Can't get "Simple port binding" from docs to work

User Support General
1

Hi,

I have 2 qubes:

B: AppVM which I want to connect to A via SSH

XY: On a 4K screen, even double-sized fonts of a console-only standalone look way too small and I have no other choice but to access it through an AppVM.

I know how to do this using a firewall rule - it works fine. I am trying to do it “the Qubes way” though. So, I am following the doc.

In dom0 in /etc/qubes/policy.d/30-user-networking.policy I add:

qubes.ConnectTCP * B @default allow target=A

In B:

user@B:~ > qvm-connect-tcp 22:@default:22
Binding TCP '@default:22' to 'localhost:22'...

However, SSH to A does not work:

user@B:~ > ssh -vvv <Qubes_IP_address_of_A>
OpenSSH_9.2p1 Debian-2+deb12u3, OpenSSL 3.0.14 4 Jun 2024
...
debug3: set_sock_tos: set socket 3 IP_TOS 0x10

No connection.

I also monitored sudo journalctl -f in both dom0 and B - nothing, no messages.

What am I missing?

2

you need to ssh localhost as you expose Qube A port 22 on Qube B port 22, so you need to connect to localhost port 22 :slight_smile:

3

You can change the font size in xterm:
Ctrl + Right mouse click in the xterm window → enable TrueType fonts
Ctrl + Right mouse click in the xterm window → enable Enormous

4

you need to ssh localhost as you expose Qube A port 22 on Qube B port 22, so you need to connect to localhost port 22 :slight_smile:

This gives:

Request refused
2024/10/08 15:49:27 socat[1112] E waitpid(): child 1113 exited with status 126
kex_exchange_identification: Connection closed by remote host
Connection closed by 127.0.0.1 port 22
5

@apparatus

There is no xterm. This is a console-only installation (not from a template but stock Debian).

6

can you try to run the qvm-connect-tcp command as sudo ? As socat tries to bind on port 22, it should be forbidden for non root users because the port is under 1024.

If that doesn’t work better, try to open the port 22 in the firewall, I don’t think it should create troubles on localhost but maybe

7

You can still connect to the console of a qube not based on a template using qvm-console-dispvm qubename in dom0, it’ll open xterm in a disposable.

8

can you try to run the qvm-connect-tcp command as sudo ? As socat tries to bind on port 22, it should be forbidden for non root users because the port is under 1024.

But the doc clearly shows it should be done as user? I don’t see any error message when running qvm-connect-tcp as user. I hope you can clarify your idea.

9

@apparatus

user@dom0:~ >  qvm-console-dispvm --autostart A
$dispvm:default-mgmt-dvm: Start failed: XML error: maximum memory size must be equal or greater than the actual memory size, see /var/log/libvirt/libxl/libxl-driver.log for details
Traceback (most recent call last):
...

user@dom0:~ >  qvm-prefs debian-9 | grep mem
maxmem                -  16384
memory                -  8192
10

can you try to run the qvm-connect-tcp command as sudo ?

Same result.

11

If that doesn’t work better, try to open the port 22 in the firewall, I don’t think it should create troubles on localhost but maybe

Same result.

12

You are getting “Request refused”, are you sure your policy file is properly linted?

13

Is A - a qube based on a template or your standalone qube not based on a template?
The qvm-connect-tcp only works between qubes based on a template (with Qubes tools installed).
I’ve tried in between two app qubes based on a debian-12-xfce template and it worked for me even without sudo.

The error is about disposable qube based on a default-mgmt-dvm disposable template so check the default-mgmt-dvm memory settings.

14

You are getting “Request refused”, are you sure your policy file is properly linted?

user@V:~ > ssh -vvv localhost
OpenSSH_9.2p1 Debian-2+deb12u3, OpenSSL 3.0.14 4 Jun 2024
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/user/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/user/.ssh/known_hosts2'
debug2: resolving "localhost" port 22
debug3: resolve_host: lookup localhost:22
debug3: ssh_connect_direct: entering
debug1: Connecting to localhost [::1] port 22.
debug3: set_sock_tos: set socket 3 IPV6_TCLASS 0x10
debug1: connect to address ::1 port 22: Connection refused
debug1: Connecting to localhost [127.0.0.1] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/user/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519_sk type -1
debug1: identity file /home/user/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/user/.ssh/id_xmss type -1
debug1: identity file /home/user/.ssh/id_xmss-cert type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3
Request refused
2024/10/08 17:04:43 socat[1043] E waitpid(): child 1044 exited with status 126
kex_exchange_identification: Connection closed by remote host
Connection closed by 127.0.0.1 port 22

user@dom0:~ >  sudo cat /etc/qubes/policy.d/30-user-networking.policy
qubes.ConnectTCP * B @default allow target=A
15

Is A - a qube based on a template or your standalone qube not based on a template?

Qube A is a standalone based on stock Debian 9 (not template).

The qvm-connect-tcp only works between qubes based on a template (with Qubes tools installed).

I guess this is the key factor which the doc does not mention. Thanks for the tip!

I’ve tried in between two app qubes based on a debian-12-xfce template and it worked for me even without sudo.

Thanks for this info.

The error is about disposable qube based on a default-mgmt-dvm disposable template so check the default-mgmt-dvm memory settings.

Oh, indeed! I have been getting this error recently for many qubes. It seems the most recent updated messed up many qubes and all “problematic” ones now have maxmem=memory and memory balancing ON. Not sure why this is happening.

After fixing this, I can open a console to A.

So, I guess the possibilities are:

  • SSH with a qvm-firewall rule
  • qvm-console-dispvm

I wish there was a way to scale standalones.

16

did you start ssh server on the remote? (just to be sure :wink: )

17

did you start ssh server on the remote? (just to be sure :wink: )

Surely sure :slight_smile:

1 Like
18

This is the reason for all the problems with the standalone.

19

This is the reason for all the problems with the standalone.

If you know a way to install Debian 9 template in 4.2.3, I am very interested.

20

No, sorry, I don’t know how… I keep my templates up-to-date and never had to install an old version in a newer Qubes release.
On the other hand, as you wrote in the first comment, you know how to tweak the firewall and allow direct SSH to this standalone. I’d call that a win and spend my energy in pursue of other quests.