Ssh between Whonix 18 workstations after upgrading to 4.3

scallyob · February 17, 2026, 9:55pm

I had setup qrexec to send data between two Standalone Whonix workstations as described here: https://tor.stackexchange.com/questions/13522/how-to-configure-whonix-gateway-for-communication-between-two-local-workstations

Since updating to Whonix 18 and Qubes 4.3 this is not working.

I’ve confirmed in dom0 /etc/qubes/policy.d/30-user-policy has in it:
local.ssh * vm1 vm2 allow

In vm2 /etc/qubes-rpc/local.ssh contains:
exec socat STDIO TCP-CONNECT:localhost:22

In vm1 /etc/ssh/ssh_config I had to readd:

Host vm2
         ProxyCommand qrexec-client-vm %h local.ssh

After doing so I get this error when trying to connect via ssh user@vm2:

2026-02-17 21:36:07.343 qrexec-fork-server[46150]: exec.c:165:exec_qubes_rpc2: execve: Exec format error
Connection closed by UNKNOWN port 65535
zsh: exit 255   ssh user@vm2

ssh -vvv user@vm2 gives:

debug1: OpenSSH_10.0p2 Debian-7, OpenSSL 3.5.4 30 Sep 2025
debug3: Running on Linux 6.12.64-1.qubes.fc41.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Jan 10 21:51:22 UTC 2026 x86_64
debug3: Started with: /usr/bin/ssh -vvv user@vm2
debug1: Reading configuration data /home/user/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 19: Including file /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf
debug3: /etc/ssh/ssh_config line 19: Including file /etc/ssh/ssh_config.d/30_security-misc.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/30_security-misc.conf
debug1: /etc/ssh/ssh_config.d/30_security-misc.conf line 13: Applying options for *
debug3: kex names ok: [sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org]
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug3: kex names ok: [curve25519-sha256,ecdh-sha2-nistp521]
debug1: /etc/ssh/ssh_config line 56: Applying options for vm2
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/user/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/user/.ssh/known_hosts2'
debug3: channel_clear_timeouts: clearing
debug1: Executing proxy command: exec qrexec-client-vm vm2 local.ssh
debug1: identity file /home/user/.ssh/id_rsa type 0
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/user/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519 type 3
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519_sk type -1
debug1: identity file /home/user/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/user/.ssh/id_xmss type -1
debug1: identity file /home/user/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_10.0p2 Debian-7
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535
zsh: exit 255   ssh -vvv user@vm2

marmarek · February 17, 2026, 10:08pm

It’s missing the script shebang: #!/bin/sh.

scallyob · February 17, 2026, 10:13pm

That worked. Funny it was working before without that.