I was wondering if anyone has any experience with connecting to a virtual machine, externally.
My goal is to be able to directly ssh into my vm, instead of for example ssh to my host machine, then ssh to the vm from there.
I was thinking it would have to be something to do with port forwarding traffic on a specific port to my vm from my host, but I can’t seem to understand how to do that properly.
I am using a virtual NATed network card, so it’s on its own subnet; therefore my router won’t do the port forward directly, so I would probably have to do some form of port forwarding on my host machine.
Here's what I tried to do, but I get connection refused when trying to connect through my host machine.
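Added example, not from anyone in the thread: the host-side piece the question is asking for, as iptables rules that hand one TCP port on the host's uplink to the VM's sshd on the NAT subnet. The interface name eth0, the VM address 192.168.122.10 and the external port 2222 are placeholders; the function prints the rules so they can be reviewed before apply_ssh_forward runs them as root.

```shell
#!/bin/sh
# Added example (not from the thread): forward host port -> NATed VM's sshd.
# Assumed placeholders: uplink interface eth0, VM at 192.168.122.10 behind the
# NAT bridge, external port 2222 mapped to VM port 22.

# Print the rules rather than running them, so they can be reviewed first.
# -I (insert at the top) matters: libvirt's default NAT network installs its
# own FORWARD rules that reject inbound connections to guests, and these must
# be evaluated before them.
ssh_forward_rules() {
    ext_if=$1; ext_port=$2; vm_ip=$3; vm_port=$4
    cat <<EOF
iptables -t nat -I PREROUTING -i $ext_if -p tcp --dport $ext_port -j DNAT --to-destination $vm_ip:$vm_port
iptables -I FORWARD -p tcp -d $vm_ip --dport $vm_port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -p tcp -s $vm_ip --sport $vm_port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Apply the rules on the host (run as root). The kernel also has to be
# willing to route between the uplink and the NAT bridge.
apply_ssh_forward() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    ssh_forward_rules "$@" | while IFS= read -r rule; do
        eval "$rule"
    done
}

# Usage on the host:  apply_ssh_forward eth0 2222 192.168.122.10 22
# then from outside:  ssh -p 2222 user@<host public address>
```

These rules do not survive a reboot on their own; persist them with whatever the host uses (iptables-save, nftables, or a firewall front end). If the VM is instead run by VirtualBox or by plain QEMU user-mode networking, the forward is set on the hypervisor rather than with iptables (VBoxManage modifyvm --natpf1, or QEMU's -netdev user,hostfwd=tcp::2222-:22), because in those setups the guest traffic never passes through the host's netfilter as a routed packet.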
I’m using OpenSSH on an Arch-based distro… I can’t seem to find anything that looks like your config anywhere. Also, I don’t really understand what you mean by setting up keys between your devices?
Sorry for being so new to this.
My goal is that a remote user needs access to my VM using ssh. My original thought was having him just connect directly to the VM using port forwarding this way, but this seems to not be working. So I am now considering making a super restricted user to allow him to just ssh into the VM. My attempts at this have also not worked…
So if what you’re suggesting for a solution requires him to have an account of his own, then let me know. But for now I’m not grasping the config you’re referring to, and how to set up my own.
Well, if you're going to expose this VM's ssh port to the outside world for someone to be able to ssh in, then you may want to look into key authentication, fail2ban, and more security stuff. You may also want this VM to be on its own VLAN, so that if someone got in, they have a lower chance of getting into anything else on your network.
Is there a particular reason someone needs to ssh into this VM?
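Added example, not from anyone in the thread: what "key authentication plus a restricted user" looks like as an sshd drop-in on the VM. The account name guest and the file name are placeholders. It assumes the VM's /etc/ssh/sshd_config carries an `Include /etc/ssh/sshd_config.d/*.conf` line (Arch's packaged default does; if yours doesn't, append the same text to sshd_config itself).

```shell
#!/bin/sh
# Added example (not from the thread): a key-only, single-user sshd drop-in.
# Placeholders: the account "guest" and the drop-in path.

write_sshd_dropin() {
    conf=$1      # e.g. /etc/ssh/sshd_config.d/10-guest.conf
    user=$2      # the one account allowed to log in over ssh
    mkdir -p "$(dirname "$conf")"
    cat > "$conf" <<EOF
# Keys only: no passwords and no keyboard-interactive fallback (PAM).
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
# Only this account may log in at all; everyone else is refused before auth.
AllowUsers $user
# Limit brute-force pressure: few tries, short window, few parallel attempts.
MaxAuthTries 3
LoginGraceTime 20
MaxStartups 3:50:10
# Per-user lockdown: a shell on the VM, but no tunnelling through it.
Match User $user
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
    chmod 644 "$conf"
}

# Guard against a drop-in that would reopen password logins or let
# everyone in (for example after a careless edit). Exit status is the verdict.
check_sshd_dropin() {
    conf=$1
    ! grep -qiE '^[[:space:]]*PasswordAuthentication[[:space:]]+yes' "$conf" \
        && grep -qiE '^[[:space:]]*AllowUsers[[:space:]]+[^[:space:]]' "$conf"
}

# Usage on the VM (as root):
#   write_sshd_dropin /etc/ssh/sshd_config.d/10-guest.conf guest
#   check_sshd_dropin /etc/ssh/sshd_config.d/10-guest.conf && sshd -t && systemctl restart sshd
```

Because sshd takes the first value it sees for each keyword, a drop-in included at the top of sshd_config wins over the defaults below it. Run `sshd -t` before restarting, and keep an existing session open while you test the new one, so a typo can't lock you out of the VM. fail2ban then only needs to watch sshd's log for the refusals this config produces.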
I have tried to implement this, but for some reason it doesn’t accept my keys. No matter what I do, it seems, it keeps giving me “Server refused our key” whenever I log in. Anything you can think of to fix this?
I have followed this EXACT format, and also tried to change the sshd config to specifically point to the authorized keys folder.
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# Ciphers and keying
#RekeyLimit default none
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
# Change to yes if you don't trust ~/.ssh/known_hosts for
# Don't read the user's ~/.rhosts and ~/.shosts files
# To disable tunneled clear text passwords, change to no here!
# Change to no to disable s/key passwords
# Kerberos options
# GSSAPI options
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# pass locale information
AcceptEnv LANG LC_*
# no default banner path
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
Here's how the key looks in my “~/.ssh/authorized_keys” file:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAnur/IL0/oQRsSbJq+psj9mcV5qWeoZTMHPE6C7SQidpgB/C/kmEo6w2pZM3x7yA9TBPw/Hdcp8w5PPL4jgvdddKgVQswJ8K4l3+mmo+oEod9pW+yU77BCRC3B9HB3LGvfwMw1hkg+Cg2uFOlLgLzyAN5zKE7qMkPCb/f8fbebu24SEodY588ktOefMYc+d7a66QvVjhCLbKjux3G51e5gDXlazfGvMoHxprtHwNYNah8+MK1NcbpOekfOzCjr3slUtJBX+5WmqxWJ+I2MglewEM6Dqqz86vJrIA5qmDFzzcgpVIrFjyp/71/B7qRmRe20iUTITycoxf7JPjdFbBINw== example key
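Added example, not from anyone in the thread: "Server refused our key" is the client-side message (PuTTY's wording) for a public-key attempt that sshd turned down without saying why; the reason is only in the VM's log (journalctl -u sshd on Arch). The two most common reasons are ones sshd checks under StrictModes, so this script runs the same checks by hand on the VM: file ownership and modes on the way to authorized_keys, and whether each key line is one intact, decodable line whose declared type matches the blob. Arguments default to the current user; it needs GNU stat and base64 (Linux).

```shell
#!/bin/sh
# Added example (not from the thread): replay sshd's StrictModes checks and
# validate authorized_keys lines, to trace a refused key on the VM.

# A path sshd will trust: exists, owned by the login user, not writable by
# group or others. Mode digits 2, 3, 6 and 7 all carry the write bit.
check_path() {
    path=$1; owner=$2
    [ -e "$path" ] || { echo "missing: $path"; return 1; }
    mode=$(stat -c %a "$path"); who=$(stat -c %U "$path")
    [ "$who" = "$owner" ] || { echo "owned by $who, not $owner: $path"; return 1; }
    case "$mode" in
        *[2367]?|*[2367]) echo "group/world writable ($mode): $path"; return 1 ;;
    esac
    echo "ok ($mode, $who): $path"
}

# sshd walks home -> ~/.ssh -> authorized_keys and refuses the key, logging
# "Authentication refused: bad ownership or modes", if any of them fails.
check_ssh_dir() {
    home=${1:-$HOME}; user=${2:-$(id -un)}; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$user" || rc=1
    done
    return $rc
}

# Every key must be ONE line: [options] type base64 [comment]. The base64
# must decode, and the type embedded at the start of the decoded blob must
# equal the type written in front of it. A key that wrapped onto two lines
# while pasting fails (the second line has no type), as does a blob whose
# type doesn't match its label.
check_authorized_keys() {
    file=$1; ok=0; bad=0
    set -f                                  # no globbing while splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line
        while [ $# -ge 2 ]; do              # step over an options field, if any
            case "$1" in ssh-*|ecdsa-*|sk-*) break ;; esac
            shift
        done
        if [ $# -ge 2 ] \
           && printf '%s' "$2" | base64 -d >/dev/null 2>&1 \
           && printf '%s' "$2" | base64 -d 2>/dev/null | head -c 32 \
              | LC_ALL=C tr -c 'a-z0-9-' '\n' | grep -qx "$1"; then
            ok=$((ok + 1))
        else
            bad=$((bad + 1)); echo "unusable line starting: ${line%% *}" >&2
        fi
    done < "$file"
    set +f
    echo "$ok usable key(s), $bad unusable line(s)"
    [ "$bad" -eq 0 ] && [ "$ok" -gt 0 ]
}

# Usage on the VM, as the login user:
#   check_ssh_dir && check_authorized_keys ~/.ssh/authorized_keys
```

If both checks pass and the key is still refused, compare the fingerprint the client offers (`ssh -v` on an OpenSSH client, or the key comment in PuTTY) with `ssh-keygen -lf ~/.ssh/authorized_keys` on the VM, and look at the sshd log entry for that attempt rather than at the client's one-line error.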
On your CLIENT machine, run ssh-keygen and use a passphrase when prompted to protect your PRIVATE key in case of theft.
This will give you two keys in ~/.ssh/:
id_rsa (the private key)
id_rsa.pub (the public key)
or similar, depending on the type of key generated
The .pub key you can give to anyone or copy to anything you want to log into from your client machine.
Stick it in ~/.ssh/authorized_keys (on the remote machine)
(copy/paste it into that file; you can copy/paste multiple public keys one after the other in that file) and ssh should use it for login.
Once you confirm you can log in using your key/passphrase, you can turn off password authentication on the remote ssh server.
The private key ideally never leaves the machine you generated the keypair on! This way, if your box gets stolen, you just remove the key from the places you added it to, and those machines can’t be used to connect even if they have your passphrase.
You can technically copy your private key around, but if you use the same key everywhere, then theft of a machine means they’ve got your only key.
To do ssh properly, keys are always generated on the CLIENT and the .pub is the only one you copy around.
Bonus points: you can use ssh-agent to keep your key unlocked on your client, so you can log in without continually typing your passphrase every time.
Sorry for not being clear earlier. This configuration goes in the user home: $HOME/.ssh/config. If the file does not exist, just create it. You can look at man ssh_config to explore options; e.g. you might want to use the HostName option to specify the full hostname/IP so that the name provided with Host can actually be an alias. You can also use it to do hostname matching using globs.
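Added example, not from anyone in the thread, covering the client-side steps of the two posts above in one script: generate the keypair on the client, drop the public key into the remote account's authorized_keys with the permissions sshd insists on, and write the $HOME/.ssh/config aliases. The host name home.example.org, the VM address 192.168.122.10 and the user guest are placeholders. The config uses ProxyJump so that `ssh vm` goes in through the host in one command, which is the alternative to exposing the VM's own port: only the host's sshd is reachable from the internet.

```shell
#!/bin/sh
# Added example (not from the thread): client-side key and config setup.
# Placeholders: home.example.org (the host), 192.168.122.10 (the VM), guest.

# 1. Generate the keypair on the CLIENT; the private key stays here.
#    -a 100 slows passphrase guessing against a stolen private-key file.
new_client_key() {
    key=${1:-$HOME/.ssh/id_ed25519}
    mkdir -p "$(dirname "$key")" && chmod 700 "$(dirname "$key")"
    ssh-keygen -t ed25519 -a 100 -f "$key" -C "$(id -un)@$(uname -n)"  # prompts for a passphrase
}

# 2. Append the PUBLIC key to an authorized_keys file exactly once, with the
#    modes sshd's StrictModes requires (700 on ~/.ssh, 600 on the file).
#    Run on the VM after copying the .pub over, or point it at a local path.
install_pubkey() {
    pubkey=$1; auth=${2:-$HOME/.ssh/authorized_keys}
    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"
    line=$(cat "$pubkey")
    if grep -qxF -- "$line" "$auth"; then
        echo "already present: $auth"
    else
        printf '%s\n' "$line" >> "$auth"
        echo "installed into: $auth"
    fi
    grep -cxF -- "$line" "$auth"          # prints 1 and succeeds when present
}

# 3. Client aliases. "ssh home" reaches the host; "ssh vm" reaches the VM
#    through the host (ProxyJump), so the VM's port 22 stays on the private
#    NAT subnet. IdentitiesOnly stops ssh from offering every key it knows.
write_client_config() {
    cfg=${1:-$HOME/.ssh/config}
    mkdir -p "$(dirname "$cfg")"
    cat >> "$cfg" <<'EOF'
Host home
    HostName home.example.org
    User guest
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

Host vm
    HostName 192.168.122.10
    User guest
    ProxyJump home
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
EOF
    chmod 600 "$cfg"
}

# Usage on the client:
#   new_client_key && write_client_config
#   scp ~/.ssh/id_ed25519.pub home:key.pub   (then on the host/VM: install_pubkey key.pub)
#   ssh vm
```

With this layout the remote user's key has to be in authorized_keys on both the host (for the jump) and the VM (for the login), and the per-user lockdown on the host can be as tight as `ForceCommand`-free, `AllowTcpForwarding yes` to the VM only (`PermitOpen 192.168.122.10:22`), since ProxyJump needs nothing but a forwarded TCP connection.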