Re: [qubes-users] Dom0 connectivity for maintenance

2018-03-01 Thread Alex Dubois
On Wednesday, 28 February 2018 17:59:09 UTC, awokd  wrote:
> On Wed, February 28, 2018 5:53 pm, Unman wrote:
> 
> >
> > By design dom0 has no networking.
> > If you MUST break Qubes, and you can't use the admin features in 4.0
> > (see my last post), then you'll have to use some service to pass data in
> > and out of dom0 WITHOUT networking.
> 
> Another option for remote access might be a TCP/IP based hardware KVM, or
> equivalent built in to your computer already like IPMI or DRAC. Obviously,
> Qubes can't provide any security beyond a screensaver password from an
> attack using those.

This could be useful: https://www.qubes-os.org/doc/safe-remote-ttys/

only tty...

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8e73d22a-cd6d-4d86-9ddd-bb1740e09aaf%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Dom0 connectivity for maintenance

2018-03-01 Thread Tim W
Day use for basic tasks, sure; mission critical, no way. IMO all one has to do is 
look at the hundreds of posts about issues, not to mention if it was ready or 
close to it we would not be getting a 4.0 release candidate 5. 4.0 was such a 
change IMO it's expected to have the need for this extra smoothing out of the 
code.

I guess it's also perspective. For some people mission critical can mean emails to 
their grandma, for others school work, for others where people's lives and well-being are 
on the line.



Re: [qubes-users] Dom0 connectivity for maintenance

2018-02-28 Thread Yuraeitha
On Wednesday, February 28, 2018 at 7:10:33 PM UTC+1, Braden wrote:
> On Wednesday, February 28, 2018 at 12:50:23 PM UTC-5, Unman wrote:
> > On Wed, Feb 28, 2018 at 09:48:43AM -0800, Yuraeitha wrote:
> > > On Wednesday, February 28, 2018 at 6:38:49 PM UTC+1, Unman wrote:
> > > > On Wed, Feb 28, 2018 at 08:52:07AM -0800, Braden wrote:
> > > > > Performing some modifications to dom0, but when I run apps like wget 
> > > > > from dom0 terminal I am unable to resolve addresses. Same if I were 
> > > > > to try running firefox from dom0. Know this is because of security 
> > > > > benefits, but how can I enable networking from there. Say I wanted to 
> > > > > connect to dom0 from a vnc temporarily.
> > > > > 
> > > > There's almost never any need to do this. If you want to install
> > > > packages you can use the update mechanism. Otherwise download files in a
> > > > qube and then copy them in to dom0 and install them there.
> > > > If dom0 is compromised then all your qubes are open.
> > > > 
> > > > But you probably know this already.
> > > > 
> > > > As things stand it's difficult, but not impossible to access dom0. You
> > > > could open a channel to allow vnc to a qube and use socat and an rpc
> > > > > service to front to dom0. But really just don't do it: it subverts the
> > > > whole point in using Qubes.
> > > 
> > > btw, isn't it possible that he can use the Qubes 4 dom0 admin features to 
> > > make changes to VM's from a remote location? Could the solution be to 
> > > upgrade to Qubes 4 and use that instead? I haven't yet went 
> > > discovering/understood the limitations of the Qubes 4 dom0 admin tools, 
> > > but isn't this a perfect match to his goal if he upgrades? Apologies if I 
> > > misunderstood how the dom0 admin features work, I haven't started using 
> > > > it myself yet.
> > > 
> > 
> > Yes, it is.
> > OP could read this post
> > https://www.qubes-os.org/news/2017/06/27/qubes-admin-api/
> My hardware is only 3.2 supported rn as you guessed, suppose I could explore 
> the unique service idea, is there anything similar on *nix

From a security point of view, Qubes 4 is probably long past the point to 
surpass the security risk there is to opening up dom0 to networking (if 
comparing the two situations purely from a security risk point of view). So if 
you got the time for it, it might be worth it to install Qubes to gain access 
to the dom0 admin tools. In terms of reliability, well personally I feel Qubes 
4 is pretty stable, I haven't had any major issues. But they're still working 
on it, though, I believe it's because they want it to be as perfect as possible. 
It's very different from being ready to release, and to release something near 
a perfection goal. Well obviously perfection is a dangerous word to use, but 
it can be translated into high quality instead. That's how I perceive it at 
least. If you got the time, it may be worth upgrading.

Perhaps others may put in a word for how ready they perceive Qubes 4 is for 
productivity and mission critical work. Since it isn't officially released as 
a final release yet, the more views on this matter, the merrier and more 
accurate it'll be. 



Re: [qubes-users] Dom0 connectivity for maintenance

2018-02-28 Thread Braden
On Wednesday, February 28, 2018 at 12:50:23 PM UTC-5, Unman wrote:
> On Wed, Feb 28, 2018 at 09:48:43AM -0800, Yuraeitha wrote:
> > On Wednesday, February 28, 2018 at 6:38:49 PM UTC+1, Unman wrote:
> > > On Wed, Feb 28, 2018 at 08:52:07AM -0800, Braden wrote:
> > > > Performing some modifications to dom0, but when I run apps like wget 
> > > > from dom0 terminal I am unable to resolve addresses. Same if I were to 
> > > > try running firefox from dom0. Know this is because of security 
> > > > benefits, but how can I enable networking from there. Say I wanted to 
> > > > connect to dom0 from a vnc temporarily.
> > > > 
> > > There's almost never any need to do this. If you want to install
> > > packages you can use the update mechanism. Otherwise download files in a
> > > qube and then copy them in to dom0 and install them there.
> > > If dom0 is compromised then all your qubes are open.
> > > 
> > > But you probably know this already.
> > > 
> > > As things stand it's difficult, but not impossible to access dom0. You
> > > could open a channel to allow vnc to a qube and use socat and an rpc
> > > > service to front to dom0. But really just don't do it: it subverts the
> > > whole point in using Qubes.
> > 
> > btw, isn't it possible that he can use the Qubes 4 dom0 admin features to 
> > make changes to VM's from a remote location? Could the solution be to 
> > upgrade to Qubes 4 and use that instead? I haven't yet went 
> > discovering/understood the limitations of the Qubes 4 dom0 admin tools, but 
> > isn't this a perfect match to his goal if he upgrades? Apologies if I 
> > misunderstood how the dom0 admin features work, I haven't started using it 
> > > myself yet.
> > 
> 
> Yes, it is.
> OP could read this post
> https://www.qubes-os.org/news/2017/06/27/qubes-admin-api/
My hardware is only 3.2 supported rn as you guessed, suppose I could explore 
the unique service idea, is there anything similar on *nix



Re: [qubes-users] Dom0 connectivity for maintenance

2018-02-28 Thread Yuraeitha
On Wednesday, February 28, 2018 at 6:51:14 PM UTC+1, Braden wrote:
> On Wednesday, February 28, 2018 at 12:50:17 PM UTC-5, Braden wrote:
> > On Wednesday, February 28, 2018 at 12:38:49 PM UTC-5, Unman wrote:
> > > On Wed, Feb 28, 2018 at 08:52:07AM -0800, Braden wrote:
> > > > Performing some modifications to dom0, but when I run apps like wget 
> > > > from dom0 terminal I am unable to resolve addresses. Same if I were to 
> > > > try running firefox from dom0. Know this is because of security 
> > > > benefits, but how can I enable networking from there. Say I wanted to 
> > > > connect to dom0 from a vnc temporarily.
> > > > 
> > > There's almost never any need to do this. If you want to install
> > > packages you can use the update mechanism. Otherwise download files in a
> > > qube and then copy them in to dom0 and install them there.
> > > If dom0 is compromised then all your qubes are open.
> > > 
> > > But you probably know this already.
> > > 
> > > As things stand it's difficult, but not impossible to access dom0. You
> > > could open a channel to allow vnc to a qube and use socat and an rpc
> > > > service to front to dom0. But really just don't do it: it subverts the
> > > whole point in using Qubes.
> > 
> > Fair enough, suppose will copy the package to dom0 and then install my vnc 
> > server there, but would the firewall refuse to allow connections just like 
> > how firefox and wget refuse in dom0?
> 
> Only need VNC client connections working that is

Is VNC capable of something that can't be done with the Qubes 4 dom0/admin 
tools? Just curious, maybe it can be solved.



Re: [qubes-users] Dom0 connectivity for maintenance

2018-02-28 Thread 'awokd' via qubes-users
On Wed, February 28, 2018 5:53 pm, Unman wrote:

>
> By design dom0 has no networking.
> If you MUST break Qubes, and you can't use the admin features in 4.0
> (see my last post), then you'll have to use some service to pass data in
> and out of dom0 WITHOUT networking.

Another option for remote access might be a TCP/IP based hardware KVM, or
equivalent built in to your computer already like IPMI or DRAC. Obviously,
Qubes can't provide any security beyond a screensaver password from an
attack using those.





Re: [qubes-users] Dom0 connectivity for maintenance

2018-02-28 Thread Unman
On Wed, Feb 28, 2018 at 09:50:17AM -0800, Braden wrote:
> On Wednesday, February 28, 2018 at 12:38:49 PM UTC-5, Unman wrote:
> > On Wed, Feb 28, 2018 at 08:52:07AM -0800, Braden wrote:
> > > Performing some modifications to dom0, but when I run apps like wget from 
> > > dom0 terminal I am unable to resolve addresses. Same if I were to try 
> > > running firefox from dom0. Know this is because of security benefits, but 
> > > how can I enable networking from there. Say I wanted to connect to dom0 
> > > from a vnc temporarily.
> > > 
> > There's almost never any need to do this. If you want to install
> > packages you can use the update mechanism. Otherwise download files in a
> > qube and then copy them in to dom0 and install them there.
> > If dom0 is compromised then all your qubes are open.
> > 
> > But you probably know this already.
> > 
> > As things stand it's difficult, but not impossible to access dom0. You
> > could open a channel to allow vnc to a qube and use socat and an rpc
> > > service to front to dom0. But really just don't do it: it subverts the
> > whole point in using Qubes.
> 
> Fair enough, suppose will copy the package to dom0 and then install my vnc 
> server there, but would the firewall refuse to allow connections just like 
> how firefox and wget refuse in dom0?
> 

By design dom0 has no networking.
If you MUST break Qubes, and you can't use the admin features in 4.0
(see my last post), then you'll have to use some service to pass data in
and out of dom0 WITHOUT networking.




Re: [qubes-users] Dom0 connectivity for maintenance

2018-02-28 Thread Braden
On Wednesday, February 28, 2018 at 12:50:17 PM UTC-5, Braden wrote:
> On Wednesday, February 28, 2018 at 12:38:49 PM UTC-5, Unman wrote:
> > On Wed, Feb 28, 2018 at 08:52:07AM -0800, Braden wrote:
> > > Performing some modifications to dom0, but when I run apps like wget from 
> > > dom0 terminal I am unable to resolve addresses. Same if I were to try 
> > > running firefox from dom0. Know this is because of security benefits, but 
> > > how can I enable networking from there. Say I wanted to connect to dom0 
> > > from a vnc temporarily.
> > > 
> > There's almost never any need to do this. If you want to install
> > packages you can use the update mechanism. Otherwise download files in a
> > qube and then copy them in to dom0 and install them there.
> > If dom0 is compromised then all your qubes are open.
> > 
> > But you probably know this already.
> > 
> > As things stand it's difficult, but not impossible to access dom0. You
> > could open a channel to allow vnc to a qube and use socat and an rpc
> > > service to front to dom0. But really just don't do it: it subverts the
> > whole point in using Qubes.
> 
> Fair enough, suppose will copy the package to dom0 and then install my vnc 
> server there, but would the firewall refuse to allow connections just like 
> how firefox and wget refuse in dom0?

Only need VNC client connections working that is



Re: [qubes-users] Dom0 connectivity for maintenance

2018-02-28 Thread Unman
On Wed, Feb 28, 2018 at 09:48:43AM -0800, Yuraeitha wrote:
> On Wednesday, February 28, 2018 at 6:38:49 PM UTC+1, Unman wrote:
> > On Wed, Feb 28, 2018 at 08:52:07AM -0800, Braden wrote:
> > > Performing some modifications to dom0, but when I run apps like wget from 
> > > dom0 terminal I am unable to resolve addresses. Same if I were to try 
> > > running firefox from dom0. Know this is because of security benefits, but 
> > > how can I enable networking from there. Say I wanted to connect to dom0 
> > > from a vnc temporarily.
> > > 
> > There's almost never any need to do this. If you want to install
> > packages you can use the update mechanism. Otherwise download files in a
> > qube and then copy them in to dom0 and install them there.
> > If dom0 is compromised then all your qubes are open.
> > 
> > But you probably know this already.
> > 
> > As things stand it's difficult, but not impossible to access dom0. You
> > could open a channel to allow vnc to a qube and use socat and an rpc
> > > service to front to dom0. But really just don't do it: it subverts the
> > whole point in using Qubes.
> 
> btw, isn't it possible that he can use the Qubes 4 dom0 admin features to 
> make changes to VM's from a remote location? Could the solution be to upgrade 
> to Qubes 4 and use that instead? I haven't yet went discovering/understood 
> the limitations of the Qubes 4 dom0 admin tools, but isn't this a perfect 
> match to his goal if he upgrades? Apologies if I misunderstood how the dom0 
> > admin features work, I haven't started using it myself yet.
> 

Yes, it is.
OP could read this post
https://www.qubes-os.org/news/2017/06/27/qubes-admin-api/



Re: [qubes-users] Dom0 connectivity for maintenance

2018-02-28 Thread Yuraeitha
On Wednesday, February 28, 2018 at 6:38:49 PM UTC+1, Unman wrote:
> On Wed, Feb 28, 2018 at 08:52:07AM -0800, Braden wrote:
> > Performing some modifications to dom0, but when I run apps like wget from 
> > dom0 terminal I am unable to resolve addresses. Same if I were to try 
> > running firefox from dom0. Know this is because of security benefits, but 
> > how can I enable networking from there. Say I wanted to connect to dom0 
> > from a vnc temporarily.
> > 
> There's almost never any need to do this. If you want to install
> packages you can use the update mechanism. Otherwise download files in a
> qube and then copy them in to dom0 and install them there.
> If dom0 is compromised then all your qubes are open.
> 
> But you probably know this already.
> 
> As things stand it's difficult, but not impossible to access dom0. You
> could open a channel to allow vnc to a qube and use socat and an rpc
> > service to front to dom0. But really just don't do it: it subverts the
> whole point in using Qubes.

btw, isn't it possible that he can use the Qubes 4 dom0 admin features to make 
changes to VM's from a remote location? Could the solution be to upgrade to 
Qubes 4 and use that instead? I haven't yet went discovering/understood the 
limitations of the Qubes 4 dom0 admin tools, but isn't this a perfect match to 
his goal if he upgrades? Apologies if I misunderstood how the dom0 admin 
features work, I haven't started using it myself yet.



Re: [qubes-users] Dom0 connectivity for maintenance

2018-02-28 Thread Unman
On Wed, Feb 28, 2018 at 08:52:07AM -0800, Braden wrote:
> Performing some modifications to dom0, but when I run apps like wget from 
> dom0 terminal I am unable to resolve addresses. Same if I were to try running 
> firefox from dom0. Know this is because of security benefits, but how can I 
> enable networking from there. Say I wanted to connect to dom0 from a vnc 
> temporarily.
> 
There's almost never any need to do this. If you want to install
packages you can use the update mechanism. Otherwise download files in a
qube and then copy them in to dom0 and install them there.
If dom0 is compromised then all your qubes are open.

But you probably know this already.

As things stand it's difficult, but not impossible to access dom0. You
could open a channel to allow vnc to a qube and use socat and an rpc
service to front to dom0. But really just don't do it: it subverts the
whole point in using Qubes.




[qubes-users] Dom0 connectivity for maintenance

2018-02-28 Thread Braden
Performing some modifications to dom0, but when I run apps like wget from dom0 
terminal I am unable to resolve addresses. Same if I were to try running 
firefox from dom0. Know this is because of security benefits, but how can I 
enable networking from there. Say I wanted to connect to dom0 from a vnc 
temporarily.
