remote access #4061

Closed
oytunistrator opened this Issue Jul 9, 2018 · 2 comments


Qubes OS version:

R4.0

Affected component(s):

rdp, openssh

Steps to reproduce the behavior:

sudo dnf install openssh

General notes:

I need to access remote desktop or ssh but I can't access from remote. I need remote access support for VMs.

Aekez Jul 9, 2018

It's a bit unclear if you mean remote access to dom0 (to control VMs), or remote access to selected VMs? I'll include both below. If it doesn't answer your issue, then please include more information on the issue to conclude if it's an issue meant for developers, or for the community mailing list instead, which is for how-to questions.

Reaching dom0 from a remote location (requires special permission in the RPC policies)

  • I'm not fully updated on Qubes admin introduced in Qubes 4.0 just yet, but isn't it exactly what you're looking for? I believe changing Qubes-RPCs is sufficient to enable it and give dom0 limited remote access, and then the rest is proper use of Qubes admin commands, which also work remotely. Try browsing your RPC permission policies at /etc/qubes-rpc/policy/.

Reaching VMs from a remote location (requires special permission in firewalls)

  • If it isn't remote access to dom0 you're trying to achieve, but instead remote access to your VMs, then you just need to adjust the Qubes firewalls, found here https://www.qubes-os.org/doc/firewall/. Since you mention sudo dnf install openssh and not sudo qubes-dom0-update openssh, it leads me to believe you're talking about remote access to AppVMs, and not remote access to dom0.

Opening up for potential attack surfaces

  • Remote access to both dom0 (RPC policies) and networking in VMs (initial remote network access to VMs) is disabled by default, which is good since it reduces potential attack surfaces, so keeping the permissions disabled when not in use is ideal.

Is this an issue for developers, or is it a question better suited for the community support?
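
One way to review the RPC policy attack surface mentioned in the comment above, as an added example that is not part of the original thread or of Qubes' own code: a small Python auditor that lists policy rules granting a call without a prompt. It assumes the R4.0 layout of one file per service under /etc/qubes-rpc/policy/ with `source destination action[,param=value]` lines; the flagging heuristics and the qube names `mgmt-vm` and `remote-gw` are assumptions made for illustration.

```python
"""Flag qrexec policy rules that allow a call without asking (Qubes R4.0-style files)."""
from pathlib import Path

ADMIN_TARGETS = {"dom0", "@adminvm"}

def parse_policy(text):
    """Yield (source, destination, action, params) for each rule line."""
    for raw in text.splitlines():
        # Drop comments; treat the older "$keyword" spelling like "@keyword".
        line = raw.split("#", 1)[0].strip().replace("$", "@")
        if not line or line.startswith("@include:"):
            continue
        fields = line.split(None, 2)
        if len(fields) < 3:
            continue  # malformed line: nothing to evaluate
        action, *extra = [part.strip() for part in fields[2].split(",")]
        params = dict(p.split("=", 1) for p in extra if "=" in p)
        yield fields[0], fields[1], action.lower(), params

def audit(service, text):
    """Return findings for the rules of one policy file (file name = service name)."""
    findings = []
    for src, dst, action, params in parse_policy(text):
        if action != "allow":
            continue  # "ask" and "deny" do not grant silent access
        target = params.get("target", dst)
        if target in ADMIN_TARGETS or service.startswith("admin."):
            findings.append((service, src, dst, "silent access to dom0/Admin API"))
        elif src == "@anyvm" and dst == "@anyvm":
            findings.append((service, src, dst, "silent access between any two qubes"))
    return findings

def audit_dir(path="/etc/qubes-rpc/policy"):
    """Audit every policy file in a directory (intended to be run in dom0)."""
    files = sorted(p for p in Path(path).iterdir() if p.is_file())
    return [f for p in files for f in audit(p.name, p.read_text())]

# Constructed sample policies; the qube names are hypothetical.
SAMPLE = {
    "qubes.Filecopy": "$anyvm $anyvm ask\n",
    "qubes.OpenURL": "# constructed rule\n@anyvm @anyvm allow\n",
    "qubes.VMShell": "remote-gw dom0 allow,user=root\n$anyvm $anyvm deny\n",
    "admin.vm.List": "mgmt-vm $anyvm allow,target=$adminvm\n",
}

def audit_sample():
    return [f for name, text in SAMPLE.items() for f in audit(name, text)]

if __name__ == "__main__":
    for finding in audit_sample():
        print(*finding, sep=" | ")
```

Calling `audit_dir()` in dom0 applies the same checks to the installed policy files; an empty result only means none of these two heuristics matched.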


andrewdavidwong Jul 10, 2018

Member

Based on our issue reporting guidelines, this does not appear to be suitable for qubes-issues. We ask that you please send this to the qubes-users mailing list instead. If, after reading our issue reporting guidelines, you believe we are mistaken, please leave a brief comment explaining why. We'll be happy to take another look, and, if appropriate, reopen this issue. Thank you for your understanding.

