[SOLVED] How to connect remote with ssh public key?

carsten2
Mar 25, 2017
I have a backup server which can reach a remote server via ssh and public key authentication when logged in as root (using an alias in .ssh/config).
When I start a sync job however it gives an error that the server is not reachable. Does it not use ssh to connect? With which user is the sync job running?
 
Does it not use ssh to connect?

No ssh is used, only the HTTPS API. Just ensure that TCP port 8007 is reachable.

With which user is the sync job running?

A sync job uses a "remote", a remote is a combination of IP/host address and user credentials.
So the user which you set for the remote you configured for a sync job is used.
 
Thanks. Some questions about security (PBS is installed on a proxmox server):
1) The cert fingerprint is used to ensure the remote identity, only correct?
2) Is the fingerprint from the publicly visible certificate?
3) If port 8007 is open to the public, the password is the only means to protect from unauthorized access?

I ask because the internal passwords are often not strong enough to protect an internet resource. E.g. with ssh I use shorter passwords for access from the local LAN but disable passwords for WAN and use public key authentication instead, which is much safer.
 
The cert fingerprint is used to ensure the remote identity, only correct?

Exactly, it's for avoiding a man-in-the-middle attack, if one can redirect the hostname or get somehow else between you and the server.
For self-signed certs this is required, you could omit it for certificates trusted by the system, if you want.

2) Is the fingerprint from the publicly visible certificate?

Yes, as you can verify by using your web browser's certificate information and comparing it with the one from the overview "Show Fingerprint" helper.

3) If port 8007 is open to the public, the password is the only means to protect from unauthorized access?

If you do not further protect it, then yes. You can always do things like fail2ban, firewall it off for known OK src/dst IPs (for sync jobs, just fine), not using root but a more limited user for stuff like backups, remote-syncs...
https://pbs.proxmox.com/docs/administration-guide.html#access-control

I ask because the internal passwords are often not strong enough to protect an internet resource. E.g. with ssh I use shorter passwords for access from the local LAN but disable passwords for WAN and use public key authentication instead, which is much safer.

Why not simply set a strong password then? Comparisons between asymmetric and symmetric encryption are hard to do right and in a meaningful way, but there is no reason to believe that, for example, a 64-byte (512-bit) symmetrically used password is weaker than a 4096-bit asymmetric RSA key - especially for automatic scheduled things like remote syncs, where the private key cannot be additionally encrypted symmetrically like it's often done with SSH.

Rather one should use the planned features of TFA for interactive and powerful users, and API tokens with minimized permissions for non-interactive uses.

FWIW: if you really want, you can use SSH or wireguard to establish an asymmetric key protected tunnel between two servers and do everything through them.
 
Is it possible to change the remote port from 8007 to something else? Can it be specified anywhere (e.g. hostname : port)?
 
Why would you want to do this? There is absolutely no benefit in changing a port.

The remote server is behind a firewall but public key SSH access is possible, so I could set up a simple SSH tunnel with
Code:
ssh -L 9007:localhost:8007 remoteserver
to forward connections to "localhost port 9007" to the "remote host port 8007" and then specify "localhost:9007" as the remote host on the local PBS.

I cannot use port 8007 on the local PBS, because this port is already taken by the local PBS itself.

You can always do things like fail2ban, firewall it off for known OK src/dst IPs
fail2ban needs a parser for each specific application. Is there one provided for PBS? The IP solution is not possible because of the dynamic IP on the local PBS.
 
Thanks for this interesting software tip, and I will try.

However, I would prefer to only open the one necessary port to the remote PBS, not the whole network. For this I need to change the remote port from 8007 to something else. Any suggestion how to do this?
 
Or just do a local forwarding tunnel: ssh -L 8007:localhost:8007 user@pbs-host
This is not possible because the local port 8007 is already taken by the local PBS. Therefore the local port must be different,
ssh -L 8008:localhost:8007 user@pbs-host
But now it is not possible to specify localhost:8008 in the remote host in PBS, because the port 8007 seems to be fixed. It should be possible to specify the remote port in the remote host specification.
 

Works fine. Very nice tool. Standard port forwarding with ssh does not work, because it needs a local port different from 8007, which cannot be specified in PBS. With sshuttle however, it is very easy; the remote host is specified with its remote internal LAN IP, so port 8007 can be used.
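The two points the thread settles are that the remote's identity rests on the SHA256 fingerprint of its publicly visible certificate (the answer to question 2 above) and that an sshuttle route lets the remote keep its LAN address with the fixed port 8007 (the last post). The script below is an added example, not code from the thread or from Proxmox: it routes through sshuttle, fetches the certificate the remote presents, computes the fingerprint the same way the PBS "Show Fingerprint" helper displays it (SHA256 over the DER encoding, colon-separated hex), and compares it against a value you obtained out-of-band. The gateway, subnet, host and expected fingerprint are placeholders; the only real tools used are sshuttle, openssl and sha256sum.

```shell
#!/bin/sh
# Added example (not from the thread): pin a remote PBS certificate by
# fingerprint before adding it as a remote, optionally over an sshuttle route.
# Gateway, subnet, host and expected fingerprint below are placeholders.

# Route the remote LAN through an SSH login on the gateway. The remote PBS is
# then reachable on its own LAN address and the fixed port 8007, so there is
# no clash with the local PBS listening on 8007 (run this in its own terminal).
start_route() {
    gateway="$1"      # placeholder, e.g. backup@ssh-gateway.example
    lan_subnet="$2"   # placeholder, e.g. 192.168.10.0/24
    sshuttle -r "$gateway" "$lan_subnet"
}

# SHA256 fingerprint of a PEM certificate's DER form, printed as colon-
# separated upper-case hex (the form shown by the browser and by PBS).
pem_fingerprint_sha256() {
    openssl x509 -in "$1" -outform DER | sha256sum | cut -d' ' -f1 \
        | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# Fetch the leaf certificate a TLS server presents and fingerprint it. Only the
# fingerprint is compared, so no CA trust is needed and self-signed certs work.
remote_fingerprint_sha256() {
    host="$1"
    port="${2:-8007}"
    tmp=$(mktemp)
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$tmp"
    pem_fingerprint_sha256 "$tmp"
    rm -f "$tmp"
}

# Compare two fingerprints ignoring case and colons. Returns 0 on a match and
# 1 otherwise; an empty fingerprint (fetch failed) never matches.
verify_fingerprint() {
    a=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':')
    b=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ':')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage with placeholders:
#   start_route backup@ssh-gateway.example 192.168.10.0/24   # separate terminal
#   got=$(remote_fingerprint_sha256 192.168.10.5 8007)
#   verify_fingerprint "$EXPECTED_FINGERPRINT" "$got" && echo "fingerprint matches"
```

The expected fingerprint should come from the remote itself (its "Show Fingerprint" helper or the browser's certificate dialog when connected locally), never from the connection being verified; a mismatch means you are not talking to the server you think you are, and the remote should not be added until that is understood.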
 