Running sshd on an AppVM


tetra...@danwin1210.me

Feb 17, 2020, 3:17:40 AM
to qubes...@googlegroups.com
I need to set up a reverse SSH tunnel -- where a remote machine, behind a
firewall, connects to my local machine, running sshd.

The documentation for exposing a VM port to the outside world is clear
enough.

But sshd doesn't appear to be installed on any template, nor does it
appear to be installable (`dnf search sshd` only returns apache-sshd).

No documentation mentions sshd. There are references to sshd in the
qubes-users archive that indicate sshd used to be available. But it
seems to be no longer available.

How do I set up an SSH server on my AppVM?

dhorf-hfre...@hashmail.org

Feb 17, 2020, 3:28:42 AM
to tetra...@danwin1210.me, qubes...@googlegroups.com
On Mon, Feb 17, 2020 at 08:16:32AM +0000, tetrahedra via qubes-users wrote:
> But sshd doesn't appear to be installed on any template, nor does it
> appear to be installable (`dnf search sshd` only returns apache-sshd).

the pkg is called "openssh-server".
after installing it in the template, i recommend to
"systemctl disable sshd" in the template (so it won't run in all appvms).

note you may need some appvm-rc.local addon to keep a static
host key with your appvm:

cp -pf /rw/sshd/* /etc/ssh/
chgrp ssh_keys /etc/ssh/*key


> How do I set up an SSH server on my AppVM?

i deviate from the regular "how to do portforwards with qubes" for
this and have a qubes-rpc service that basically just does
"exec sudo sshd -i" in the target vms, then do a socat/systemdsocket
bounce to the rpc service straight from sys-net.
that way the "messing with firewalls" is limited to exactly one INPUT
rule in sys-net, plus one qubes-rpc policy, and there are no
perma-running services in the target vm at all!
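
The layout described in the message above, sketched as an added example that is not part of the thread or the poster's own configuration. It only writes the three pieces into a scratch directory for review; the service name `user.Sshd`, the function `stage_sshd_rpc`, the file `sshd-bounce.sh` and the Qubes 4.0-style policy file (one "source target action" line) are assumptions.

```shell
# Added illustration: stages the pieces of the qrexec-based sshd setup into a
# scratch directory. Nothing is installed on a live system.
# Hypothetical names: user.Sshd, stage_sshd_rpc, sshd-bounce.sh, staging layout.
# Assumed: Qubes 4.0-style policy file in dom0.
stage_sshd_rpc() {
    out=$1 target=$2 port=$3
    # Both values end up inside a generated script, so accept only a plain
    # VM name and a numeric port.
    case $target in ''|*[!A-Za-z0-9_-]*) return 2 ;; esac
    case $port in ''|*[!0-9]*) return 2 ;; esac
    mkdir -p "$out/target-vm/etc/qubes-rpc" \
             "$out/dom0/etc/qubes-rpc/policy" \
             "$out/sys-net/rw/config" || return 1

    # 1. Target AppVM: the RPC service. qrexec connects the caller's stream
    #    to stdin/stdout, which is what sshd's inetd mode (-i) expects.
    #    sshd has to be started by absolute path.
    cat > "$out/target-vm/etc/qubes-rpc/user.Sshd" <<'EOF'
#!/bin/sh
exec sudo /usr/sbin/sshd -i
EOF
    chmod 0755 "$out/target-vm/etc/qubes-rpc/user.Sshd"

    # 2. dom0: the one policy line. Only sys-net may call the service, and
    #    only on this target; a call matching no line is refused.
    printf '%s %s allow\n' sys-net "$target" \
        > "$out/dom0/etc/qubes-rpc/policy/user.Sshd"

    # 3. sys-net: the one INPUT rule, plus a socat listener that hands each
    #    TCP connection to the RPC service in the target VM.
    cat > "$out/sys-net/rw/config/sshd-bounce.sh" <<EOF
#!/bin/sh
iptables -I INPUT -p tcp --dport $port -j ACCEPT
exec socat TCP-LISTEN:$port,fork,reuseaddr EXEC:"qrexec-client-vm $target user.Sshd"
EOF
    chmod 0755 "$out/sys-net/rw/config/sshd-bounce.sh"
}

# Stand-alone use: sh stage.sh ./staging work 2222
if [ "$#" -eq 3 ]; then
    stage_sshd_rpc "$1" "$2" "$3"
fi
```

With this layout sshd runs only for the lifetime of each connection, and the dom0 policy line is the single place that decides which qube may reach it.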



tetra...@danwin1210.me

Feb 17, 2020, 4:00:06 AM
to qubes...@googlegroups.com
On Mon, Feb 17, 2020 at 08:16:32AM +0000, tetrahedra via qubes-users wrote:
Answering my own question:
the package is `openssh-server` (on both Fedora and Debian). It looks
like only debian's `apt-search` will search the binary names, fedora's
`dnf search` appears not to.

dhorf-hfre...@hashmail.org

Feb 17, 2020, 4:03:30 AM
to tetra...@danwin1210.me, qubes...@googlegroups.com
On Mon, Feb 17, 2020 at 08:59:18AM +0000, tetrahedra via qubes-users wrote:
> like only debian's `apt-search` will search the binary names, fedora's
> `dnf search` appears not to.

dnf whatprovides sshd



tetra...@danwin1210.me

Feb 24, 2020, 10:00:07 AM
to dhorf-hfre...@hashmail.org, qubes...@googlegroups.com
Did not know about that!

tetra...@danwin1210.me

Feb 24, 2020, 10:01:59 AM
to dhorf-hfre...@hashmail.org, qubes...@googlegroups.com
On Mon, Feb 17, 2020 at 09:28:37AM +0100, dhorf-hfre...@hashmail.org wrote:
>> How do I set up an SSH server on my AppVM?
>
>i deviate from the regular "how to do portforwards with qubes" for
>this and have a qubes-rpc service that basically just does
>"exec sudo sshd -i" in the target vms, then do a socat/systemdsocket
>bounce to the rpc service straight from sys-net.
>that way the "messing with firewalls" is limited to exactly one INPUT
>rule in sys-net, plus one qubes-rpc policy, and there are no
>perma-running services in the target vm at all!

Very nice!

Steve Coleman

Feb 24, 2020, 10:48:59 AM
to qubes...@googlegroups.com
On 2/24/20, tetrahedra via qubes-users <qubes...@googlegroups.com> wrote:
> On Mon, Feb 17, 2020 at 10:03:26AM +0100, dhorf-hfre...@hashmail.org
> wrote:
>>On Mon, Feb 17, 2020 at 08:59:18AM +0000, tetrahedra via qubes-users
>> wrote:
>>> like only debian's `apt-search` will search the binary names, fedora's
>>> `dnf search` appears not to.

Fyi - The dnf command does search for binaries, but you need to use
the full path, or a wildcard path, for it to work correctly.

e.g.
$ sudo dnf search '*/sshd'

will return the package that will install the 'sshd' binary.