Ssh to dom0

ssh1 · May 24, 2026, 5:41am

hi, i looked around and searched for threads but didn’t find anything too relevant (not interested in vnc or rdp)

can i setup ssh to dom0 from LAN, then use salt or qvm-run to manage appvms from dom0? i don’t need GUI, but shell is nice (qvm-run -p APPVM bash might not be best experience)

how risky is this? there are no targeted attacks, will only be used on small home network, i suppose it is as safe as ssh is and the appvm connecting?

and i will ssh from another qubes machine from a trusted appvm

is it supported and is there maybe community guide to set it up?

KitsuneNoBaka · May 24, 2026, 6:01am

dom0 is not connected to network. Unless you disable sys-net and sys-firewall and make dom0 as network service for all qubes.

ssh1 · May 24, 2026, 6:17am

what about qvm-connect-tcp?

balder86 · May 24, 2026, 8:35am

Since you are breaking the security model. Why not use something more comfortable as a network VM host like proxmox?

Atrate · May 24, 2026, 9:19am

This would probably be the way, but it really is hardly worth it to increase your attack surface so significantly.

unman · May 24, 2026, 10:07am

You would do better to set up an admin qube, and ssh in to that.
This would give you better control over what is exposed to the network,
and what capabilities are available there, while minimising the major
risk in exposing dom0.
The capability for this was first detailed almost 10 years ago, but is
still little known. Read the original post here

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

qubist · May 24, 2026, 3:47pm

@unman

You would do better to set up an admin qube, and ssh in to that.

What is the difference between admin qube and dom0? This is the first time I read there can be a second admin VM.

parulin · May 24, 2026, 4:10pm

You can use policies to restrict the admin qube to be able to do only a subset of operations on specific qubes.

qubist · May 24, 2026, 6:26pm

Sure. But it is impossible to qvm-prefs my-admin-qube klass AdminVM, so I was confused if he meant something like a second dom0 or anything else.

otter2 · May 24, 2026, 6:56pm

I don’t think it is possible to have a second dom0 with current xen: Dom0 - Xen

Does it mean that adminvm is a domu with a tap into xen control mechanism? Kind of like root vs sudoer?

parulin · May 25, 2026, 7:00am

… and I think I confused the “admin qube” with a “management qube”.

unman · May 25, 2026, 11:16am

Thanks to you and @qubist for confirming that this is a sadly neglected
feature of Qubes. I provided a link to the first description in my post.

It is not possible to have a second dom0. It is possible to have a
second/third/fourth admin qube. This is a qube that you create and which
you configure to be able to manage and control aspects of your Qubes
system. These qubes are not of KLASS AdminVM.
This is not necessarily the same as a management qube. Check the
glossary. (The original new post was not clear about this.)

Once you have set up such a qube, you can access it from the network.
You specify in policy files what qubes you want to control, and exactly
what you want to be able to do with them. (At one end would be complete
control and access to all qubes on the system, at another, limited
access to a single qube.)

Naturally, you do not need to make the admin qube externally available
at all. This is useful when working with new salt or ansible features
that are not yet ready for deployment in dom0.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

qubist · May 25, 2026, 6:33pm

@unman

What about e.g. a service running in dom0 that monitors for specific requests generated by the “admin qube” and executing them? Seems simpler to me (assuming one can write the short scripts about it). It can be as simple as a text file in the “admin qube” that dom0 reads periodically.

Speaking of all that, can you explain or show a link to explanation how exactly dom0 is made network-less?

quber · May 25, 2026, 7:47pm

Speaking of all that, can you explain or show a link to explanation how exactly dom0 is made network-less?

I don’t know what you mean by that, but maybe reverse order of this:
#enabling-network-access-in-dom0

qubist · May 26, 2026, 5:39pm

@quber

Well, it doesn’t really answer my question but perhaps answers the OP in one more way.

ssh1 · May 27, 2026, 12:37pm

according to Provide a maintained OpenSSH package in dom0 for those who manually install it · Issue #7493 · QubesOS/qubes-issues · GitHub and GitHub - QubesOS/qubes-openssh: Packaging of openssh · GitHub it should be possible to install openssh-server in dom0, then use qvm-connect-tcp from sys-net to dom0.

i will try later, this machine is not so important, and worst case the dom0 should be no more vulnerable than openssh-server and the appvm which i connect from

the appvm i trust, openssh-server too, and no one on my network will attack (can even just allow the other qubes machine to connect)

unman · May 27, 2026, 12:59pm

You can do this, and you appear to accept any risk.
In my opinion it’s a mistake, and not to be encouraged.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.