---+ BRIEF: What is the most secure way to run a GUI app in a VirtualBox guest from the host?
VBoxManage guestcontrol --username U run ...
for an account that has no password
which may require gpedit to allow
VBoxManage guestcontrol --username U --password P run ...
VBoxManage guestcontrol --username U --passwordfile PF run ...
or ssh (what network mode: NAT, ...)
---+ DETAIL
I have just started using VirtualBox, after past experience with VMWare, Parallels, Xen - heck, I worked on VMX aka VT before it was released. Overall, I am familiar with virtualization, but not so much with the incantations necessary to configure the software.
Host: MacOS Sierra
Guest: Windows 10 Pro (Microsoft's appliance, WinDev1612Sys)
I want to use this virtual machine for two purposes: (1) to run an old Windows GUI app (FrameMaker). (2) to run Windows Outlook, when Outlook for MacOS isn't good enough. Also (3), some Windows app development / portability testing.
Not only do I want to run the Windows GUI app (FrameMaker) interactively, but I also want to script it. I do that using FrameMaker's built-in ExtendScript, invoked from MacOS via VBoxManage guestcontrol run ...
(In case anyone cares, I switched from Parallels because I could not get prlctl to pass command line arguments, not even to specify a .BAT script for command.exe to run; and the old trick of editing the .app bundles created by Parallels Tools no longer worked - any attempt to edit the bundle contents, e.g. AppParam.pva, resulted in the bundle being deleted. Probably a security policy. I wasted far too much time trying to get Parallels to run parameterized automation scripts; whereas VirtualBox guestcontrol ran as soon as I tried it. Makes up for VirtualBox's seamless not being as nice as Parallels coherent mode.)
OK, so now I have something working. I can run scripts on MacOS that invoke GUI apps, and other scripts on the Windows guest. Great!
But...
---++ ps can see command line options like --password and --passwordfile
VBoxManage guestcontrol --username U --password P run ... is scary because the command line options are visible to any user running ps alxwww on MacOS. Any such user can see the password.
Similarly for VBoxManage guestcontrol --username U --passwordfile PF run ... Any such user can see the --passwordfile option - and, as far as I can tell, any such user can execute the same command. I.e. it is as good/bad as seeing the --password. (If guestcontrol run were somehow restricted to only allow such access if the host and guest usernames were the same, it might be more secure - but AFAICT, that is not supported.)
---++ passwordless guest account is scary
Nothing is visible to ps if the guest account has no password - but that scares me. Again, it appears that any host user, including anyone who is not me, can access the passwordless guest account. (Again, guestcontrol restrictions that host and guest user names match for passwordless operation might be more secure - but, still, not having a password is scary. Imagine if I configured bridged networking and my Mac was not behind a NAT (but then I am probably screwed anyway).)
---++ Don't allow other users on my Mac
Now, I don't normally allow users other than me to use my Mac. But... I might, if I naively trusted OS user process security, and I forgot about an old installation of VirtualBox. The problem is that VirtualBox guestcontrol has a security perimeter that expands to include all host user IDs.
---++ Lock VirtualBox down so that only I can use it
Possibly I could change file permissions so that only I can run VirtualBox installation tools. Also device special files, if VirtualBox installs Mac drivers. But furthermore... I happen to know that if VirtualBox is using Intel VMX / VT hardware virtualization hardware, it might be trapping things that MacOS filesystem permissions do not control.
(BTW, this is the security exposure that one gets from requiring the hypervisor run inside the kernel, from not permitting user level hypervisors. Layered VMs, guys!!!! (We'll only get there after another generation of virtual machine security break-ins.))
But I don't yet know VirtualBox well enough to do this. And a quick look seems to show no indication that VirtualBox was designed to make this easy. (Please tell me otherwise.)
---+ Passwords, not on the command line
If we have to pass a password to the guest, it would be best if it were not on the command line.
I seem to recall that ssh at one time had a --password command line option. Obviously insecure. Modern ssh does not seem to have such an option. Possibly my memory is wrong. But certainly there are folks who want to put the password on the command line, e.g., the sshpass package in Ubuntu (sshpass -p 'YourPassword' ssh user@host https://unix.stackexchange.com/questions/38737/ssh-login-with-clear-text-password-as-a-parameter)
ssh avoids the need to have the password on the command line by prompting for the password - not visible from ps. Or by having public / private keyfiles (but that is only as good as the filesystem permissions (especially if public and private keys are not separated)). Or by using ssh-agent.
I would feel better about VBoxManage guestcontrol if it used something like this.
Heck, I would feel better about guestcontrol --passwordfile if passwordfile were on the host filesystem, not the guest. Not good to have a password in a file, but better than on the command line, and equivalent to keyfiles if kept together and not separated. I am reasonably certain that I can make a file readable by me only in MacOS. ;-}
Hmm... I wonder if there's a mistake in the VBoxManage guestcontrol manpage - if --passwordfile is a host file, rather than a guest file? That would make more sense, and would explain why I have not been able to get --passwordfile guestfile to work.
That's my best hope.
---+ VirtualBox API
If VBoxManage guestcontrol can only pass passwords in a form visible from the command line, perhaps I could write my own script?
Surely somebody has already done this, if necessary. (I hope it is not necessary.)
---+ Why not ssh between guest and host?
All else failing, I could run an ssh server in the guest, and ssh in. ssh, after all, does a fairly good job of hiding passwords and other authentication tokens from ps, etc.
(I would prefer to use VBoxManage guestcontrol. Less to set up, less to misconfigure. But ssh is pretty standard.)
If I wanted to run ssh, how should VirtualBox's network be configured?
Host-only might be most secure - but that would not allow me to use Outlook in the guest without more crap.
I like running the guest behind VirtualBox NAT (and furthermore the Mac is probably also behind one or more layers of NAT, at home and work).
But if the guest is behind VirtualBox NAT, then ssh from host to guest would be blocked. So I would have to port forward. But I probably do not want to forward requests from the outside world, only from the local host.
It looks like
VBoxManage modifyvm ...
[--natpf<1-N> [<rulename>],
tcp|udp,
[<hostip>],<hostport>,
[<guestip>],<guestport>]
might do the trick.
The manpage example says
VBoxManage modifyvm "VM name" --natpf1 "guestssh,tcp,127.0.0.1,2222,,22"
to forward all TCP traffic from localhost 2222 to the guest on port 22.
Does this seem right?
Testing shows that this works - but testing does not show the absence of a security problem.
Really what I want is a combination of hostonly for traffic coming in to guest originating from host, and NAT for outgoing.
(Hmm... on other VMs like Parallels, the problem was that ssh worked, but ssh could not start a GUI app. Haven't tested that on VirtualBox yet.)
---+ CONCLUSION
So, what's the best way?
I would hope that somebody has already figured this out.
I can set up NAT and ssh, assuming that GUI apps work.
But I would prefer it if guestcontrol was secure. Even if just a doc bug, with --passwordfile being a host file rather than a guest file.
Or perhaps I should not worry about hiding stuff from ps. Many folks seem not to care. But I care.
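The ps exposure described in the question, as an added example that is not part of the original post: a small POSIX sh script that spawns a stand-in for VBoxManage (sh -c 'sleep 3', with the dummy password hunter2 in its argument vector), reads the process table back the way any other local user could, and contrasts that with a password file created under umask 077 and handed to a child on stdin. The /proc fallback, the file names and the dummy password are all assumptions of the example.

```sh
#!/bin/sh
# Added example (not from the original post): show why a password passed as a
# command-line argument is exposed to every local user, and how a 0600 file
# plus stdin is not. `sh -c 'sleep 3'` stands in for VBoxManage; "hunter2"
# is a dummy value constructed for the demo.

# Print the argument vector of a running process. /proc is used where it
# exists (Linux); otherwise fall back to ps, which is what a macOS host has.
proc_args() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Start a process that carries $1 in argv (as --password P would) and report
# "leaked" if any user running ps could read it back, "hidden" otherwise.
cmdline_visibility() {
    secret=$1
    sh -c 'sleep 3' argv0 "$secret" >/dev/null 2>&1 &
    pid=$!
    sleep 1    # let the child finish exec before inspecting it
    if proc_args "$pid" | grep -q -- "$secret"; then
        result=leaked
    else
        result=hidden
    fi
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    echo "$result"
}

# Write the secret to a file nobody else can read and return its mode bits.
# This is the property a host-side password file (or an ssh private key)
# relies on; nothing about it shows up in ps.
make_password_file() {
    pf=$1
    secret=$2
    ( umask 077; printf '%s\n' "$secret" > "$pf" )
    ls -ld "$pf" | cut -c1-10
}

# Hand the secret to a child on stdin instead of argv: it never enters the
# process table. The child here just reports its length to prove it arrived.
feed_secret_on_stdin() {
    pf=$1
    sh -c 'read -r pw; printf "%s\n" "${#pw}"' < "$pf"
}

# Demo run.
echo "argv visibility: $(cmdline_visibility hunter2)"
pf=$(mktemp)
echo "password file mode: $(make_password_file "$pf" hunter2)"
echo "chars received on stdin: $(feed_secret_on_stdin "$pf")"
rm -f "$pf"
```

Expect "leaked" for the argv case and "-rw-------" for the file. The same reasoning applies to the NAT port-forward rule later in the question: a rule whose host IP is 127.0.0.1 binds only to loopback, which on the Mac can be confirmed with lsof -nP -iTCP:2222 -sTCP:LISTEN; a rule with the host IP left empty listens on every host interface.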
I am maintaining a Virtual Machine on a Cloud Service with Linux (SLES) operating system. At some point, someone logged in, did some major things (e.g. chmod 777 on ALL files, etc) and, with some other things that he did, messed up the system.
It would be no surprise if he actually hacked it, but...
The vm is hosted inside a VPN (unreachable from outside the VPN), and last root command specifies a user connected through tty1 (!!!), with no IP address, while all my connections, root and user are pts/X.
My thoughts (not like I am an expert) are concluding on one thing, this user must have physical (?) access to cloud service, since tty is reachable locally.
Which means, that if that is true, the "attacker" must be someone from inside the Cloud-Service hosting company.
Question:
Is there ANY way you can connect remotely to a server/cloud service virtual machine using ttyX?
Correct me at any point you see wrong; as I mentioned I am not an expert but I am more than willing to learn.
Depending on the hypervisor, it provides a remote console, so it is kind of a local console connected from a remote place. Also, there is an IPMI protocol that can connect to the hypervisor and use the SOL (serial-over-LAN) command.
Other than that, the user might be connecting using VNC; that would also be shown as a tty connection.
IPMI SOL: http://www.alleft.com/sysadmin/ipmi-sol-inexpensive-remote-console/
Remote qemu guest console: How to switch to qemu monitor console when running with "-curses"
VNC on guests: https://askubuntu.com/questions/262700/qemu-kvm-vnc-support
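To make the tty-versus-pts distinction from the question and answer concrete, here is an added example, not part of either post: a POSIX sh filter that classifies last-style login records by terminal and pulls out the console sessions. The four records are constructed for the demo; the mapping of ttyN to a virtual console, ttySN to a serial console (the channel IPMI SOL attaches to) and pts/N to a network pseudo-terminal is the only knowledge it encodes.

```sh
#!/bin/sh
# Added example (not part of the answer above): classify login records by the
# terminal they came in on, so console logins on a machine that is supposed to
# be reachable only over the VPN stand out. Input is `last`-style output; the
# four records below are constructed for the demo, not taken from a real host.

SAMPLE_LAST='root     tty1                          Mon Mar  6 02:14   still logged in
root     pts/0        10.8.0.12        Sun Mar  5 22:01 - 22:40  (00:39)
admin    pts/1        10.8.0.7         Sun Mar  5 18:12 - 19:03  (00:51)
root     ttyS0                         Sat Mar  4 11:30 - 11:45  (00:15)'

# Map a terminal name to how the session most likely reached the box.
#   ttyN   virtual console: physical keyboard, or the hypervisor's console
#          (VNC / remote console feature), which looks identical from inside
#   ttySN  serial console, e.g. IPMI serial-over-LAN attached to the VM
#   pts/N  pseudo-terminal: ssh and other network logins
console_kind() {
    case $1 in
        ttyS*) echo serial-console ;;
        tty*)  echo virtual-console ;;
        pts/*) echo pty ;;
        *)     echo unknown ;;
    esac
}

# Print every record whose terminal is a console (not a pty), one per line,
# as "user tty kind". Reads `last` output on stdin.
console_logins() {
    awk '$2 ~ /^tty/ { print $1, $2 }' | while read -r user tty; do
        echo "$user $tty $(console_kind "$tty")"
    done
}

# Number of console logins in the sample. Anything above 0 on a VPN-only VM
# deserves a look at the hypervisor's console and IPMI access logs.
count_console_logins() {
    printf '%s\n' "$SAMPLE_LAST" | console_logins | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LAST" | console_logins
```

On a real host feed it with last -F (or last -F -f /var/log/wtmp.1 for rotated files) instead of the sample; the absence of a host column on the console records is the same thing the question noticed.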
Currently, I'm working on a local Linux machine. I'm trying to use scp or similar Linux command-line tools to copy files from a remote Windows machine to my local Linux. I did some searching and found that most of the solutions are for local Windows cases (like putty and winscp), which don't really help.
Please advise. Thank you.
[UPDATE] Solved by installing cygwin's sshd service on Windows.
If you really want to use SCP, you will need an SCP server (actually an SSH server) on the Windows machine.
For example freeSSHd.
You will need to choose one of the options based on your own needs, there are a number of similar tools and freeSSHd was the first in the list on Google. I've used the Bitvise SSH Server in the past but it is only free for non-commercial use.
They are usually very easy to set up. You install them the usual way and run them for the first time. Depending on the tool, they may pick up your existing Windows users or you may need to manually create some users with passwords within the tool. Then, armed with your PC's IP address, you should be able to connect to the PC using SSH from the Linux command line.
If the windows system has a shared folder you should be able access that with smbclient which is part of the terrific samba project.
Usually something like:
smbclient //winmachine/share
Possibly using the -U username option to specify the username on the windows box.
Once connected, you can use cd to change folders, and get to retrieve files.
If there is no file share.... I dunno. Create one?
Syntax for copying from remote Windows 10 machine with built-in SSH server. Note forward slashes and drive style. Domain is not necessary.
scp user@domain@example.com:c:/path/to/file.txt .
I have Ubuntu 10.04, 10.10, and 11.10 in virtual machines on oracles virtual box that I am testing products on. The licenses for the software to run is on my machine which is assigned a static IP.
So what I have done for all the other Linux distributions I have done testing with is assign the .bashrc file a line at the end like this: export LICENCE=27065@192.168.1.45 causing it to look in the network for my machine to check out and check in its licenses. I have done the same with Ubuntu but can't get it to work at all! So far Ubuntu seems to be the only one with this problem.
So I figured that maybe it was a connectivity issue. Perhaps some behind-the-scenes security factor that I didn't know about. Well, it turns out I can ping my machine on the network just fine, which makes me a little more lost.
Any info on this or even some more troubleshooting tips would be greatly appreciated.
Is this a FlexLM license? It looks like it because of the port@hostname string.
LICENCE looks wrong, these products usually use LM_LICENSE_FILE or *$PRODUCTNAME*_LICENSE_FILE, see eg. http://opendtect.org/lic/endusermanual/chap12.htm
Check with telnet if this host/port is available: telnet 192.168.1.45 27065. It's possible that ping works but connecting to this specific port doesn't.
Depending on how you start the shell in, .bashrc is not used, do you see it when you echo the variable? If not, stick it in .bash_profile instead
Try setting FLEXLM_DIAGNOSTICS=3 as described in the link above.
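The checks the answer lists, collected into one added example that is not part of the answer: a POSIX sh script that parses a port@host license spec, probes the port (using bash's /dev/tcp in a child, with coreutils timeout, rather than telnet), and reports which license variables the current shell actually carries, since a value set in .bashrc does not reach a non-interactive shell. The spec 27065@127.0.0.1, the variable names checked and the use of timeout/bash are assumptions of the example; on macOS, nc -z -w 3 host port does the probe instead.

```sh
#!/bin/sh
# Added example (not from the answer above): check whether a FlexLM-style
# "port@host" license spec points at something reachable, without relying on
# telnet being installed. The spec and addresses are constructed for the demo.

# Split "port@host" into "host port". Rejects anything that is not
# <digits>@<host>, which catches a LICENCE value that was typed wrong
# (e.g. host:port instead of port@host).
parse_license_spec() {
    case $1 in
        [0-9]*@?*)
            port=${1%%@*}
            host=${1#*@}
            case $port in *[!0-9]*) return 1 ;; esac
            echo "$host $port"
            ;;
        *) return 1 ;;
    esac
}

# Try a TCP connect via bash's /dev/tcp in a child process. ping proving the
# host is up says nothing about this port; this does. `timeout` is from
# coreutils (assumed present); on macOS use `nc -z -w 3 host port` instead.
probe_tcp() {
    if timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null; then
        echo open
    else
        echo closed
    fi
}

# Report which license variables this shell actually has. A value exported
# from .bashrc is missing in non-interactive and login shells that never
# source it, which is the ".bash_profile instead" point above.
license_env_report() {
    for v in LM_LICENSE_FILE LICENCE; do
        eval "val=\${$v:-}"
        if [ -n "$val" ]; then echo "$v=$val"; else echo "$v unset"; fi
    done
}

# Parse, then probe: prints "host:port open|closed".
check_license_spec() {
    hp=$(parse_license_spec "$1") || { echo "bad spec: $1"; return 1; }
    set -- $hp
    echo "$1:$2 $(probe_tcp "$1" "$2")"
}

check_license_spec "27065@127.0.0.1"
check_license_spec "127.0.0.1:27065"
license_env_report
```

If the port reports open but checkout still fails, FLEXLM_DIAGNOSTICS=3 from the answer is the next step; if it reports closed while the host pings, look at the firewall on the license host, since the vendor daemon port is separate from the lmgrd port and is often not pinned.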
I'm doing my development work on my Windows machine, but my compiling on a remote Linux machine. What I currently do is start an X server on Windows, ssh into the Linux machine, then do the development remotely.
What I'd like to do is edit my source on the Windows machine, and have it automatically copy files over to the Linux system when I save. I'd also like for my built-in compilation commands to perform a build on the remote system.
If it makes a difference, the source is all in C, using GCC. In descending order of preference, I have Emacs, Vi, and Netbeans on my desktop, and am willing to install another IDE for a last resort.
This is certainly doable in vim. You can use the scp:// protocol within vim to edit remote files, and set up a command that writes a local copy. You can also change what program vim uses for :make to do an ssh make instead on your server.
You'll need to set up your ssh-keys to keep this painless (otherwise you'll be entering your password all the time) but that's fairly easy.
Another alternative would be to push to a remote repos as part of your make command, instead of editing remotely.
EDIT:
First, using the scp:// protocol within vim. From :help netrw-start (or down the page from :help scp)
Netrw supports "transparent" editing of files on other machines using urls
(see |netrw-transparent|). As an example of this, let's assume you have an
account on some other machine; if you can use scp, try:
vim scp://hostname/path/to/file
Want to make ssh/scp easier to use? Check out |netrw-ssh-hack|!
You can also use scp:// paths in :edit commands, or really anywhere that you could use a normal path.
And, from the mentioned :help netrw-ssh-hack, instructions on how to set up your ssh keys:
IMPROVING BROWSING *netrw-listhack* *netrw-ssh-hack* {{{2
Especially with the remote directory browser, constantly entering the password
is tedious.
For Linux/Unix systems, the book "Linux Server Hacks - 100 industrial strength
tips & tools" by Rob Flickenger (O'Reilly, ISBN 0-596-00461-3) gives a tip
for setting up no-password ssh and scp and discusses associated security
issues. It used to be available at http://hacks.oreilly.com/pub/h/66 ,
but apparently that address is now being redirected to some "hackzine".
I'll attempt a summary based on that article and on a communication from
Ben Schmidt:
(1) Generate a public/private key pair on the local machine
(ssh client):
ssh-keygen -t rsa
(saving the file in ~/.ssh/id_rsa as prompted)
(2) Just hit <CR> when asked for passphrase (twice) for no
passphrase. If you do use a passphrase, you will also need to use
ssh-agent so you only have to type the passphrase once per session.
If you don't use a passphrase, simply logging onto your local
computer or getting access to the keyfile in any way will suffice
to access any ssh servers which have that key authorized for login.
(3) This creates two files:
~/.ssh/id_rsa
~/.ssh/id_rsa.pub
(4) On the target machine (ssh server):
cd
mkdir -p .ssh
chmod 0700 .ssh
(5) On your local machine (ssh client): (one line)
ssh {serverhostname} cat '>>' '~/.ssh/authorized_keys2' < ~/.ssh/id_rsa.pub
or, for OpenSSH, (one line)
ssh {serverhostname} cat '>>' '~/.ssh/authorized_keys' < ~/.ssh/id_rsa.pub
You can test it out with
ssh {serverhostname}
and you should be logged onto the server machine without further need to type
anything.
If you decided to use a passphrase, do:
ssh-agent $SHELL
ssh-add
ssh {serverhostname}
You will be prompted for your key passphrase when you use ssh-add, but not
subsequently when you use ssh. For use with vim, you can use
ssh-agent vim
and, when next within vim, use
:!ssh-add
Alternatively, you can apply ssh-agent to the terminal you're planning on
running vim in:
ssh-agent xterm &
and do ssh-add whenever you need.
For Windows, folks on the vim mailing list have mentioned that Pageant helps
with avoiding the constant need to enter the password.
Kingston Fung wrote about another way to avoid constantly needing to enter
passwords:
In order to avoid the need to type in the password for scp each time, you
provide a hack in the docs to set up a non password ssh account. I found a
better way to do that: I can use a regular ssh account which uses a
password to access the material without the need to key-in the password
each time. It's good for security and convenience. I tried ssh public key
authorization + ssh-agent, implementing this, and it works! Here are two
links with instructions:
http://www.ibm.com/developerworks/library/l-keyc2/
http://sial.org/howto/openssh/publickey-auth/
For making on remote systems, you need to set your makeprg variable to
do an ssh make. From :help makeprg
Program to use for the ":make" command. See |:make_makeprg|.
This option may contain '%' and '#' characters, which are expanded to
the current and alternate file name. |:_%| |:_#|
Environment variables are expanded |:set_env|. See |option-backslash|
about including spaces and backslashes.
Note that a '|' must be escaped twice: once for ":set" and once for
the interpretation of a command. When you use a filter called
"myfilter" do it like this:
:set makeprg=gmake\ \\\|\ myfilter
The placeholder "$*" can be given (even multiple times) to specify
where the arguments will be included, for example:
:set makeprg=latex\ \\\\nonstopmode\ \\\\input\\{$*}
This option cannot be set from a |modeline| or in the |sandbox|, for
security reasons.
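The key installation in steps (4) and (5) above, done the way a passphrase-less automation key for :make over ssh ought to be installed, as an added example that is neither the answer's nor the vim documentation's code: a POSIX sh script that creates .ssh and authorized_keys with the modes sshd's StrictModes requires, appends the key only if it is not already present, and prefixes it with authorized_keys options (from=, command=, no-pty, no-port-forwarding, no-agent-forwarding, no-X11-forwarding) so a copied key file can do nothing but run the build from one address. The public key string, the address 192.0.2.10 and the make command are constructed placeholders; the home directory is a temp dir in the demo.

```sh
#!/bin/sh
# Added example (not from the answer or the vim docs quoted above): install a
# public key on the build server the way an automation key should be
# installed: correct directory and file modes, no duplicate entries, and
# authorized_keys options that confine what the key may do. DEMO_PUBKEY is a
# constructed placeholder, not a real key; the home directory is whatever the
# caller passes (a temp dir in the demo).

# A passphrase plus ssh-agent is the safe default. If a key must be
# passphrase-less, confine it so a stolen key file buys less:
#   from=     accept it only from the developer's workstation address
#   command=  the only command sshd will run for it; the client-supplied
#             command is ignored (available to that command as
#             $SSH_ORIGINAL_COMMAND if it wants to inspect it)
#   no-pty, no-port-forwarding, no-agent-forwarding, no-X11-forwarding
#             shut the rest of the door
restricted_key_line() {
    pubkey=$1
    from=$2
    command=$3
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$from" "$command" "$pubkey"
}

# Append a line to $home/.ssh/authorized_keys unless it is already there,
# and force the modes sshd insists on (StrictModes rejects anything looser).
install_authorized_key() {
    home=$1
    line=$2
    keyfile="$home/.ssh/authorized_keys"
    mkdir -p "$home/.ssh"
    chmod 0700 "$home/.ssh"
    touch "$keyfile"
    chmod 0600 "$keyfile"
    if ! grep -qxF -- "$line" "$keyfile"; then
        printf '%s\n' "$line" >> "$keyfile"
    fi
}

# Return the mode bits of .ssh and authorized_keys as "drwx------ -rw-------".
authorized_key_modes() {
    home=$1
    d=$(ls -ld "$home/.ssh" | cut -c1-10)
    f=$(ls -l "$home/.ssh/authorized_keys" | cut -c1-10)
    echo "$d $f"
}

# Number of entries currently installed.
key_count() {
    wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}

# Demo with a constructed (non-functional) ed25519 public key.
DEMO_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKey0000 dev@workstation'
demo_home=$(mktemp -d)
line=$(restricted_key_line "$DEMO_PUBKEY" "192.0.2.10" "make -C /home/dev/project")
install_authorized_key "$demo_home" "$line"
install_authorized_key "$demo_home" "$line"   # second install is a no-op
echo "$line"
authorized_key_modes "$demo_home"
echo "entries: $(key_count "$demo_home")"
rm -rf "$demo_home"
```

Because command= pins the key to one command, makeprg on the vim side becomes ssh buildhost with no arguments; if the build needs parameters, have the pinned command read $SSH_ORIGINAL_COMMAND and accept only the make targets it expects. For interactive editing over scp:// keep a separate, passphrase-protected key loaded into ssh-agent, as the quoted help text suggests.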
One option is to use the TRAMP remote-editing package (built into Emacs 22 and newer, and you can install it into older versions). Every time you save your file, Emacs sends its contents over ssh (by default; of course every detail is totally configurable) to the Linux machine. Commands like M-x compile and M-x grep are TRAMP-aware and execute on the remote host.
I would look into continuous integration for your environment. This way you can commit the changes to source control, and have the linux box act as a build server. You can have tests associated and other related interesting stuff you want to be run on the builds.
Update 1: Also this might work for you: http://metamod-p.sourceforge.net/cross-compiling.on.windows.for.linux.html (it is also worth a try doing some searches on similar tools)
Others have suggested SAMBA which may not be feasible on your Linux box. A good alternative is to use Dokan SSHFS on your Windows box to mount a remote directory over SSH.
You could try sharing a disk between your Linux and Windows machines using Samba or something like that. Then you could edit on your local machines and the files would be visible immediately on the remote machine since the drive would be visible to both.
Where I work we have all files on NFS that is accessible from all Linux machines and Windows machines. I don't know how hard it is to set that up since I work in a large corporation and IT is abstracted away from me, but simple disk sharing should be pretty straightforward.
Why do you start an X server on Windows? Personally, I would set up a Linux VM with VMware or whatever your favorite VM technology is (VMware is free and works well). Then choose any Linux distribution you want. You just need very basic functions, mostly the standard "toolchain." You could pick Centos, Ubuntu, Fedora, Debian, whatever. I usually use Centos or Debian. Set it up, and just use PuTTY into your VM. From there, you can scp files to your remote server and so forth. This way you don't have to bother with cygwin or an X server or any of that.
Can you just use a samba share to save the files directly on the remote machine? I often do PHP this way.
Then just have a putty window open to run commands on the remote box.
Or am I missing something?
Set a source control system and use it. Then you can just make a commit after saving in your IDE, and on server you can have something happening on-commit.
This can trigger tests, build, mail any errors to you...
One solution might be to have some sort of polling app that checks the timestamp on the files to see if they have changed. If they have then get it to save and then compile. Kinda hackish this way but it would be workable.
I personally use XMing with PuTTY. I ssh using PuTTY while XMing is running. I can open up any editor (gvim, emacs, gedit, etc) and it will appear.
You will need to do some setup on PuTTY though:
Expand Connection
Expand SSH
Click on X11
Check the "Enable X11 Forwarding"
In the text field for display location, enter (without quotes): "localhost:0"
Save session and connect.
I do this all the time using VNC and it is very easy, but I am curious about a few things like XDMCP. As I understand it, this is a way of creating the entire desktop on a remote X-Server which seems fairly elegant.
Several years ago, I worked on a Solaris server and multiple developers had X-Servers running in Windows and we were able to access a full remote X-desktop. All my efforts so far in X based systems seem to indicate that only one instance, remote or local, of the desktop can be loaded, so I guess this Solaris thing was an actual application that "emulated" a desktop, but who knows....
Any input ?
From Windows I've found the best way to do this is using the Xwin command in cygwin.
Steps:
Install Cygwin, making sure to install X11. (Do this by scrolling to the bottom of the list on the "select packages" screen and click on the word "default" to the right of "X11". Give it a second or two and it will change to "install".)
Then, just run the Xwin command like this:
Xwin -query your.unix.system.name
You'll get a full-screen login window from your unix box. That's it!
Btw, sometimes firewalls get in the way of the UDP protocol for XDMCP. If that happens, look up the port numbers (one UDP outgoing, and one TCP incoming) and unblock them. Other xdmcp troubleshooting tips here.
NX will allow you to use a complete remote desktop environment locally, and most Linux distros already have the server available.
As an alternative to full cygwin install you might want to look at Xming. It is quite a bit lighter and should provide the same functionality.
In Xorg/GDM/LightDM options : "listen" should be activated (disabled by default)
In windows, try Xwin32.
In Linux, try Xnest (windowed) or X with "-query" command.
Be careful: it's slow and everything (passwords included) is transmitted in the clear. So keep it on the local network, tunnel it in SSH, or better, don't use it.
I found an additional remote desktop implementation which works quite nicely with LXDE:
x2go
Has clients for Windows, Linux and MacOS X.