Re: [qubes-users] How do I install packages to a template over a VPN?
I had done that in the past in another scenario. Turns out my employer's idea of a secure workstation and the separate firewall VM do not mesh. There were several ways it failed my employer's security checks, but then they're expecting a standalone system or a standalone VM at most. On Fri, Jul 1, 2016 at 3:39 AM Marek Marczykowski-Górecki < marma...@invisiblethingslab.com> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > On Thu, Jun 23, 2016 at 10:29:16PM -0700, Andrew David Wong wrote: > > On 2016-06-23 12:03, James Ward wrote: > > > I'm reinstalling to clean up all the experimenting I did yesterday > > > just to get a fresh start, but I do have one more question I can't > > > seem to find the answer to. How do I make the default user the > > > same as dom0 (i.e. jeward in my case)? I regularly ssh into other > > > system as jeward and this would just be so much more convenient > > > than "user". > > > > > > > Not certain about this, but I think "user" might be hardcoded. Maybe > > someone else knows of a way to change it without breaking stuff, but > > I'm not personally aware of one. > > Unfortunately it is hardcoded in many places. But you can configure ssh > to use a different one by default: > > .ssh/config: > > Host * > User jeward > > - -- > Best Regards, > Marek Marczykowski-Górecki > Invisible Things Lab > A: Because it messes up the order in which people normally read text. > Q: Why is top-posting such a bad thing? > -BEGIN PGP SIGNATURE- > Version: GnuPG v2 > > iQEcBAEBCAAGBQJXdkh1AAoJENuP0xzK19csi3MH/3rlP3tmjKDgfLQy5i9e7eg7 > 2cRidy4E510phN95b7C9XTjf2Y3JJByqBIr744NqLobowtUQRnmxsEQRnLf3cZ4z > m5qthPN0CoI9GcMr6AgipP3N/CDz1tDhPyK7toK8qo54Bhi/Zxz4GWUT6ivKfBVS > Sz+JLIDexOlZqdZTKTiE6jVsuToHIuxU6hlPgGQFNIM8/cnJn/3sqOgiYDpWDXV0 > bMghMT+6keh1A4L4VxrPjg0dTMXLUG7aD6fypaSQNFbKAXTuv+wwuXKrZac12MsS > gyDf5hZv4+fD4Utn0grGGN2f4/rgOc69mgm5kfSUk6oD3zrOI/2MAUK6GSqNNyY= > =Gncj > -END PGP SIGNATURE- > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CADmwtgCfg3ztnAcpdu8UpdxTyeT6BH%3DVRuiE7MtBwZxBfZtaeg%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How do I install packages to a template over a VPN?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Thu, Jun 23, 2016 at 10:29:16PM -0700, Andrew David Wong wrote: > On 2016-06-23 12:03, James Ward wrote: > > I'm reinstalling to clean up all the experimenting I did yesterday > > just to get a fresh start, but I do have one more question I can't > > seem to find the answer to. How do I make the default user the > > same as dom0 (i.e. jeward in my case)? I regularly ssh into other > > system as jeward and this would just be so much more convenient > > than "user". > > > > Not certain about this, but I think "user" might be hardcoded. Maybe > someone else knows of a way to change it without breaking stuff, but > I'm not personally aware of one. Unfortunately it is hardcoded in many places. But you can configure ssh to use a different one by default: .ssh/config: Host * User jeward - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQEcBAEBCAAGBQJXdkh1AAoJENuP0xzK19csi3MH/3rlP3tmjKDgfLQy5i9e7eg7 2cRidy4E510phN95b7C9XTjf2Y3JJByqBIr744NqLobowtUQRnmxsEQRnLf3cZ4z m5qthPN0CoI9GcMr6AgipP3N/CDz1tDhPyK7toK8qo54Bhi/Zxz4GWUT6ivKfBVS Sz+JLIDexOlZqdZTKTiE6jVsuToHIuxU6hlPgGQFNIM8/cnJn/3sqOgiYDpWDXV0 bMghMT+6keh1A4L4VxrPjg0dTMXLUG7aD6fypaSQNFbKAXTuv+wwuXKrZac12MsS gyDf5hZv4+fD4Utn0grGGN2f4/rgOc69mgm5kfSUk6oD3zrOI/2MAUK6GSqNNyY= =Gncj -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20160701103947.GB1323%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How do I install packages to a template over a VPN?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi Zrubi, >> There is an issue with updating a template over a vpn: The >> intercepting updates proxy normally runs in sys-net, which can't >> see inside the encrypted vpn traffic. This may be a cause of the >> problem, however it should really only manifest if you are using >> yum/dnf; Programs like wget should be able to access the net OK >> if you've set the template's firewall setting to 'allow...'. > > I'm usually commenting out the yum/dnf proxy for such templates. in > case of fedora 23 /etc/dnf/dnf.conf You will find the qubes proxy > related line, comment out that line, and the update will be > successful. Or you can disable the updates-proxy-setup Qubes service for that template, which is responsible for adding the proxy setting to dnf and apt configuration when the template starts. Rusty -BEGIN PGP SIGNATURE- iQJ8BAEBCgBmBQJXbQziXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0 NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfH7sP/080TCPi9kfKe/mBFt94wSZc 9JPG+NhOqA6NclGECDtTmbgx4REddOofwSQRuIl+0uEsVtE9EdCMRR6DEgcK3fnc sgQNxC7/qb0CjqTy0BsLDrLkysQThyIzsGQKBTyJ1cQiRcBpwvxDEwda2IuGlzYi NgITZb9GQMFaxwTeKHKtH+mjKCMncmdHwXzNPCX61+1zjiTsukZU1NoExKUa0hGO 0t20gP3jRdVGCIXkQlosXcUKJwsUKhnU0lodJw56xBX+WpMA1PS8kvzGd2NQwv2a meXRgeZN/9aStHAgM3Gc52mNyIcEjmG+GUEFrN9DsFs/L9ALDL6NxL5UVm0qD7Cu S9RJop9AZ6aWs3b7CNgBvoteysqjfToRf7vaeYxSNg9DBdJMcntwq+NYy/pj4MPE jSXksHFT4YOzUZJfmRXqLU31BeoEJrKOBpjgADNG38IfvLjSQy3k2cl5FyZ5t31H IKOSb9qQI1uJs44ld9bWdtCdBl+VtPyi/Qkr1CdRbjJi6VN1TJhORofk+QL/ZDOU rNDDB7KeCQzTx5ue6pCYWxnQ0GoYGTmUKpm52JcHhw98B2o/vm0Di45Q3/9ByXi5 Jgjm/NltHjtyp7GUsr0e7uXVt1YYUW4LcZ4jBthj03lkM9KVb9F/YPGEBfr3V6Sd 34idW/Amhqk6OZcKuGx6 =49Ep -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f6f07479-e436-f473-df5a-392f029acd9a%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How do I install packages to a template over a VPN?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2016-06-23 12:03, James Ward wrote: > I'm reinstalling to clean up all the experimenting I did yesterday > just to get a fresh start, but I do have one more question I can't > seem to find the answer to. How do I make the default user the > same as dom0 (i.e. jeward in my case)? I regularly ssh into other > system as jeward and this would just be so much more convenient > than "user". > Not certain about this, but I think "user" might be hardcoded. Maybe someone else knows of a way to change it without breaking stuff, but I'm not personally aware of one. P.S. - Please avoid top posting. > On Thursday, June 23, 2016 at 9:16:56 AM UTC-7, Chris Laprise > wrote: >> >> There is an issue with updating a template over a vpn: The >> intercepting updates proxy normally runs in sys-net, which can't >> see inside the encrypted vpn traffic. This may be a cause of the >> problem, however it should really only manifest if you are using >> yum/dnf; Programs like wget should be able to access the net OK >> if you've set the template's firewall setting to 'allow...'. >> >> Another thing to look out for when using qubes-setup-dnat-to-ns >> is that it needs the vpn-specific nameservers entered into >> /etc/resolve.conf (in the vpn vm) before its run. This has to be >> done each time the vpn vm boots, unless you change it in the >> template. >> >> In my previous message, I mentioned you could download the >> packages in an appvm then transfer them to the template vm for >> installation. Another possible solution is to create a Standalone >> appvm: It will permanently accept installed programs and also be >> able to access the net like a template-based appvm. >> >> Chris >> - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJXbMUrAAoJENtN07w5UDAwUyMQANCOqvog+eFBkAXYOZQF5y7b 5t6B9WNLsU+Z1DeoffHlY/FkHAl7UV30uPMxuvDG5Mpstaw+tJqg+C3Oh0knUPVz Y3EurFF0hnGsaamkPen+U4v6i5w+2b3QyyxX3P58kV8yIva5DC/l0tL4bFzY5z1D pex3FrUR8Lajm7JipMpHLluISg6yManh2FbrmVbIMQ5IadZ3PFeV2XbxViod/tjF onaZr+6/+/jrd3fDjryABsSC1Z4K91F12yjMobEsv5woxOi0yB4U+LUFCd+8HR7s mgaW/UoxXzIQgA+Zzgx8Ymuy4Jqk/flIBsGt/dJ9CL01rt/GvglP6bKTBnyj4e0r VsgB4fEBcZ+FSiRugo79diTSZYGr91z3/OiJ1fUh6JHew/G1YcscZwl7oYgUpTSz hoXn8uBLpfMs6Ki08YGBAWgufb6ejJ3Fnpb+LEavByvFnJR/WYqf5EGurtdkmTqI wkpAswiOvtf6BpAFrqINBvEQMIHYNb0sPe0qtJPzK3asBr5SIk5Trx9svShcvrhz e84/ALhUvXLZHbsN9XH+R0LTyhjiArCmpyblUPOG+Xb6Fk+D5MH7ogTUEZNJ3ZlI rmu83Omzgn+sNBnykr2RNXo7Z6hKrzHmMUBmLIZi+qQXcS2uu2LsAM/D0sRLaDRU DB9w8tPaHTP+IRLbBI4n =jngm -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b4e4ed73-6723-f85f-c6a3-927daa753082%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How do I install packages to a template over a VPN?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 06/23/2016 06:16 PM, Chris Laprise wrote: > There is an issue with updating a template over a vpn: The > intercepting updates proxy normally runs in sys-net, which can't > see inside the encrypted vpn traffic. This may be a cause of the > problem, however it should really only manifest if you are using > yum/dnf; Programs like wget should be able to access the net OK if > you've set the template's firewall setting to 'allow...'. I'm usually commenting out the yum/dnf proxy for such templates. in case of fedora 23 /etc/dnf/dnf.conf You will find the qubes proxy related line, comment out that line, and the update will be successful. - -- Zrubi -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQIcBAEBCAAGBQJXbE+JAAoJEC3TtYFBiXSvl+IP/iL4KkBq5/liHyKfS0KlTcCv 8PsiLfIZ901cWDk/oTZXtUMO0IPhdx4Jm0RYYe4TOqNGyDm5rqAPx5BOTp9Voixp 4Y/Ecxfikp8ZwsK/xs07UorL3QNnFRzgrM5zk/AfJ8ztyDwXsYQ3MBP6h1HA78Zf I5d4OSJsMPXCIL8NX1sMOJE8qxwnWbCTnFVSYdF8R7PwCBlQyla8V+zOHXiJ0AaK 8bfqE/xw79SahOhs7RTYRykGtbswdjD8JxKGSoHPBK/MozkqeeBBQZ772XBORFxZ y5ldAgiQJDb2MvIXHMzP+UnB8DYpOjOwKo8/xdXEq2O5mSgoC3ccqTkIbP7HhOxA MwEBzSsz8e32c7QVaZK16mBdh4mrTIJk3hI8ARJR1GkE+OIQ4Vaf5/jJjCjsgRGh M2809aLRr0xJBPddoA20NbVb0/8jmafaD9NNmWZSYdZG4NUvUMM8tZLG3fkDWXjo qWg0Qp7EZscvWARNObMuD35Peek8p0N294y37WdfhpYQEnvlDfMaIxFqP/egYOjv J4s7McN6EN6ZBFUOe8RpRJKL6ZckkWCqX4GBInk4eXGVjfPguCkeElStDZBzVjC/ ReG9LL7RThblU6X+ikeqnhKDALiurXu7qR1pojSipYyNRLZ7YLzyXy/DJ+lum8kO y3wDi9k3kC5ADL03Yrif =4xyN -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c131abc4-3f49-42f6-b9aa-3a59c439bd3a%40zrubi.hu. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How do I install packages to a template over a VPN?
I'm reinstalling to clean up all the experimenting I did yesterday just to get a fresh start, but I do have one more question I can't seem to find the answer to. How do I make the default user the same as dom0 (i.e. jeward in my case)? I regularly ssh into other system as jeward and this would just be so much more convenient than "user". On Thursday, June 23, 2016 at 9:16:56 AM UTC-7, Chris Laprise wrote: > > There is an issue with updating a template over a vpn: The intercepting > updates proxy normally runs in sys-net, which can't see inside the > encrypted vpn traffic. This may be a cause of the problem, however it > should really only manifest if you are using yum/dnf; Programs like wget > should be able to access the net OK if you've set the template's > firewall setting to 'allow...'. > > Another thing to look out for when using qubes-setup-dnat-to-ns is that > it needs the vpn-specific nameservers entered into /etc/resolve.conf (in > the vpn vm) before its run. This has to be done each time the vpn vm > boots, unless you change it in the template. > > In my previous message, I mentioned you could download the packages in > an appvm then transfer them to the template vm for installation. Another > possible solution is to create a Standalone appvm: It will permanently > accept installed programs and also be able to access the net like a > template-based appvm. > > Chris > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3b62f762-7c1e-40de-a91e-7cc4f9b7c5c3%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How do I install packages to a template over a VPN?
Standalone Appvm sounds like the way to go. I'll look for instructions! Thanks! On Thursday, June 23, 2016 at 9:16:56 AM UTC-7, Chris Laprise wrote: > > There is an issue with updating a template over a vpn: The intercepting > updates proxy normally runs in sys-net, which can't see inside the > encrypted vpn traffic. This may be a cause of the problem, however it > should really only manifest if you are using yum/dnf; Programs like wget > should be able to access the net OK if you've set the template's > firewall setting to 'allow...'. > > Another thing to look out for when using qubes-setup-dnat-to-ns is that > it needs the vpn-specific nameservers entered into /etc/resolve.conf (in > the vpn vm) before its run. This has to be done each time the vpn vm > boots, unless you change it in the template. > > In my previous message, I mentioned you could download the packages in > an appvm then transfer them to the template vm for installation. Another > possible solution is to create a Standalone appvm: It will permanently > accept installed programs and also be able to access the net like a > template-based appvm. > > Chris > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3fcde457-dadf-4c75-87d9-2e554fc8d8ac%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How do I install packages to a template over a VPN?
There is an issue with updating a template over a vpn: The intercepting updates proxy normally runs in sys-net, which can't see inside the encrypted vpn traffic. This may be a cause of the problem, however it should really only manifest if you are using yum/dnf; Programs like wget should be able to access the net OK if you've set the template's firewall setting to 'allow...'. Another thing to look out for when using qubes-setup-dnat-to-ns is that it needs the vpn-specific nameservers entered into /etc/resolve.conf (in the vpn vm) before its run. This has to be done each time the vpn vm boots, unless you change it in the template. In my previous message, I mentioned you could download the packages in an appvm then transfer them to the template vm for installation. Another possible solution is to create a Standalone appvm: It will permanently accept installed programs and also be able to access the net like a template-based appvm. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c769cf1b-7ef9-d941-fa26-50bfc1edf321%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How do I install packages to a template over a VPN?
On 06/22/2016 05:50 PM, james.e.w...@gmail.com wrote: My employer supports Fedora as a workstation OS, but it requires a lot of software be applied and that software must be obtained over their VPN. What I have tried: 1. clone fedora-23 to OCfedora-23 2. download two VPN rpms from a VM and copy them over to the OCfedora-23 template 3. install and configure VPN on the OCfedora-23 template Now this all works great. I can connect to the work VPN on the template, but I am unable to install my employer's software onto the template. Bear in mind, I can install the same software into a VM based off the template, but would have to reinstall/reregister the VM (with my employer) on every boot. I set up the VPN in a proxy VM and run qubes-setup-dnat-to-ns and directed the template to use that to no avail. Template net access is generally blocked, except it can access normal software repositories through the Qubes update proxy. So if your employer doesn't have a repo to add to your template's /etc/yum.repos.d then you'll have to go around it. You've already supplied a hint to one possible solution: Create a new appvm connected to the vpn vm, then grab all the rpm files you need using wget or similar. Then qvm-copy those rpm files into the template vm and use 'dnf rpmfolder/*rpm' to install them. Another way is to go into the template's firewall settings and temporarily enable all access for 5 min. and install directly into the template. Software install times out on dnf install from an http://site.on.the.vpn. I tried a wget and it also times out. There's something different about a template that prevents this as the same installation script works fine on a VM based on the same template. Can someone tell me what this is? Thanks in advance, James Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/7668a57e-2f57-28f5-7729-9fb1f28b4065%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
[qubes-users] How do I install packages to a template over a VPN?
My employer supports Fedora as a workstation OS, but it requires a lot of software be applied and that software must be obtained over their VPN. What I have tried: 1. clone fedora-23 to OCfedora-23 2. download two VPN rpms from a VM and copy them over to the OCfedora-23 template 3. install and configure VPN on the OCfedora-23 template Now this all works great. I can connect to the work VPN on the template, but I am unable to install my employer's software onto the template. Bear in mind, I can install the same software into a VM based off the template, but would have to reinstall/reregister the VM (with my employer) on every boot. I set up the VPN in a proxy VM and run qubes-setup-dnat-to-ns and directed the template to use that to no avail. Software install times out on dnf install from an http://site.on.the.vpn. I tried a wget and it also times out. There's something different about a template that prevents this as the same installation script works fine on a VM based on the same template. Can someone tell me what this is? Thanks in advance, James -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/fbc140cc-94e4-4218-8095-3a73d346296f%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
