Remote Control Question


Stuart Perkins

Apr 28, 2018, 8:50:21 PM
to qubes-users
Hi list.

I'm considering setting up a Qubes-capable server at my home. What I need, however, is to be able to remotely control it. Updates...reboot/stop/start system and app VMs etc. Is this even possible with Qubes? I currently run an Ubuntu-powered old laptop as a "server" and have it hosting a couple of VMs with VirtualBox. I can ssh into it and even have an sshuttle setup for VPN over SSH functionality for when I need to do something "gui" remotely. One of my VMs is an old XP system which monitors my solar electric. One is an Ubuntu install hosting a Drupal website. One is also installed which is a full-blown VPN server for when I need to do more than just simple things...I rarely use this one.

I will be upgrading my "server" hardware to a real server class platform one of these days, and I would like something specific to running independent VMs, but the remote maintenance might be a Qubes eliminating need...

Anybody here attached a remote console to dom0 before, or does it so completely violate the philosophy of Qubes that it is an absolute no-way-in-hell thing?

Stuart

Ed

Apr 29, 2018, 10:39:36 AM
to qubes...@googlegroups.com
Hi Stuart,

Philosophies aside, you can do whatever you want :) Adding networking
to dom0 is certainly defeating a lot of the hard work/security that went
into Qubes. If you wanted to go this route you might consider just
running Xen directly? Especially if you are putting this in your
closet/basement?

There is another issue however, aside from just giving dom0 network
access, and that's the LUKS password. If you needed to reboot the
machine entirely from remote, you'd be stuck if you had LUKS encryption
on the disk with no way to enter it remotely.

Unless.... you do what I did, and hook up a Raspberry Pi to the serial
console of my machine, and update the kernel boot line in grub to use
the serial console (Note: This REQUIRES you to use the serial console to
enter the LUKS password, you lose the ability to enter it from your
keyboard locally).

Stating the obvious, if someone gets access to the Raspberry Pi I'd be
in a bit of trouble, though as long as I remember to log out of the
shell at the serial console on the Pi, someone compromising that machine
does not immediately give them access to the Qubes box, they would have
to guess my password or wait for me to log back in and enter it if I
didn't know they were there and they could capture it. I run OSSEC on
this Pi to help combat that issue.

Also considering defense in depth, I can only access that Raspberry Pi
via VPN, I do NOT expose it directly to the internet, it also sits on
its own VLAN which I leave isolated, so when I do have to do remote
administration I first have to grant access to that VLAN from my router
console.

So at the end of the day, less secure? Yes. Added convenience? Yes.
Added complexity? Yes...

You can draw the line wherever you want :)

Ed
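
Added example, not part of Ed's post and not Qubes project code: a pre-reboot check for the serial-console setup described above. The kernel makes the last `console=` argument its `/dev/console`; the script assumes the initramfs asks for the LUKS passphrase there, and the function names and sample command lines are constructed for illustration.

```shell
#!/bin/sh
# primary_console CMDLINE
# Print the device named by the last console= argument, which the kernel
# uses as /dev/console. Prints "default" when no console= is given.
# The body runs in a subshell so "set -f" and the variables stay local.
primary_console() (
    set -f                       # no glob expansion while splitting
    last=default
    for arg in $1; do
        case $arg in
            console=*)
                dev=${arg#console=}
                last=${dev%%,*}  # drop options such as ",115200n8"
                ;;
        esac
    done
    printf '%s\n' "$last"
)

# prompt_location CMDLINE
# Classify where the operator has to type the passphrase.
prompt_location() {
    case $(primary_console "$1") in
        ttyS*|ttyUSB*|ttyAMA*) echo serial ;;
        hvc*)                  echo hypervisor ;;  # Xen dom0: follows Xen's own console= option
        *)                     echo local ;;
    esac
}

# Constructed sample command lines (placeholders, not values from the thread).
SERIAL_LAST='root=/dev/mapper/vg-root rd.luks.uuid=luks-PLACEHOLDER console=tty0 console=ttyS0,115200n8'
LOCAL_LAST='root=/dev/mapper/vg-root rd.luks.uuid=luks-PLACEHOLDER console=ttyS0,115200n8 console=tty0'
NO_CONSOLE='root=/dev/mapper/vg-root rd.luks.uuid=luks-PLACEHOLDER quiet'

# With --live, report on the kernel command line of the running system.
if [ "${1:-}" = "--live" ] && [ -r /proc/cmdline ]; then
    prompt_location "$(cat /proc/cmdline)"
fi
```

A result of `local` on a machine that is only reachable through its serial line means a reboot will wait at a passphrase prompt nobody can reach remotely.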

Stuart Perkins

Apr 30, 2018, 8:58:32 AM
to qubes...@googlegroups.com
Thanks for the detailed answer. I may consider a straight up Xen hypervisor host for those reasons. Physical compromise is unlikely. I have no neighbors...at least none who would care to hack my computer system. The only one even remotely capable is a trusted friend...who I would call to physically touch something if needed.

799

Apr 30, 2018, 9:04:31 AM
to Stuart Perkins, qubes...@googlegroups.com
Hello Stuart,


Stuart Perkins <perkins...@gmail.com> wrote on Mon, 30 Apr 2018, 14:58:

>> I'm considering setting up a Qubes-capable server at my home.  What I need, however, is to be able to remotely control it. Updates...reboot/stop/start system and app VMs etc.  Is this even possible with Qubes?  I currently run an Ubuntu-powered old laptop as a "server" and have it hosting a couple of VMs with VirtualBox.

Depending on the hardware you can completely remotely administer the server using Intel AMT.
It allows you to remotely control the hardware even when the device is switched off but connected to the LAN.
Using AMT you can open up a VNC connection to the server.
AMT will allow you to remotely control and restart a server even if it has crashed into a blue/purple screen.

This technology is the reason that some people are flashing their BIOS (Coreboot) in order to get rid of this piece of software.
I am using AMT with my corporate Q laptop which runs Qubes OS.
On my 2nd laptop, an X230, I am running Coreboot to get rid of AMT.

[799]

Manuel Amador (Rudd-O)

May 5, 2018, 10:06:07 PM
to Stuart Perkins, qubes-users
On 2018-04-29 00:50, Stuart Perkins wrote:
> Hi list.
>
> I'm considering setting up a Qubes-capable server at my home. What I need, however, is to be able to remotely control it. Updates...reboot/stop/start system and app VMs etc. Is this even possible with Qubes? I currently run an Ubuntu-powered old laptop as a "server" and have it hosting a couple of VMs with VirtualBox. I can ssh into it and even have an sshuttle setup for VPN over SSH functionality for when I need to do something "gui" remotely. One of my VMs is an old XP system which monitors my solar electric. One is an Ubuntu install hosting a Drupal website. One is also installed which is a full-blown VPN server for when I need to do more than just simple things...I rarely use this one.
>
Search for ansible-qubes on GitHub or Google.  Then search for
qubes-network-server on GitHub or Google.

I have your setup.  It ain't remote console, but it lets you do
everything you want (low-level) from another machine.

--
Rudd-O
http://rudd-o.com/
