Safely make running .BAT script accessible via SSH/Telnet

1

Before I start, I'd like to say that what I'll describe here is being done using consumer grade electronics and personal computers, not proper server hardware.

My Windows 10 machine runs a Minecraft Server inside a Command Prompt window via a Batch script.

I start the batch script to start the Server then I type stop inside the window to tell Minecraft to save data and stop the server safely, which will subsequently cause the Batch script to stop and the window to close.

The other administrators and I want to be able to control this server remotely, preferably via either SSH or Telnet, whichever is easier to set up. I want to give the admins 100% trust over the Minecraft Server (meaning the shell of the server, during the bat file execution), but no more than that, i.e. I don't want them to be allowed to access my Windows PC command-line outside the batch shell, which they should be authorized to interact with via SSH/Telnet as described before.

Hence, a session should look like, for example:

## they connect
> gamemode 0 someone
[timeanddate] timeanddate [Server]: Set gamemode for player someone to survival
> stop
[timeanddate] timeanddate [Server]: Saving chunks... (et cetera)
## session ends, they get disconnected

This means they should not be able to access the Windows CMD except for that specific process, if it exists (sometimes the server is down for maintenance and stuff).

Would it be possible to do such a thing? If yes, how?

Manchineel

Posted 2017-11-22T14:00:07.660

Reputation: 479

You might have to get creative here and restrict and make the batch do a self check or something when it runs with a loop and wait or pause every so many seconds. You then give the SSH account that authenticates access to only delete or create a file in the same folder (home folder) and only folder it has access. You then have them simply use the commands to delete or create the file, and the batch script will check every one minute, etc. and it does or does not exist, stop or start based on that and have them have a way to check if it's running or not externally from that from another machine – Pimp Juice IT – 2017-11-23T17:36:34.707

Check out this post where this person controlled batch script logic based on condition of file existing or not and it doing whatever based on how that logic is put together. https://superuser.com/questions/1242506/trigger-an-action-on-a-windows-machine-from-an-android-phone-via-network/1243112#1243112. You would obviously put a simple loop check in the batch rather than using Task Scheduler I suppose unless you want to use Task Scheduler and have it check every 1 minute, etc.

– Pimp Juice IT – 2017-11-23T17:43:40.457

@TheFurryITSnuggleBuddy but how would I have the user connect to SSH, then have immediate access to the screen of the process and, once he/she either disconnects or the process ends, close the connection without allowing them to control the machine any further? And most importantly, once they do disconnect, how would they resume the session (in Linux I'd have used 'screen' for instance)? – Manchineel – 2017-11-26T14:52:47.630

I don't have time to test anything to tell you with 100% certainty that such a solution would or would not work, but I was just giving that as an example of something to consider, play with, test, etc. if you have time & think it's worth the effort. I suppose consider putting the batch logic in place to take the appropriate action based on a file being there or not & starting the session. Perhaps it would not be 100% SSH or they'd have to access SSH 1 connect to do something with the file, and then SSH 2 connection based on whatever you did with the file, etc. in SSH 1 to establish the other. – Pimp Juice IT – 2017-11-26T16:14:04.573

Get creative if you have time and test some of the ideas out but you'd likely need "another" process running that checks to connect a session (you can then connect to), disconnect a session, etc. so you can "resume" the session. You are using Windows 10 and batch so perhaps you could use task scheduler and schedule something to check every 1 minute, 5 minutes, etc. based on whether or not a file is where the logic checks for it. I'm sure I could get something to work and write up a solid answer but I don't have time to do so right now. – Pimp Juice IT – 2017-11-26T16:16:02.290

Would using PowerShell remote sessions help? @TheFurryITSnuggleBuddy – Manchineel – 2017-11-27T12:35:52.913

It might but I just cannot confirm myself but anything you read up on that seems like it may fit your need, I would definitely take a stab at doing some quick testing. I'm not sure about the requirement regarding the restriction of the terminal window being confined to only batch script or whatever so that seems like the tricky part to me why I suggested thinking creatively or having another process that controls to allow something to either START or STOP and maybe have the batch terminal log to a file that others have read access. Probably many ways to go about it just short on time still. – Pimp Juice IT – 2017-11-27T17:35:28.307

So while you can grant them read access to a log and access to delete or create a file only in one folder, then maybe you could get the expected result sort of in a workaround type way. I may be overthinking too which would not surprise me. If I get time later in the week after this huge database project I'm working on concludes if you don't have something by then. If you make any progress, please let me know what you determined with anything whether it is full working, half way working or whatever. – Pimp Juice IT – 2017-11-27T17:37:53.563

@TheFurryITSnuggleBuddy thank you very much. I'll be experimenting with PowerShell – Manchineel – 2017-11-27T21:32:56.830

Any news on your solution by chance? – Pimp Juice IT – 2017-12-14T23:33:27.823

@ITSnuggles sorry, I've experienced a drive failure in the meantime. I'm almost done recovering data and configuration – Manchineel – 2017-12-16T11:11:53.700

No answers
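
The flag-file approach suggested in the comments, as an added PowerShell example (not code from the thread): a supervisor run under the owner's account starts the server while the flag file exists and types `stop` into the server console when the file is deleted, so the remote account never gets a shell on the process. The folder paths, file names and the `java -jar server.jar nogui` launch line are assumptions, and the restricted SSH account's permissions (create/delete on the flag, read on the log) are set up separately.

```powershell
# Added example, not from the thread. Paths and the launch line are assumptions.
$ServerDir = 'C:\Minecraft'              # assumed folder containing server.jar
$Flag      = 'C:\McControl\run.flag'     # SSH account may only create/delete this file
$Log       = 'C:\McControl\console.log'  # SSH account gets read-only access
$PollSecs  = 60                          # "check every one minute", as in the comments
$StopWait  = 120000                      # ms to wait for a clean shutdown

function Start-Server {
    # cmd.exe appends the server console output to the log; the redirected
    # stdin pipe is inherited by java, so the supervisor can type into it.
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName              = $env:ComSpec
    $psi.Arguments             = "/c java -jar server.jar nogui >> `"$Log`" 2>&1"
    $psi.WorkingDirectory      = $ServerDir
    $psi.UseShellExecute       = $false
    $psi.RedirectStandardInput = $true
    $psi.CreateNoWindow        = $true
    return [System.Diagnostics.Process]::Start($psi)
}

$server = $null
while ($true) {
    $running = ($null -ne $server) -and (-not $server.HasExited)
    $wanted  = Test-Path -LiteralPath $Flag

    if ($wanted -and -not $running) {
        if ($null -ne $server) {
            # The server ended on its own (in-game stop or crash): clear the
            # flag so the file keeps reflecting the real state.
            Remove-Item -LiteralPath $Flag -Force
            $server = $null
        } else {
            $server = Start-Server
        }
    } elseif (-not $wanted -and $running) {
        # Flag deleted by an admin: ask Minecraft to save and shut down.
        $server.StandardInput.WriteLine('stop')
        if ($server.WaitForExit($StopWait)) {
            $server = $null
        } else {
            Write-Warning 'Server still running after stop; retrying next poll.'
        }
    } elseif (-not $wanted) {
        $server = $null   # stopped and not wanted: nothing to do
    }
    Start-Sleep -Seconds $PollSecs
}
```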