tunneling – Is accessing Cockpit through SSH tunnel secure?

I can’t find a definite answer on accessing cockpit from outside machines securely. Just letting it through the firewall doesn’t seem safe. It only uses basic user and password authentication – I’m not using Kerberos.

So I thought that SSHing into the machine over Internet and then forwarding 9090 port should work – it works for VNC after all. Or is it… is there any vulnerability I might be missing here?

ssh tunnel – I can’t connect to reverse SSH from another device

New to all this stuff, sorry if it seems basic. I have a Raspberry Pi creating a reverse SSH tunnel (over the Internet) to another RPi that I use as a server.

Tunnel creation : ssh -i /home/pi/.ssh/id_rsa -p 45000 -N -R 2500:localhost:22 user@IP -o "ServerAliveInterval 5" -o "ServerAliveCountMax 2" -o "ExitOnForwardFailure yes"

Server command : ssh -p 2500 user@localhost

This works fine, but now I want to do the same with a more “official” server.

So I copied the SSH key to another RPi (to know if it is possible to connect from another device before trying with the server), updated the NAT rules of the router to redirect the tunnel to the second RPi IP, and tried to connect. But it didn’t work. (No firewall set up)

To be clear, with this diagram :

A ===========> router <----------- B
A ===========> router <-----X----- C 

ssh is installed (which ssh(d) => /usr/bin/ssh(d)), and the service is launched.

Here is the verbose :

debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "localhost" port 2500
debug2: ssh_connect_direct
debug1: Connecting to localhost (::1) port 2500.
debug1: connect to address ::1 port 2500: Connection refused
debug1: Connecting to localhost ( port 2500.
debug1: connect to address port 2500: Connection refused
ssh: connect to host localhost port 2500: Connection refused

/etc/ssh/ssh_config are the same in both RPi.
All the policies from iptables are set to ACCEPT (remote and local).
Logs from the remote RPi don’t contain any information about connection attempts. (Seems logical, as the SSH connection is not even set …)

Already tried to set -L, but no results either. (From this and this ServerFault topics, probably misunderstood the concepts)

Do you have any idea how to connect to the tunnel with the second RPi? Is it even possible without being on the same network?

Thank you in advance for your responses !

networking – SSH connection refused on no-ip but allowed on local

Hello, I am quite new to the Linux server environment and I’ve been trying to set up an old laptop as a web server with nginx.

I followed this tutorial for securing my server:
tutorial for securing the ssh access

Then I proceeded to portforward my router to allow remote ssh and also opened up port 80 to test if I could connect the server as a subdomain to a domain I already own.
After that I enabled No-Ip on my router and set up a dynamic DNS for my IP, so that I could ssh from that dns from anywhere

However now I am facing the following problems:

  • I cannot ssh via my dynamic dns from No-ip but I can ssh via the local IP of the ‘server’
  • If I try to run $ ssh -p MYPORT user@no-ip-address, I get this in return:
    • ssh: connect to host no-ip-address port MYPORT: Connection refused.

I have checked if my no-ip dns has the port open in here and it tells me that the port I want to use to ssh into the server is open.

I also linked this server as a subdomain of a domain I already own with nginx, and whilst the server is connected to that subdomain, if I try to telnet that subdomain it is linked to my router’s public IP as expected, but I also get the Connection refused error that I get when trying to ssh to the server.

Thanks in advance!

EDIT: I am using Ubuntu Server 20.04 LTS

High variance of SSH connect latency

I am trying to SSH to a remote server. Sometimes I connect quickly in under a second. Other times, it takes much longer – between 7 and 25 seconds.

I tried running with ssh -v for debugging. When it takes longer, it hangs on

debug1: Connecting to <hostname> [<ip_address>] port 22.

Any ideas what might be causing this issue? Or things I can do to debug it?

linux – How do I use KeePassXC as an SSH agent?

The SSH Agent has a whole dedicated section in KeePassXC docs. It’s probably best to read it whole to get a general idea of how it works. If you don’t want to, here’s a summary.

KeePassXC doesn’t act as a full-blown SSH Agent replacement. Instead, it communicates with an already running SSH agent and adds or removes SSH keys as needed.

Private keys can be stored entirely in a KeePassXC database. Alternatively, you can keep password-protected key files in the filesystem and use KeePassXC to unlock them automatically using a password stored in the DB and insert them into agent.

Keys can be added and removed on demand or automatically when the database is opened/closed. You can also set timeouts for key removal and enable confirmations on per-key basis.

Pretty neat!

Add a new entry. Name is as you wish.

The username will be used as a key name in the agent (ssh-add -l). The password will be used to unlock the key if it’s password protected.

Advanced tab: Add the private key as an attachment if you wish to store it in the database (useful for sharing between systems if your database is already shared somehow).

Auto-Type tab: Uncheck Enable Auto-Type for this entry.

SSH Agent tab: Configure when the key is added and removed to your liking. Choose your private key from attachments or the filesystem.

Browser Integration tab: Check Hide this entry from the browser extension.

I’ve tested this on Pop!_OS 18.04, which is a closely related fork of Ubuntu.

This feature should mostly work out of the box, just enable it in KeePassXC settings.

Use ssh-add -l to check if your keys are loaded (if you’ve chosen to add them manually, you can do this by right-clicking them and selecting Add key to SSH Agent).

SSH Agent does not work if KeePassXC is installed as a snap package. If snap info keepassxc returns something, you must remove the snap version and install a regular one using apt. If you’re on Pop!_OS and apt installs an older version than snap, see this question: KeePassXC is not upgrading to latest version on Pop!_OS.

Answer tested on Windows 10 version 2004.

First of all, you have to be using the OpenSSH Client that comes with Windows 10. It’s a bit different than “bare” OpenSSH when it comes to communication with the agent. Make sure you have OpenSSH Client component installed (it’s optional – may be missing if you’ve removed it explicitly or upgraded from an older version of Windows).

If you have another SSH client installed (for example the one that comes with git), make sure that the Windows one is used on the command line. Typing where ssh-add in the cmd window should return C:\Windows\System32\OpenSSH\ssh-add.exe as the first entry. If that’s not the case, you have to reorder your PATH entries.

You also have to enable the agent’s service. Open services.msc and find OpenSSH Authentication Agent. Set its Startup type to Automatic, apply and start it.

Unfortunately the version of SSH client that comes with Windows build 2004 is buggy and doesn’t work with RSA keys. You must apply this workaround:

  1. Stop the agent service.
  2. Download the latest release of OpenSSH-Win64.zip from GitHub. Extract it to C:\Program Files\OpenSSH-Win64.
  3. Open regedit and go to HKLM\SYSTEM\CurrentControlSet\Services\ssh-agent. Change ImagePath to C:\Program Files\OpenSSH-Win64\ssh-agent.exe
  4. Start the service.

Now enable the SSH Agent in KeePassXC settings and check Use OpenSSH for Windows instead of Pageant.

Use ssh-add -l to check if your keys are loaded (if you’ve chosen to add them manually, you can do this by right-clicking them and selecting Add key to SSH Agent).

Save a corresponding public key in the filesystem and use it in the config. ssh will use the correct key from KeePassXC if it’s added to agent.
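
The last step above (saving the public key and pointing the config at it), sketched for the Linux setup as an added example that is not part of the original answer. The host alias, host name, user and file path are hypothetical, and the agent listing is constructed sample data rather than real keys.

```shell
#!/bin/sh
# Added example; names, paths and key blobs are constructed placeholders.

# Read `ssh-add -L` output on stdin and print the public-key line whose
# comment equals $1. KeePassXC uses the entry's username as that comment.
# Exit status is 1 when no key with that comment is loaded in the agent.
pubkey_for_comment() {
    awk -v want="$1" '
        NF >= 3 {
            comment = $3
            for (i = 4; i <= NF; i++) comment = comment " " $i
            if (comment == want) { print; found = 1 }
        }
        END { exit !found }
    '
}

# Print an ssh_config stanza that pins one host to one agent-held key.
# IdentityFile may name a public key file; ssh then uses the matching
# private key from the agent. IdentitiesOnly yes stops ssh from offering
# every other key the agent holds to this server.
ssh_config_stanza() {   # args: alias hostname user pubfile
    printf 'Host %s\n' "$1"
    printf '    HostName %s\n' "$2"
    printf '    User %s\n' "$3"
    printf '    IdentityFile %s\n' "$4"
    printf '    IdentitiesOnly yes\n'
}

# Constructed stand-in for `ssh-add -L` output (blobs are not real keys).
sample_agent_listing() {
    cat <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedBlobOne000000000000 alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABConstructedBlobTwo deploy key
EOF
}

# Real use: ssh-add -L | pubkey_for_comment "deploy key" > ~/.ssh/deploy.pub
sample_agent_listing | pubkey_for_comment "deploy key"
ssh_config_stanza build build.example.org deploy "~/.ssh/deploy.pub"
```

Only the public half ends up on disk; the private key stays in the KeePassXC database and is available to ssh only while KeePassXC has added it to the agent.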

opengl – Can’t type password for SSH in Powershell

I would like to render an animation in Blender over Google Colaboratory, and I followed this tutorial to help me do that: https://internet-of-tomohiro.netlify.app/google_colab/vnc.en.html. So basically, Google Colab’s virtual machine should connect to my ngrok account, and I needed SSH to connect to the server and to do that. I installed SSH using Scoop. Then I typed the following command in PowerShell: ‘ssh -o UserKnownHostsFile=/dev/null -o VisualHostKey=yes -p 11458 -L 5901:localhost:5901 colab@2.tcp.eu.ngrok.io’. Then PowerShell asked me to type colab@2.tcp.eu.ngrok.io’s password. I copied the password from Google Colab and pasted it in PowerShell, but nothing showed up, like I didn’t even type anything. I tried manually typing, but still nothing showed up. I tried pasting the password again and pressed Enter. PowerShell responded with: Permission denied, please try again.. I tried 2 more times and then it said ‘colab@2.tcp.eu.ngrok.io: Permission denied (publickey,password)’.

Why won’t it let me type the password? I can’t do any further steps without typing the password. Every step I did is provided in the link above.

Link on how to run SSH server: https://github.com/demotomohiro/remocolab

command line – Transfer a directory over ssh

I am trying to transfer a directory from a remote server(CentOS) to my local machine(Ubuntu) over ssh. There are two users : A and B. User A can ssh into remote server and has sudo access. User B owns a directory in remote server.

To transfer a directory owned by User B as User A, sudo needs to be used.

Currently for transferring a file (from remote to local) this is what I am using :

ssh -tt userA@remote_host 'stty raw -echo; sudo cat /path/to/remote/file/owned/by/userB' > /path/to/local/file

To transfer a directory I have tried the tar approach,

ssh -tt userA@remote_host 'stty raw -echo; sudo tar -C /path/to/remote/directory/owned/by/userB/ -czf - .' | tar -C /path/to/local/directory -xzf -

However on the local system I get this error :

gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now