SSH from Windows 10 to Windows 10 port 22 time out, and password issue - ssh

So I have been toying around with this for a week now and it is driving me bananas. I have the native Windows 10 SSH server and client installed on both machines. Most of the time when I try to connect I get "ssh: connect to host 10.0.0.8 port 22: Connection timed out". When I realized it might be my firewall, I disabled it and tried again, only to get "ssh: connect to host 10.0.0.8 port 22: Connection refused". The only time I have gotten closer is when using an Ubuntu VM, but then when I am prompted for a password none work; I assume that has to do with the RSA key that I have yet to establish.
How can I get either (preferably both) of these connections to work?
Can two Windows 10 PCs even SSH to each other?
Is there a solid tut out there that I should turn to?
I would be thankful for any help on this problem.
Thank you for your time

Yes, you can use the optional Windows 10 feature OpenSSH Server (sshd) and the corresponding ssh client to make connections between two Windows 10 PCs. You can actually use any ssh standard client to connect, i.e. ssh from Linux.
When you install the "OpenSSH SSH Server (sshd)" from the optional feature settings in Windows it will also automatically create a firewall rule in the Inbound Rules folder of the Windows Defender Firewall and activate the rule. This should make it possible to connect with any ssh client to your PC.
After the installation check the following:
The Windows service called OpenSSH SSH Server is started and running. It is set to manual start by default, so it will not be running unless you have started it.
The inbound firewall rule OpenSSH SSH Server (sshd) is enabled in Windows Defender Firewall with Advanced Security.
If these are active you should be able to use ssh MACHINENAME from a shell, command prompt or terminal on another PC to connect to the PC running the SSH server.
When using a Microsoft Account the user name might display a shorter version of the username when you sign-in but the password would be the same as your Microsoft Account.

I just had a similar problem. In my case, I fixed it in the services settings on Windows. Make sure that the startup options of the Open SSH Agent and Open SSH Server services are set to automatic and that you start the services. At best, do a reboot afterwards. Check again whether sshd and ssh-agent are running in the services tab in Task Manager. Then, it should work.
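The checks from the two answers above, collected into one read-only PowerShell function (an added example, not code from either answer). It assumes the service name sshd and the firewall rule display name quoted above, and is meant to run in an elevated PowerShell on the PC hosting the SSH server; the function name is hypothetical.

```powershell
function Test-SshServerReadiness {
    param(
        [int]$Port = 22,
        [string]$RuleDisplayName = 'OpenSSH SSH Server (sshd)'  # name quoted in the answer
    )
    $findings = @()

    # Service present, running, and started at boot?
    $svc = Get-Service -Name sshd -ErrorAction SilentlyContinue
    if (-not $svc) {
        $findings += 'sshd service not found: the OpenSSH Server optional feature is not installed.'
    } else {
        if ($svc.Status -ne 'Running') {
            $findings += "sshd is $($svc.Status). Start it with: Start-Service sshd"
        }
        if ($svc.StartType -ne 'Automatic') {
            $findings += "sshd start type is $($svc.StartType); it will not come up after a reboot."
        }
    }

    # Anything listening on the port? No listener and no firewall in the way
    # is what produces 'Connection refused' on the client.
    $listener = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    if (-not $listener) {
        $findings += "Nothing listens on TCP $Port; clients that reach the host get 'Connection refused'."
    }

    # Enabled inbound allow rule? Without one the firewall silently drops the
    # connection attempt, which the client reports as 'Connection timed out'.
    $allow = Get-NetFirewallRule -DisplayName $RuleDisplayName -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    if (-not $allow) {
        $findings += "No enabled inbound allow rule '$RuleDisplayName'; with the firewall on, clients time out."
    }

    if (-not $findings) {
        $findings = @("sshd is running, listening on TCP $Port, and allowed through the firewall.")
    }
    $findings
}

Test-SshServerReadiness
```

The two error messages in the question map onto different findings: a timeout points at the firewall rule, a refusal at the missing listener, so the firewall can stay enabled while the service is fixed.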

Related

Not able to log in after migrating libvirt on-prem boot disk to Google Cloud Platform using CloudEndure migration service

I migrated the VM from libvirt to Google Cloud Platform using CloudEndure. The initial sync is complete and it has been in the Data Replication stage for over a week. Once the VM is launched in test mode and I try to connect with PuTTY over SSH, it throws Connection Refused and exits with error code 255.
I tried to log in using my on-premise local machine username and SSH key with PuTTY, as the CloudEndure documentation says that I can log in to the replicated server using the same credentials.
The firewall rule in GCP and the machine allows port 22 for incoming connections. The SSH key is also updated properly in the metadata section, and it is saying the SSH key is not propagated properly.
I thought there was a problem with my local machine's ufw rules and tried turning off the firewall and replicating again, but no use. I also tried adding an SSH rule to ufw to allow connections from 0.0.0.0/0; still I'm not able to connect to the VM which is replicated and launched in test mode.
Steps tried:
I tried the interactive console method, where I tried to log in using the serial port, but the problem is that it asks for an ID and password. I don't have a password and use only SSH keys to log in.
Tried using a static IP for the instance. Before replicating the boot disk I added a firewall rule to allow SSH from that static IP, then I replicated and tried to log in (assuming that it is blocking the connection via this IP).
Followed this article to install Linux Guest OS.
Generated SSH key using ssh-keygen -t RSA -C "" in gcloud shell.
I cannot ssh into the Linux environment. Appreciate the help
Operating System: Ubuntu 18.04 LTS x64
I would be grateful for any help.

Apache Guacamole-Creating New connection to Windows PC

I have successfully installed Apache Guacamole on my DigitalOcean VPS.
Now I need to create a new connection to my Windows 10 PC.
I cannot get that to work.
I am very confused about what settings I need to fill in to connect to the PC.
Here are screenshots of the settings I can fill in. I am going to use RDP and am unsure how to find the domain, host, etc. of my PC. Maybe there are other settings I need to fill in too?
Please help as I have been trying for weeks. Thank You.
New Connection Settings Picture
First, make sure that both tomcat and guacd services are running. Usually, both are installed on the same machine.
On the settings page, select RDP as the protocol (in the images you have posted, VNC is selected). Next, in the "Parameters" section, enter the hostname or IP and the RDP port (3389 is the default). If guacd is on the same host as tomcat, there is no need to enter anything in the "Guacamole proxy parameter" section.
The settings page is a bit different when RDP is selected, but you should also populate the Windows username, password and domain of the remote PC where you want to connect. The parameters are the same as the ones you normally use to log on to this PC.
Also, make sure that the remote Windows 10 PC is accessible from the DigitalOcean VPS. You may test this by logging in to the VPS machine and issuing the following in the terminal:
telnet <remote windows pc ip> 3389
If you can connect with telnet, this means that the remote PC's RDP server is accessible; otherwise, you have to check for network-related issues (firewall, different LANs...).
If everything above is ok, then please post the tomcat log (catalina.out) and guacd log (usually in /var/log/syslog).

Activating a VPN on Google Cloud Compute VM is terminating my connection

I have spun up a Google Cloud Compute virtual machine. It's a vanilla Windows Server 2016 image, and I can log in and see the desktop. I do that by downloading the RDP file and running it.
Due to a license manager for software I'm installing, I need to VPN to my own network. In "Settings -> Network", I add a new VPN connection (using the same creds I use on my machine) and click Connect. It makes an initial connection, verifies my credentials, but during the final stage, my RDP connection to the GCP VM ends.
What is really strange is that, sometimes, I can reconnect successfully after a few minutes and the VPN connection was successful. Sometimes I can't reconnect.
Any ideas?
The VPN connection added as such will be a force-tunneled VPN, which then adds a default route over the VPN interface on the VM, disrupting your connection. The easiest way to maintain the connection would be to do either of two things:
Make the VPN split-tunneled and add a route for the licensing box. You can do this by using the Set-VpnConnection PowerShell cmdlet and then adding a route using the route add command in an administrative command prompt.
Add a more specific route for the IP address by which you access the VM, using the route add command.
UPDATE: Simply setting the VPN to use split tunneling in PowerShell solved the problem.
Use: (Replace "VPNsName" with your VPNs Name)
Set-VpnConnection -Name "VPNsName" -SplitTunneling 1
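Split tunneling plus an explicit route for the licensing server, followed by a check that the VPN no longer owns a default route (an added example, not part of the original answer). It uses Add-VpnConnectionRoute in place of the route add command mentioned above; 192.0.2.10 is a constructed placeholder for the licensing server, "VPNsName" is the placeholder from the post, and the function name is hypothetical.

```powershell
$vpnName     = 'VPNsName'      # placeholder from the post
$licenseHost = '192.0.2.10'    # constructed placeholder: licensing server address

# Stop the VPN from installing a default route; send only the licensing host through it.
Set-VpnConnection -Name $vpnName -SplitTunneling $true
Add-VpnConnectionRoute -ConnectionName $vpnName -DestinationPrefix "$licenseHost/32"

# Run this after connecting the VPN.
function Test-VpnRouting {
    param([string]$VpnName, [string]$LicenseHost)

    # Assumption: the VPN interface alias equals the connection name.
    # With split tunneling on, that interface must not carry 0.0.0.0/0.
    $vpnDefault = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -InterfaceAlias $VpnName `
        -ErrorAction SilentlyContinue

    # Route the stack would actually pick for the licensing host.
    # Find-NetRoute returns an address object and a route object; keep the route.
    $picked = Find-NetRoute -RemoteIPAddress $LicenseHost |
        Where-Object { $_.DestinationPrefix } | Select-Object -First 1

    [pscustomobject]@{
        SplitTunneling       = (Get-VpnConnection -Name $VpnName).SplitTunneling
        VpnHasDefaultRoute   = [bool]$vpnDefault
        LicenseHostLeavesVia = $picked.InterfaceAlias
    }
}

Test-VpnRouting -VpnName $vpnName -LicenseHost $licenseHost
```

When the RDP session survives, the result shows SplitTunneling as True, VpnHasDefaultRoute as False, and the licensing host leaving via the VPN interface.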

SSH Port Tunneling With Authorization

Is it possible to only allow a Port to be used via SSH Port Tunneling if the user is in a specific Active Directory Group?
I have a client machine, a Windows Web Server and a Linux Server with a database. I would like the client to be able to connect to the Database using SSH, but only if they are in a specific AD group.
Is there any way of achieving this?
Basically: no. Any user with shell access can use his own forwarder and gain access to the port anyway. So if you have users root, bob and dbtunnel on the Linux machine, all three can "export" access to the database.
But what is it that you really want to do? Because it seems to me that you want to encrypt (possibly compress) the database connection between Web server and database. You can do that without SSH at all.
What you can do, with SSH, is disable port forwarding and shell altogether except for that one group. sshd_config AllowGroups supports LDAP. You will be severely limiting all (or most) users on the Linux machine.
Some databases such as MySQL offer native encryption, possibly not so performant if compared to "born" solutions. MySQL also has compressed client/server protocol (which is best left disabled whenever using a third party encrypted connection).
You can set up a VPN and only allow access to port 3306 from the VPN interface.
Also, you can restrict connections (both SSH and VPN) to those coming from the web server to reduce the database machine's attack surface.
A fancy solution, even if it does little for security, is to not have SSHd on the Linux machine at all, and rather have it on the Windows machine. Then the Linux machine can connect with an autossh client and forward its local 3306 port to the remote. Anyone on the Windows machine can still connect to the database. And the tunnel user needn't even exist on the Linux machine. You can then disable SSH access to all users except bob for management purposes. To open the tunnel with auto-SSH from Linux to Windows, you'll need some SSH server or other for Windows.
The reason why VPN, iptables and reverse-tunnel make little difference is, how would an attacker get "into" the Windows machine? He would probably exploit the Web server. But at that point, whatever connection there is between the Web server and the database, the attacker would have full access no matter what. He would just piggyback on the existing connection.
So the firewall IP restriction and reverse-tunneling solutions do nothing for user identification, as it would be moot anyway, but rather remove the vulnerability of having the Linux machine accessible from outside the Web server by a non-admin user.
Fancy solution (in this example MySQL and port 3306; could be PostgreSQL and port 5432 just as well)
install an SSHd server on the Windows machine on some nonstandard port.
configure Windows firewall to allow connections to that port only if coming from the Linux machine's IP.
create a (limited) user on the Windows machine to allow Linux to connect.
install autossh script (above) on the Linux machine and configure it to connect to the Windows server, forwarding local 3306 port to a newly created listening remote 3306 port bound to localhost (no -g option).
tell the Web server there's a MySQL server at address 127.0.0.1 port 3306.
...and you're done.
Who can connect to the database now?
any user on that one Windows machine. This should mean only the Web server user (*).
any admin user with SSH access on the Linux machine (provided there is SSH access to the Linux machine. You could have turned it off).
an attacker successfully exploiting the Windows Web server: but he could have done it anyway, since the Web server needs access to the database.
(*) and any other user could have done this also if port forwarding was LDAP limited -- they would have just needed to wait until the connection was performed by the LDAP enabled user, then they could have piggybacked on it.
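The Windows side of the "fancy solution" steps above, with a check that the forwarded port stays bound to loopback (an added example, not code from the answer). It assumes the Windows OpenSSH Server is the SSHd in use; port 2222, the address 192.0.2.20, the account name dbtunnel as the tunnel user, and the function name are placeholders chosen for illustration.

```powershell
# Assumptions (not from the answer): Windows OpenSSH Server, port 2222,
# 192.0.2.20 as the Linux database host, 'dbtunnel' as the limited account.
$sshPort    = 2222
$linuxIp    = '192.0.2.20'
$tunnelUser = 'dbtunnel'

# Step 1: sshd on a nonstandard port. Set "Port 2222" in
# $env:ProgramData\ssh\sshd_config first, then restart the service.
Restart-Service sshd

# Step 2: accept that port only from the Linux machine, and disable the
# any-source rule that the OpenSSH Server feature creates.
New-NetFirewallRule -DisplayName "sshd $sshPort from DB host" -Direction Inbound `
    -Protocol TCP -LocalPort $sshPort -RemoteAddress $linuxIp -Action Allow
Get-NetFirewallRule -DisplayName 'OpenSSH SSH Server (sshd)' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# Step 3: limited local account for the tunnel (not added to Administrators).
$password = Read-Host -AsSecureString "Password for $tunnelUser"
New-LocalUser -Name $tunnelUser -Password $password -Description 'autossh reverse tunnel endpoint'

# Step 4 runs on the Linux machine, for example (assumed invocation):
#   autossh -M 0 -N -R 127.0.0.1:3306:127.0.0.1:3306 -p 2222 dbtunnel@<windows-host>

# After the tunnel is up: the forwarded port must listen on loopback only.
function Get-ExposedTunnelListener {
    param([int]$Port = 3306)
    Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' }
}

if (Get-ExposedTunnelListener) {
    Write-Warning 'Port 3306 is reachable from other hosts; check GatewayPorts and the -R bind address.'
}
```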

Start ipython cluster using ssh on windows machine

I have a problem setting up an IPython cluster on a Windows server and connecting to this ipcluster using an SSH connection. I tried following the tutorial on https://ipython.org/ipython/doc/dev/parallel/parallel_process.html#ssh, but I have trouble understanding what the options mean exactly and which parameters to use...
Could anyone help a total noob to set up an ipcluster? (Let's say the remote machine has ip 192.168.0.1 and the local machine has 192.168.0.2)
If you scroll roughly to the middle of the page https://ipython.org/ipython-doc/dev/parallel/parallel_process.html#ssh you will find this:
Current limitations of the SSH mode of ipcluster are:
Untested and unsupported on Windows. Would require a working ssh on Windows. Also, we are using shell scripts to setup and execute commands on remote hosts.
That means, there is no easy way to build an ipcluster with ssh connection on windows (if it works at all).
Do you really need to connect the machines with an ssh connection? I guess it's possible with an ssh client on each Windows machine, but if you are in a trusted local network you can also decide not to use the loopback interface and just expose the ports...
Sure you can start controller and engine separately! For further examples about ports (if you have problems with firewalls) see also How to setup ssh tunnel for ipython cluster (ipcluster)