github-user-name [...]]"
  exit 1
fi
# *************************** SETUP ****************************
# Find the LAN IP, the external IP, and the pair user's group
INTERFACE=$(netstat -rn -f inet | grep default | awk '{print $6}')
LAN_IP=$(ipconfig getifaddr $INTERFACE)
EXTERNAL_IP=$(dig +short myip.opendns.com @resolver1.opendns.com)
GROUP=$(id -g pair)
if [ -e "/tmp/$1" ]; then
  SESSION=$1
  # Drop the session name from the argument list so the key loop below
  # does not fetch (and authorize) keys for a GitHub user of the same name
  shift
else
  SESSION='pairing'
fi
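sudo mkdir -p ~pair/.ssh
sudo chown pair:$GROUP ~pair/.ssh
sudo touch ~pair/.ssh/authorized_keys
# Download the public keys to the pair user
for username in "$@"
do
  # -f makes curl fail on HTTP errors, so an error page never lands in authorized_keys
  SSH_KEYS_STRING=$(curl -fsS "https://github.com/$username.keys") || { echo "Could not fetch keys for $username" >&2; continue; }
  # Pipe through tee rather than pasting downloaded text into a root shell command line
  printf '%s\n' "$SSH_KEYS_STRING" | sudo tee -a ~pair/.ssh/authorized_keys > /dev/null
done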
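# Escape the tmux path so it can be used inside the sed replacement below
TMUX=$(echo `which tmux` | sed -e 's/\\/\\\\/g' -e 's/\//\\\//g' -e 's/&/\\\&/g')
# Prefix every key with a forced command and restrictions, so a login with
# that key can only attach to the tmux session
sudo sed -i -e "s/^/command=\"$TMUX -S \/tmp\/$SESSION attach -t $SESSION\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding /" ~pair/.ssh/authorized_keys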
sudo chown pair:$GROUP ~pair/.ssh/authorized_keys
# Copy the ssh command to the clipboard - OS X specific
echo "ssh pair@$EXTERNAL_IP" | pbcopy
sudo -k
# ************************** PAIRING ***************************
function setup_session {
  tmux -S /tmp/$SESSION new -ds $SESSION && chgrp $GROUP /tmp/$SESSION && tmux -S /tmp/$SESSION attach -t $SESSION
}
tmux -S /tmp/$SESSION attach -t $SESSION || setup_session
# ************************** CLEANUP ***************************
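# Cleanup keys (on macOS, BSD sed reads the `-i -e` above as a backup suffix
# and leaves an authorized_keys-e copy behind, so remove that too)
sudo rm -f ~pair/.ssh/authorized_keys ~pair/.ssh/authorized_keys-e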
sudo -k
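
An alternative to the download-then-sed steps above, added here as an example and not part of the gist: it accepts only lines that look like a bare public key and emits each one with the same forced command and options. `restrict_keys`, `sample_keys` and the sample key data are made up for this example.

```sh
# Added example (not from the gist). Reads candidate public keys on stdin and
# prints authorized_keys entries locked to a tmux attach command.
restrict_keys() (   # subshell body keeps the variables below local
  tmux_bin=$1
  session=$2

  # Both values land inside a quoted command="..." option, and the session
  # name also inside a /tmp path: allow only characters that are safe there.
  case $tmux_bin in
    /*) ;;
    *) echo "tmux path must be absolute" >&2; exit 2 ;;
  esac
  case $tmux_bin in
    *[!A-Za-z0-9_./-]*) echo "unexpected character in tmux path" >&2; exit 2 ;;
  esac
  case $session in
    ''|*[!A-Za-z0-9_-]*) echo "bad session name" >&2; exit 2 ;;
  esac

  opts="command=\"$tmux_bin -S /tmp/$session attach -t $session\""
  opts="$opts,no-port-forwarding,no-X11-forwarding,no-agent-forwarding"

  # read splits each line into key type, base64 blob, and anything after it.
  while read -r type blob rest || [ -n "$type" ]; do
    # Keep only "<known key type> <base64 blob>". That drops blank lines,
    # error pages, and lines that already carry options of their own.
    case $type in
      ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
      *) continue ;;
    esac
    case $blob in
      ''|*[!A-Za-z0-9+/=]*) continue ;;
    esac
    # The trailing comment field ($rest) is deliberately not copied.
    printf '%s %s %s\n' "$opts" "$type" "$blob"
  done
)

# Constructed sample input: one well-formed key line (placeholder key data),
# one error-page line, one line that tries to bring its own options.
sample_keys() {
  cat <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATAFORDEMOONLY000000000000000000 someone@example
Not Found
command="/bin/sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB
EOF
}

sample_keys | restrict_keys /usr/local/bin/tmux pairing
```

In the script, the output of `curl -fsS "https://github.com/$username.keys" | restrict_keys "$(which tmux)" "$SESSION"` would be appended to `~pair/.ssh/authorized_keys` with `sudo tee -a`.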
@marksim
Author

marksim commented Jun 14, 2013

Anyone know a more reliable / less brittle way to get your local IP without installing another dependency?

@swalberg

I'd start with the routing table: netstat -rn -f inet From there you get the interface with the default gateway then use what you have to get the IP.

Another suggestion would be to use something like localtunnel.com instead and avoid port forwarding and figuring out IP addresses. If you don't mind installing the localtunnel gem then you don't need to punch any holes in the firewall, it's all done with SSH port forwarding and a remote service.

@marksim
Author

marksim commented Jun 15, 2013

Thanks for the netstat - that does make it less brittle. Still have to parse ifconfig, but it's better than it was.

localtunnel.com seems like it is meant for http forwarding and might not work for ssh... is that just because of their example use cases?

@swalberg

Ah, facepalm. It's HTTP only, uses the host header to figure out which tunnel to use. The login banner I got when I connected to port 22 is from the server itself. Wishful thinking on my part.

Reverse ssh tunnelling would have made this a lot easier :(

@kmeister2000

Great script, Mark. I made a small change as I didn't like the idea of leaving port 22 open to the public internet. I know it's not a great measure of protection, but obfuscating the ssh port seemed like a very easy way to hopefully avoid unwanted attention from scanners during the pair session.

https://gist.github.com/kmeister2000/5935441

@bf4

bf4 commented Jan 7, 2014

The script depends on sudo useradd pair having been run
