Instant Workstation - Use FreeBSD in web browser

Most likely due to default UseDNS yes in /etc/ssh/sshd_config. Change defaults to no and try then (note sshd has to be restarted, or image redeployed in this case).
Thank you, your suggestion resolves the issue. I have updated the FreeBSD image on Instant Workstation with your fix.
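Added example (not code from the thread or from the Instant Workstation project): a small checker that reports the effective UseDNS value of an sshd_config and rewrites it to "no", following sshd's own parsing rules (comments, case-insensitive keywords, first occurrence of a keyword wins, nothing after a Match block counts as global). The sample config and the assumption that an unset UseDNS means "no" are mine, not the thread's.

```python
"""Report and fix the effective UseDNS setting in an sshd_config file.

Added example (not from the thread or the Instant Workstation project).
Assumes OpenSSH parsing rules: '#' starts a comment, keywords are
case-insensitive, keyword and value are separated by whitespace or '=',
the first occurrence of a keyword wins, and UseDNS is only valid in the
global section (before any Match block).
"""
import re
import sys

# Constructed sample: a commented-out line, mixed keyword case, a duplicate
# (the later 'no' is ignored because the first occurrence wins), and a Match
# block whose contents must not be treated as global settings.
SAMPLE_SSHD_CONFIG = """\
# sshd_config sample (constructed)
#UseDNS no
Port 22
usedns yes
UseDNS no
Match User bob
    X11Forwarding no
"""

LINE_RE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*?)\s*$")


def parse_global_section(text):
    """Return {keyword.lower(): value} for the global section of sshd_config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break  # everything after the first Match is conditional, not global
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def effective_usedns(text):
    """Return 'yes' or 'no'. Assumes the compiled-in default is 'no' when the
    keyword is absent (OpenSSH's default since 6.8; a vendor-shipped config,
    as in the thread, may set it to 'yes' explicitly)."""
    value = parse_global_section(text).get("usedns", "no").lower()
    return "yes" if value == "yes" else "no"


def set_usedns_no(text):
    """Return the config with the first active UseDNS line replaced by
    'UseDNS no', or with that line inserted before any Match block if none
    exists. sshd must still be restarted (or the image redeployed)."""
    out, done, in_match = [], False, False
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line) if line and not line.startswith("#") else None
        key = m.group(1).lower() if m else None
        if key == "match":
            in_match = True
        if key == "usedns" and not done and not in_match:
            out.append("UseDNS no")
            done = True
        else:
            out.append(raw)
    if not done:
        idx = next((i for i, l in enumerate(out)
                    if l.strip().lower().startswith("match")), len(out))
        out.insert(idx, "UseDNS no")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python usedns_check.py [/etc/ssh/sshd_config]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_SSHD_CONFIG
    print("effective UseDNS:", effective_usedns(text))
```

Run it against a real file to see what sshd will actually use; with UseDNS yes, every login waits on a reverse lookup of the client address, which is the slow-connect symptom the thread is about.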

He's forwarding VNC ports of given VMs (on host) to outside completely; VMs run on isolated network.
Indeed, the VNC server is running on the host and not inside the VM. However the SSH server is running inside the virtual machine. Connecting to the SSH server inside the virtual machine from outside is made possible by forwarding a certain host port (e.g. 35022) to port 22 (SSH) of the virtual machine. The virtual machine is isolated from the outside world using QEMU's restrict option. The restrict option can be selectively overridden which is described in more detail in the QEMU documentation. The Instant Workstation virtual machines use these QEMU networking parameters: -device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::35022-:22,,smb=<some path>,restrict=yes

This seems to block everything except for the host SSHing into the guest and the guest being able to connect to the SMB share. I'm not a networking expert so not sure if this is totally foolproof but at least in my exploratory testing I was not able to circumvent these restrictions. SSHing from the guest into the host or other virtual machines running on the same host was blocked. Furthermore I was not able to mount an SMB share in the guest that was intended for a different virtual machine. Additionally I did not find a way to access the internet from within the virtual machine. Please let me know if there is a workaround to these restrictions.
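Added example (not code from the thread or from the Instant Workstation project): a parser for a QEMU "-netdev user,..." option string plus an audit of the isolation policy described above (user-mode networking, restrict enabled, only guest port 22 forwarded in). The option strings, the allowed-port list and the finding texts are constructed. One caveat worth knowing: in QEMU's option syntax a doubled comma is an escaped literal comma, so the ",,smb=" written in the post would be folded into the hostfwd value rather than read as a separate key; the sample below uses a single comma and shows the ",," escape only inside the smb path.

```python
"""Parse a QEMU '-netdev user,...' option string and audit its isolation.

Added example (not from the thread or the Instant Workstation project).
Assumes QEMU's option syntax: comma-separated key=value pairs, a literal
comma inside a value written as ',,', and
hostfwd=[tcp|udp]:[hostaddr]:hostport-[guestaddr]:guestport.
"""

# Constructed strings: the first mirrors the thread's setup (one SSH forward,
# an SMB export, restrict=yes; the export path contains an escaped comma);
# the second forwards an extra guest port and leaves restrict off.
NETDEV_ISOLATED = "user,id=net0,hostfwd=tcp::35022-:22,smb=/srv/vm,,a,restrict=yes"
NETDEV_OPEN = "user,id=net0,hostfwd=tcp::35022-:22,hostfwd=tcp::35080-:80,restrict=off"


def split_qemu_opts(optstr):
    """Split on ',' while turning ',,' into a literal comma."""
    fields, cur, i = [], [], 0
    while i < len(optstr):
        if optstr[i] == ",":
            if optstr[i + 1:i + 2] == ",":
                cur.append(",")
                i += 2
                continue
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(optstr[i])
        i += 1
    fields.append("".join(cur))
    return fields


def parse_hostfwd(rule):
    """Parse one hostfwd rule; the protocol defaults to tcp when omitted."""
    proto = "tcp"
    if rule[:4] in ("tcp:", "udp:"):
        proto, rule = rule[:3], rule[4:]
    host, guest = rule.split("-", 1)
    hostaddr, hostport = host.rsplit(":", 1)
    guestaddr, guestport = guest.rsplit(":", 1)
    return {"proto": proto, "hostaddr": hostaddr, "hostport": int(hostport),
            "guestaddr": guestaddr, "guestport": int(guestport)}


def parse_netdev(optstr):
    """Return {'type': ..., 'hostfwd': [rule, ...], other keys: value}."""
    fields = split_qemu_opts(optstr)
    opts = {"type": fields[0], "hostfwd": []}
    for field in fields[1:]:
        key, sep, value = field.partition("=")
        if key == "hostfwd":
            opts["hostfwd"].append(parse_hostfwd(value))
        else:
            opts[key] = value if sep else "on"  # bare flag means enabled
    return opts


def audit_netdev(opts, allowed_guest_ports=(22,)):
    """Return a list of findings; an empty list means the thread's policy
    holds: user-mode networking, restrict on, only SSH forwarded in."""
    findings = []
    if opts["type"] != "user":
        findings.append("not user-mode (SLIRP) networking; restrict= does not apply")
    if opts.get("restrict", "off").lower() not in ("yes", "on", "y", "true"):
        findings.append("restrict is off: guest can reach the host and beyond")
    for fw in opts["hostfwd"]:
        if fw["guestport"] not in allowed_guest_ports:
            findings.append("hostfwd exposes guest port %d on host port %d"
                            % (fw["guestport"], fw["hostport"]))
    return findings


def listening_host_ports(opts):
    """(bind address, host port) pairs the host will listen on for this VM;
    an empty bind address means QEMU listens on all host interfaces."""
    return [(fw["hostaddr"] or "*", fw["hostport"]) for fw in opts["hostfwd"]]


if __name__ == "__main__":
    for label, s in (("isolated", NETDEV_ISOLATED), ("open", NETDEV_OPEN)):
        opts = parse_netdev(s)
        print(label, listening_host_ports(opts), audit_netdev(opts) or "OK")
```

The audit only checks what the option string declares; restrict=yes still allows the built-in SMB and hostfwd paths by design, which matches what the exploratory testing above observed. Note that a hostfwd with an empty host address listens on every host interface, so a firewall in front of the host is what keeps those forwarded ports from being reachable by anyone else.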
 
As I said in my previous post, I do like this idea. While vagrant might be able to provide similar things the UI is what makes it better. And I absolutely love the upload/download UI for it. It has some nice features, it's intuitive and simple.

Now I was pumped by pwning RedHat's RHRE image recently /again/ and due to my pwn withdrawals .. look ma, host machine!
Code:
root@Debian-bookworm-latest-amd64-base ~ #  uname -a
Linux Debian-bookworm-latest-amd64-base 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64 GNU/Linux
root@Debian-bookworm-latest-amd64-base ~ #
So nice to meet you HB. :)

Please send me a message here on forums, we can meet on IRC, I'll let you know how.

Now, while I can tell you I didn't do anything, and it is true, you know what they say about a hacked machine .. (never trust it!).
 
Indeed, the VNC server is running on the host and not inside the VM. However the SSH server is running inside the virtual machine. Connecting to the SSH server inside the virtual machine from outside is made possible by forwarding a certain host port (e.g. 35022) to port 22 (SSH) of the virtual machine. The virtual machine is isolated from the outside world using QEMU's restrict option. The restrict option can be selectively overridden which is described in more detail in the QEMU documentation. The Instant Workstation virtual machines use these QEMU networking parameters: -device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::35022-:22,,smb=<some path>,restrict=yes

This seems to block everything except for the host SSHing into the guest and the guest being able to connect to the SMB share. I'm not a networking expert so not sure if this is totally foolproof but at least in my exploratory testing I was not able to circumvent these restrictions. SSHing from the guest into the host or other virtual machines running on the same host was blocked. Furthermore I was not able to mount an SMB share in the guest that was intended for a different virtual machine. Additionally I did not find a way to access the internet from within the virtual machine. Please let me know if there is a workaround to these restrictions.
Ever hear of the principle of least privilege?

You start by blocking absolutely EVERYTHING, and then only open the ports you actually need (SSH, VNC, HTTP, whatever).

But your systems... They do sound pretty open. If you close off a port at random and then discover that you cannot mount an SMB share, that means nothing. That same closed-off port/subnet/network interface can also block off lots of other things. And debugging firewall issues is a major headache even for professionals - even if they know how to spot config mistakes.

I realize I'm splashing some cold water on what's frankly not a bad idea...
 
And I absolutely love the upload/download UI for it. It has some nice features, it's intuitive and simple.
Credit for the file upload/download UI goes to the filebrowser project.

Please send me a message here on forums, we can meet on IRC, I'll let you know how.
Thank you for reporting the vulnerability and helping to fix it. As stated in my first post this website is still in early stages and there are probably some bugs, and it seems some vulnerabilities too. Work on this website continues.

Edit: I've now enabled the file/folder upload/download feature in FreeBSD. To access uploaded files/folders you need to run "smbclient -N //10.0.2.4/qemu" in the virtual machine. Then type help if unsure how to use smbclient. I tried using mount_smbfs to mount the SMB share however it always fails with "mount_smbfs: unable to open connection: syserr = RPC struct is bad". Not sure why it works with smbclient but not with mount_smbfs.
 
<https://forums.freebsd.org/threads/50-years-of-unix.81907/> blasts from the past:


If web access doesn't work, try ssh …

Code:
SDF Public Access UNIX System presents ...

   /~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/
   /~/~ H Y S T E R I C A L ~ U N I X ~ S Y S T E M S ~/~/
   /~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/

    [a]  UNICS (Version Zero)   PDP-7       Summer   1969
    [b]  First Edition UNIX     PDP-11/20   November 1971
    [c]  Fifth Edition UNIX     PDP-11/40   June     1974
    [d]  Sixth Edition UNIX     PDP-11/45   May      1975
    [e]  Seventh Edition UNIX   PDP-11/70   January  1979
    [f]  Research UNIX 8        VAX-11/750           1984
    [g]  AT&T UNIX System III   PDP-11/70   Fall     1982
    [h]  AT&T UNIX System V     PDP-11/70            1983
    [i]  AT&T UNIX System V     3b2/400              1984
    [j]  4.3 BSD                MicroVAX    June     1986
    [k]  2.11 BSD               PDP-11/70   January  1992
    [w]  What's running now?
    [q]  QUIT (and run away in fear!)

    User contributed tutorials are at https://sdf.org/?tutorials/unix50th
    Want persistent images? networking? more ttys? Join https://sdf.org

Your choice?

(A few running since 2023.)
 