ben-grande / qusal

Salt Formulas for Qubes OS.

How to use qusal.ConnectTCP #61

Closed ben-grande closed 2 weeks ago

ben-grande commented 2 weeks ago

@ben-grande I am also trying to find the qusal.ConnectTCP policy, as I am getting

kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535
fatal: Could not read from remote repository

error when trying to connect the dev qube with split-ssh (sys-ssh-agent) to a remote private repo. I didn't have this issue before; after updating the sys-net setup I suddenly started getting it.

Thanks so much for your help!

Originally posted by @wassp-ds in https://github.com/ben-grande/qusal/issues/60#issuecomment-2172511424

ben-grande commented 2 weeks ago

Please open a new issue next time for different purposes.

Yes, the dev qube is now without a netvm. The issue is not sys-ssh-agent; it is related to the qube that qusal.ConnectTCP targets. Unfortunately I cannot provide a default target; I let the user choose. Maybe I can put the default_target as the updatevm, but I let the user choose which qube to target explicitly because I don't want to depend on the updatevm having qusal.ConnectTCP installed in case the user is not going "full qusal qubes", so they may have many service qubes that are not managed by qusal.

The target can be behind a VPN, it can be sys-net, it can be sys-firewall or sys-whonix. But the sys-net.install-proxy state has to be applied to the desired templates.

On dev, ssh to a remote SSH server that sys-ssh-agent can authenticate you to:

ssh gh

Check if the dev qube has the qusal-proxy-client service enabled:

ls -l /var/run/qubes-service/qusal-proxy-client

Check if you have the latest dotfiles.copy-ssh configuration:

tail -2 ~/.ssh/config

Match Exec "test -f /var/run/qubes-service/qusal-proxy-client"
        ProxyCommand qrexec-client-vm @default qusal.ConnectTCP+%h+%p

Watch the Qrexec logs on dom0:

qusal.ConnectTCP+github.com+22: dev -> @default: allowed to disp-sys-firewall
qusal.SshAgent+dev: dev -> @default: allowed to sys-ssh-agent

A policy for qusal.ConnectTCP:

qusal.ConnectTCP +github.com+22 dev @default allow target=disp-sys-firewall

Check if your target qube has the RPC installed:

ls -l /etc/qubes-rpc/qusal.ConnectTCP

wassp-ds commented 2 weeks ago

On dev, ssh to a remote SSH server that sys-ssh-agent can authenticate you to: ssh gh

ssh <ANYTHING> gives me the kex_exchange_identification error

Check if the dev qube has the qusal-proxy-client service enabled: ls -l /var/run/qubes-service/qusal-proxy-client

in place

Check if you have the latest dotfiles.copy-ssh configuration: tail -2 ~/.ssh/config

Match Exec "test -f /var/run/qubes-service/qusal-proxy-client"
        ProxyCommand qrexec-client-vm @default qusal.ConnectTCP+%h+%p

in place

Check if your target qube has the RPC installed: ls -l /etc/qubes-rpc/qusal.ConnectTCP

My target qube will be disp-sys-net for now, in place.

journalctl /usr/bin/qrexec-policy | grep qusal only outputs

qusal.SshAgent+dev: dev -> @default: allowed to sys-ssh-agent

ben-grande commented 2 weeks ago

If the qusal.ConnectTCP rule was not seen, it was not called in the dev qube.

Have you set ProxyCommand for any of your SSH hosts?

Try:

ssh -G yoursshserver

And see the proxycommand.

You may also use the verbose mode when connecting:

ssh -vvvv yoursshserver

Test the command directly:

ssh -o ProxyCommand="qrexec-client-vm @default qusal.ConnectTCP+%h+%p" yoursshserver


wassp-ds commented 2 weeks ago

ssh -vvvv git@github.com yields the following:

OpenSSH_9.2p1 Debian-2+deb12u2, OpenSSL 3.0.11 19 Sep 2023
debug1: Reading configuration data /home/user/.ssh/config
debug1: /home/user/.ssh/config line 7: Applying options for *
debug3: kex names ok: [sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org]
debug1: /home/user/.ssh/config line 26: include ~/.ssh/config.d/*.conf matched no files
debug1: /home/user/.ssh/config line 29: Applying options for *
debug2: checking match for 'Exec "test -f /var/run/qubes-service/qusal-proxy-client"' host github.com originally github.com
debug1: Executing command: 'test -f /var/run/qubes-service/qusal-proxy-client'
debug3: command returned status 0
debug3: /home/user/.ssh/config line 36: matched 'Exec "test -f /var/run/qubes-service/qusal-proxy-client"'
debug2: match found
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: UpdateHostKeys=ask is incompatible with ControlPersist; disabling
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts.d/%k.host' -> '/home/user/.ssh/known_hosts.d/github.com.host'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts.d/%h.host' -> '/home/user/.ssh/known_hosts.d/github.com.host'
debug1: auto-mux: Trying existing master
debug1: Control socket "/home/user/.ssh/control.d/git@github.com:22" does not exist
debug1: Executing proxy command: exec qrexec-client-vm @default qusal.ConnectTCP+github.com+22
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/user/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519_sk type -1
debug1: identity file /home/user/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/user/.ssh/id_xmss type -1
debug1: identity file /home/user/.ssh/id_xmss-cert type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2
Request refused
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535
zsh: exit 255   ssh -vvvv git@github.com

ssh -G git@github.com:

host github.com
user git
hostname github.com
port 22
addressfamily any
batchmode no
canonicalizefallbacklocal yes
canonicalizehostname false
checkhostip no
compression no
controlmaster auto
enablesshkeysign no
clearallforwardings no
exitonforwardfailure no
fingerprinthash SHA256
forwardx11 no
forwardx11trusted no
gatewayports no
gssapiauthentication yes
gssapikeyexchange no
gssapidelegatecredentials no
gssapitrustdns no
gssapirenewalforcesrekey no
gssapikexalgorithms gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1-
hashknownhosts yes
hostbasedauthentication no
identitiesonly no
kbdinteractiveauthentication yes
nohostauthenticationforlocalhost no
passwordauthentication yes
permitlocalcommand no
proxyusefdpass no
pubkeyauthentication true
requesttty auto
sessiontype default
stdinnull no
forkafterauthentication no
streamlocalbindunlink no
stricthostkeychecking true
tcpkeepalive yes
tunnel false
verifyhostkeydns false
visualhostkey no
updatehostkeys false
enableescapecommandline no
canonicalizemaxdots 1
connectionattempts 1
forwardx11timeout 1200
numberofpasswordprompts 3
serveralivecountmax 3
serveraliveinterval 0
requiredrsasize 1024
ciphers aes256-gcm@openssh.com
controlpath /home/user/.ssh/control.d/git@github.com:22
hostkeyalgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com
hostbasedacceptedalgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org
casignaturealgorithms ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
loglevel INFO
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
securitykeyprovider internal
preferredauthentications publickey,keyboard-interactive,password
pubkeyacceptedalgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com
xauthlocation /usr/bin/xauth
identityfile ~/.ssh/id_rsa
identityfile ~/.ssh/id_ecdsa
identityfile ~/.ssh/id_ecdsa_sk
identityfile ~/.ssh/id_ed25519
identityfile ~/.ssh/id_ed25519_sk
identityfile ~/.ssh/id_xmss
identityfile ~/.ssh/id_dsa
canonicaldomains none
globalknownhostsfile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
userknownhostsfile /home/user/.ssh/known_hosts.d/github.com.host /home/user/.ssh/known_hosts.d/github.com.host
sendenv LANG
sendenv LC_*
logverbose none
permitremoteopen any
addkeystoagent false
forwardagent no
connecttimeout none
tunneldevice any:any
canonicalizePermittedcnames none
controlpersist 60
escapechar ~
ipqos lowdelay throughput
rekeylimit 0 0
streamlocalbindmask 0177
syslogfacility USER
proxycommand qrexec-client-vm @default qusal.ConnectTCP+%h+%p

I still see nothing related to qusal.ConnectTCP on the output of journalctl /usr/bin/qrexec-policy.

ben-grande commented 2 weeks ago

Your verbose ssh log shows "Request refused". Did you add the qusal.ConnectTCP rule to your Qrexec policy?

Watch the Qrexec policy again and you will see the call being denied.

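The policy rule shown earlier in the thread and the "Request refused" diagnosis above both come down to how qrexec evaluates its policy: rules are tried top to bottom, the first line whose service, argument, source and destination all match decides the call, and a call that matches no line is denied, which is exactly what the dev qube's ProxyCommand sees as "Request refused". The following is an added example, not code from qusal or from Qubes OS: a deliberately simplified Python model of that first-match evaluation, covering only the rule shape used in this thread ("service +arg source dest action key=value"), the "*" wildcard and "@anyvm". The policy text embedded in it is constructed for the example, the "denied" log wording is this example's own (only the "allowed to" form appears in the thread), and the path in the policy comment is illustrative.

```python
"""Simplified first-match evaluator for Qubes OS qrexec policy rules.

Added example for this thread; it is not code from qusal or Qubes OS.
It models the rule shape "service +arg source dest action [key=value ...]",
the "*" wildcard for service/argument and "@anyvm" for qubes, and qrexec's
behaviour that a call matching no line is denied ("Request refused" on the
caller's side). @tag:/@type:, @adminvm, allow+autostart and the "ask" prompt
are deliberately left out (an "ask" rule is reported, not answered).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    service: str     # "qusal.ConnectTCP" or "*"
    argument: str    # "+github.com+22", "+" (empty argument) or "*"
    source: str      # calling qube or "@anyvm"
    target: str      # requested destination, usually "@default" or "@anyvm"
    action: str      # "allow", "deny" or "ask"
    params: Dict[str, str] = field(default_factory=dict)
    text: str = ""   # original line, kept for reporting


@dataclass
class Decision:
    action: str                 # "allow", "deny" or "ask"
    resolved: Optional[str]     # qube the call is routed to when allowed
    reason: str                 # human-readable explanation


def parse_policy(text: str) -> List[Rule]:
    """Parse policy lines; '#' starts a comment, blank lines are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"malformed policy line: {raw!r}")
        service, argument, source, target, action, *extra = fields
        params = dict(p.split("=", 1) for p in extra if "=" in p)
        rules.append(Rule(service, argument, source, target, action, params, line))
    return rules


def split_call(call: str) -> Tuple[str, str]:
    """'qusal.ConnectTCP+github.com+22' -> ('qusal.ConnectTCP', '+github.com+22')."""
    service, sep, arg = call.partition("+")
    return service, (sep + arg) if sep else "+"


def _vm_matches(pattern: str, name: str) -> bool:
    return pattern == "@anyvm" or pattern == name


def evaluate(rules: List[Rule], call: str, source: str, dest: str) -> Decision:
    """First matching rule wins; no match means deny, as in qrexec-policy."""
    service, argument = split_call(call)
    for r in rules:
        if r.service not in ("*", service):
            continue
        if r.argument not in ("*", argument):
            continue
        if not _vm_matches(r.source, source) or not _vm_matches(r.target, dest):
            continue
        if r.action != "allow":
            return Decision(r.action, None, f"{r.action} by rule: {r.text}")
        resolved = r.params.get("target", dest)
        if resolved.startswith("@"):
            # "@default" with no target= names no concrete qube, so nothing can be routed.
            return Decision("deny", None, f"rule has no concrete target: {r.text}")
        return Decision("allow", resolved, f"matched rule: {r.text}")
    return Decision("deny", None, "no matching rule (caller sees 'Request refused')")


def log_line(call: str, source: str, dest: str, d: Decision) -> str:
    """Render the call the way journalctl shows it above; the non-allow form is this example's own wording."""
    if d.action == "allow":
        return f"{call}: {source} -> {dest}: allowed to {d.resolved}"
    return f"{call}: {source} -> {dest}: {d.action} ({d.reason})"


# Constructed policy for this example, mirroring the rule given in the thread.
EXAMPLE_POLICY = """
# illustrative file, e.g. one under /etc/qubes/policy.d/ in dom0
qusal.ConnectTCP  +github.com+22  dev  @default  allow  target=disp-sys-firewall
qusal.SshAgent    +dev            dev  @default  allow  target=sys-ssh-agent
"""

if __name__ == "__main__":
    rules = parse_policy(EXAMPLE_POLICY)
    for call in ("qusal.ConnectTCP+github.com+22", "qusal.ConnectTCP+gitlab.com+22"):
        print(log_line(call, "dev", "@default", evaluate(rules, call, "dev", "@default")))
```

Run as a script, the first call reproduces the "allowed to disp-sys-firewall" line from the thread and the second is denied because the rule's argument is exact; a `qusal.ConnectTCP * dev @default allow target=...` line would let the dev qube reach any host and port through that target, which is the trade-off to weigh when widening the rule.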

wassp-ds commented 2 weeks ago

Fixed - it was indeed the policy - I completely misread the documentation and thought the qusal.Connect policy for dev was part of the default policy. I would suggest to slightly reword the README for sys-net formulas and state that the "Qube dev can ask [...]" is an example, rather than an explicit part of the default policy - maybe it will be clearer. And as always, nothing short of awesome and helpful :+1:

ben-grande commented 2 weeks ago

I made changes for it to be clear, let me know if it is better.

wassp-ds commented 2 weeks ago

@ben-grande perfect - I am tracking my changes as well to help clean up the documentation - hope you don't mind :) - therefore I will have some more questions in the future, cause your project here is a gem :muscle:

ben-grande commented 2 weeks ago

Thanks for the recognition, glad you are enjoying it!