Open greenais opened 2 years ago
As far as users and doubts about being an uncontrolled spy tool for admin... In the current agent, there is a flag that can be set on the agent side at install time (or in the config file), to force user consent to be required. This would make it so even if the server cleared the user consent flags in the configuration, the agent would override it, and still require user consent...
I forget what the flag was, but I can look it up... I suppose it would be useful to include this in the binary installer, so that there is a checkbox or something to require user consent, so when the user goes to run the agent in interactive mode, or installs the agent, it would set the bit, so that user consent would always be required.
Creating MeshCentral Assistant on Linux would be a lot of work, also capturing the screen on many different Linux distros is a lot of effort. It's certainly something that is possible, but it's a lot of work. Using a variation of the current agent code would be best short term.
To be clear about the AV thing, the MeshAgent does not contact any server except the server it's been assigned to connect to and will only do what it's told by that server. The issue is that some are using the MeshAgent to do evil things with their own servers. Also, having the AV vendors indicate that there is a remote management agent installed on a computer is not a bad thing. Also, the MeshAgent and MeshCentral Server are completely open source and so, can be audited. We compile agent binaries directly from the public GitHub repository and anyone can do the same.
In case anyone was curious, the flag I mentioned before is LocalConsent. So at install time, you can specify it at install time, like:
MeshAgent -fullinstall --LocalConsent=8
or it can be specified in the .msh file like:
LocalConsent=8
When specified in this fashion, when the agent runs, it will always require user consent for KVM (the 8 is a bitmask), regardless what consent values the server sends to the agent at runtime.
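An added example, not part of the thread and not MeshAgent code: a shell check an administrator could run over a deployed .msh file to confirm that the KVM consent bit described above is set locally. It assumes the .msh file is plain key=value lines as shown above, the function name is hypothetical, and it cannot see a value that was passed only on the install command line.

```shell
#!/bin/sh
# Added example: audit a .msh file for a locally enforced KVM consent bit.
# Assumption: .msh files are plain "Key=Value" lines, as in the thread.

KVM_CONSENT_BIT=8   # from the thread: "the 8 is a bitmask" for KVM consent

# msh_requires_kvm_consent FILE   (hypothetical helper name)
# Exit status:
#   0 = every LocalConsent line has the KVM consent bit set
#   1 = at least one LocalConsent line lacks the bit
#   2 = file unreadable, or no parseable LocalConsent line
# Checking every occurrence avoids guessing which one the agent honours.
msh_requires_kvm_consent() {
    [ -r "$1" ] || return 2
    # Strip CRs (Windows line endings) and keep only decimal values.
    values=$(tr -d '\r' < "$1" |
        sed -n -E 's/^LocalConsent=(0|[1-9][0-9]*)[[:space:]]*$/\1/p')
    [ -n "$values" ] || return 2
    for v in $values; do
        [ $(( $v & $KVM_CONSENT_BIT )) -ne 0 ] || return 1
    done
    return 0
}

# Usage: msh_requires_kvm_consent ./meshagent.msh || echo "consent not enforced locally"
```

A status of 2 deserves the same attention as 1: with no LocalConsent line in the file, consent is left to whatever the server sends.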
> ...so when the user goes to run the agent in interactive mode, or installs the agent, it would set the bit, so that user consent would always be required.
Is there such thing as interactive mode GUI-enabled agent in Linux, if so - how to enable it? I set user consent requirement on server side from very scratch but server still generates script which just installs agent service (always running in background) with no control from user side at all
> Creating MeshCentral Assistant on Linux would be a lot of work, also capturing the screen on many different Linux distros is a lot of effort. It's certainly something that is possible, but it's a lot of work. Using a variation of the current agent code would be best short term.
Yes, surely you (and collaborators) already did the huge job making such great solution as MeshCentral possible and free, I feel really deep respect to you, guys. But having in place already working agents for different distros - it could be much easier just to wrap them in some primitive (GTK etc) GUI or even console interface with simple user interaction (like "Press Y to start support agent and don't close this window until you finished your session") and run only by user request, not as permanent background service. Providing some kind of icon-enabled run shortcut/menuitem could be tricky as DEs quite differ, but it's surely solvable by instructing enduser in person how to create it manually in his/her environment
Interactive mode is present now. It basically just displays a dialog box with a connect button. When you click it, it runs the agent in console mode, and then shows a disconnect button. It's the same agent binary.
> Interactive mode is present now. It basically just displays a dialog box with a connect button. When you click it, it runs the agent in console mode, and then shows a disconnect button. It's the same agent binary.
But how to run it? And how to tell server to generate install script without obligatory setting up permanent background service?
> > Interactive mode is present now. It basically just displays a dialog box with a connect button. When you click it, it runs the agent in console mode, and then shows a disconnect button. It's the same agent binary.
> But how to run it? And how to tell server to generate install script without obligatory setting up permanent background service?
From the browser, select Add Agent, then under OS, select Linux / BSD / macOS Binary Installer, then select Linux x86-64.
Then click on the download button... Then just run the binary, and it should just work... It will open a dialog box, and present an install button and a connect button if you selected Background & Interactive, or just a Connect button if you selected Interactive Only.
Here is what the interactive dialog looks like, in this case it was configured as Background & Interactive
Oh, I went via "Invite" route - as it lets easily share link with distant friends. Thank you!
Unfortunately compiled binaries don't work for me:
~/meshcentral$ ./meshagent
timeout
~/meshcentral$ ./meshagent -info
Compiled on: 10:22:20, Apr 4 2022
Commit Hash: 2fc1af473a96b5ad64011fd0575cfa15ee36d769
Commit Date: 2022-Apr-2 20:45:45-0700
Using OpenSSL 1.1.1l 24 Aug 2021
Agent ARCHID: 6
Detected OS: Debian GNU/Linux 10 (buster) - x64
I tried both - "Interactive Only" and "Background & Interactive" variants, the only difference (as expected) is that B&I asks for sudo. Doublechecked against Windows Assistant - it works fine as usual on Win7 and Win8.1 machines. What other steps should I take to troubleshoot the problem?
Could it be related somehow to usage of existing Letsencrypt certs? I replaced with them webserver- ones in meshcentral-data and MC server opens now with no warnings in any browser, but when I was going via "Invite" route I had to edit install script to tell curl use --insecure option as it refused to get anything due to wrong server certificate, keeping endlessly retrying
> MeshAgent -fullinstall --LocalConsent=8
> or it can be specified in the .msh file like:
> LocalConsent=8
Is there a place where I can see all possible agent parameters?
Would be something good to put in the docs
> Oh, I went via "Invite" route - as it lets easily share link with distant friends. Thank you!
> Unfortunately compiled binaries don't work for me:
> ~/meshcentral$ ./meshagent
> timeout
> ~/meshcentral$ ./meshagent -info
> Compiled on: 10:22:20, Apr 4 2022
> Commit Hash: 2fc1af473a96b5ad64011fd0575cfa15ee36d769
> Commit Date: 2022-Apr-2 20:45:45-0700
> Using OpenSSL 1.1.1l 24 Aug 2021
> Agent ARCHID: 6
> Detected OS: Debian GNU/Linux 10 (buster) - x64
> I tried both - "Interactive Only" and "Background & Interactive" variants, the only difference (as expected) is that B&I asks for sudo.
When you say it doesn't work, what does it do when you try to run it?
> When you say it doesn't work, what does it do when you try to run it?
As I posted the output above: it just prints "timeout" and returns to console prompt, no GUI, no other messages. Are there any log options to investigate further?
I'll do some testing on my Buster test machine. Which window manager are you using? Normally it tries to use zenity or kdialog depending on what it detects. I've heard on some distros it didn't correctly detect zenity which might be what's going on with your system.
I'll test on a vanilla buster. If you install zenity, does it work?
Oh, also... Where are you running it from? You aren't running it from an ssh tunnel, or some other non graphical session, are you? I remember the last time I saw this issue, was because they tried to launch it from an ssh session. It needs to be launched from a graphical session, such as terminal on the actual desktop.
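The checks raised in the comments above (a graphical session, a readable X authority file, no SSH session, zenity or kdialog available), gathered into one pre-flight function. This is an added example, not part of the thread or of MeshAgent; the function name is hypothetical, and falling back to ~/.Xauthority when XAUTHORITY is unset is the usual X11 default, assumed here.

```shell
#!/bin/sh
# Added example: pre-flight checks before launching the interactive agent dialog.
# Prints one line per failed check and returns the number of failed checks.
gui_preflight() {
    failures=0

    # 1. An X display must be set for a dialog to appear.
    if [ -z "${DISPLAY:-}" ]; then
        echo "DISPLAY is not set: this is not a graphical session"
        failures=$((failures + 1))
    fi

    # 2. The X authority file must be readable by the current user.
    #    Assumption: ~/.Xauthority is used when XAUTHORITY is unset.
    xauth_file=${XAUTHORITY:-$HOME/.Xauthority}
    if [ ! -r "$xauth_file" ]; then
        echo "X authority file is not readable: $xauth_file"
        failures=$((failures + 1))
    fi

    # 3. OpenSSH sets SSH_CONNECTION / SSH_TTY inside remote sessions.
    if [ -n "${SSH_CONNECTION:-}${SSH_TTY:-}" ]; then
        echo "running inside an SSH session: launch from a desktop terminal"
        failures=$((failures + 1))
    fi

    # 4. The thread says the agent uses zenity or kdialog for its dialog.
    if ! command -v zenity >/dev/null 2>&1 &&
       ! command -v kdialog >/dev/null 2>&1; then
        echo "neither zenity nor kdialog was found in PATH"
        failures=$((failures + 1))
    fi

    return "$failures"
}

# Usage: gui_preflight && ./meshagent
```

A clean result only rules out these environmental causes.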
> Which window manager are you using?
It's MATE DE, so I believe WM should be marco, since I didn't change the default one
> I'll test on a vanilla buster. If you install zenity, does it work?
I checked - the latest available zenity 3.30.0-2 is already installed. Sure I run agent from mate-terminal in X/GUI environment
Ok, I'll set up buster with mate, and see what I find.
Ok, I setup Buster with Mate, and it seems to work fine... So let's try this:
run the following command from your Mate Terminal:
./meshagent -exec "console.log(require('user-sessions').consoleUid());process.exit();" --no-embedded=1
then subbing 1000 with whatever the UID is in the following command:
./meshagent -exec "console.log(require('monitor-info').getXInfo(1000));process.exit();" --no-embedded=1
What does it say for xauthority and display?
@krayon007, thank you!
> run the following command from your Mate Terminal:
> ./meshagent -exec "console.log(require('user-sessions').consoleUid());process.exit();" --no-embedded=1
Output is:
1000
> then subbing 1000 with whatever the UID is in the following command:
> ./meshagent -exec "console.log(require('monitor-info').getXInfo(1000));process.exit();" --no-embedded=1
> What does it say for xauthority and display?
It outputs:
{ tty: ?, xauthority: /home/ais/.Xauthority, display: :0, exportEnv: function exportEnv() { [ecmascript code] }, xdm: meshagent }
Does it help? Just in case - I tried to run sudo ./meshagent => result is the same: "timeout"
How about this command:
./meshagent -exec "require('message-box').create('Title', 'Caption').finally(function() {process.exit();});" --no-embedded=1
Does that show a dialog box?
what if you just do:
echo $DISPLAY $XAUTHORITY
> ./meshagent -exec "require('message-box').create('Title', 'Caption').finally(function() {process.exit();});" --no-embedded=1
> Does that show a dialog box?
Yes, with "Title" header, "Caption" text and two buttons "Yes", "No".
> what if you just do: echo $DISPLAY $XAUTHORITY
output is
:0 /home/ais/.Xauthority
Ok, so that means the underlying plumbing works correctly on your system. Something in the detection logic is screwing up. Let me get back to you with some other things you can try, so we can figure this out.
An UPDATE: I tested precompiled agent binary on several Debian 10 MATE systems (64 and 32 bit) and it seems that "timeout" issue appears only there - when run in LXDE (64) environment dialog window came up and I successfully tested connection.
@krayon007 you confirm that in your tests agent works in MATE, could be our versions different somehow? All systems I tested with are fresh-updated despite they are Debian 10 ones
Ok, try this command, and let me know the output.
./meshagent -exec "console.log(require('message-box').kdialog, require('message-box').zenity, require('message-box').zenity.extra);process.exit();" --no-embedded=1
On my MATE/Buster system, this is the output:
undefined, { path: /usr/bin/zenity, timeout: true }, true
The same output on mine:
undefined, { path: /usr/bin/zenity, timeout: true }, true
Ok, how about this command:
./meshagent -exec "require('message-box').create('Test', 'Message', 9999, ['Button1', 'Button2', 'Button3']).finally(function () { process.exit() });" --no-embedded=1
Immediately shows box titled "Test" with "Message" content and three buttons on the bottom. BTW, if it could help - I'm ready to arrange live session giving you access to affected MATE system via TeamViewer, just let me know. Thank you again for your inestimable support.
That would be super useful. So far I have no idea why it's not working on your system, as everything appears like it works, so not sure what's going on. Debugging it live, might be the only way to get to the bottom of this.
You can email me the details, by clicking on my profile.
e-mail sent, thank you!
Is there any chance that Assistant for Linux will show up? Things with AV compliance and family/friends support became really a lot easier after introducing Assistant which dissolved any doubts in MC as uncontrolled by user spy tool for admin. But only for Windows at the moment, which is a pity...