Hello, I need help with my SSH tunnel to monerod

Following this guide: github.com/jonathancross/jc-docs/bl…sh_tunnel_to_full_node.md#hardening

I'm getting monerotunnel⊙111: Permission denied (publickey)

Confirmed that I imported the correct RSA key to ~/.ssh/authorized_keys on the node server

and did "sudo service restart ssh"

check the logs, /var/log/auth.log or so

probably the permissions on ~/.ssh are wrong. logs will tell you, if so

ndorf: on the server or the client?

Authentication refused: Bad ownership

of authorized keys file

yep

so I just set allow all users to read the file

right?

the owner must be the user or root

probably your regular user owns it now? that's not allowed

IOW: if you followed the guide exactly, the file and dir must be owned by sshtunnel or root.

if root, then you also have to ensure that sshtunnel can *read* it, otherwise you'll get a different error.

right now, the reason sshd is complaining is that some third user can write to the file.

ndorf, I used sudo su to write the key to authorized_keys and i'm still getting auth error...

nevermind, new error message

deprecated RSAghost

ls -ld ~sshtunnel/.ssh ~sshtunnel/authorized_keys

oh.

what exactly does it say?

ndorf

ndorf: Aug 30 19:58:38 node-P5QL-PRO polkitd(authority=local): Operator of unix-session:c2 FAILED to authenticate to gain authorization for action org.gtk.vfs.file-operations for unix-process:1685:13867 [nemo /home/node] (owned by unix-user:node)

oh gosh, i don't know about that one, sorry

Aug 30 19:59:26 node-P5QL-PRO sshd[4291]: Connection closed by authenticating user tunnel 192.168.1.26 port 51952 [preauth]

polkit and gvfs are evil. lol

fark

this is clean install as well

which distro?

linux mint 20

but i updated all the packages

so ubuntu basically...

did you try connecting as a normal user, without all the hardening steps?

not yet

that might help narrow it down. you can create a temp one and then delete after

Okay, Ijust did

connect to a normal user

it worked

now I tried to connect as the tunnel user and I get an auth error that the RSA key changed

so I'll try to sort that one out first

ok permission denied again...

the host key? you're getting "man in the middle" warning?

yeah

that's weird, assuming you didn't just regenerate those

ndorf: Logged into a non-existent server

oops

user***

so it was from before my fresh install

ah, ok

Aug 30 20:05:58 node-P5QL-PRO sshd[4551]: Connection closed by authenticating user tunnel 192.168.1.5 port 42620 [preauth]

that's the freshest one

still "Permission denied (public key)"

any others from polkitd aside from the one you already posted?

ah. i must connect to correct port

at 18081 oops lol

because I did the hardening

can't just do regular ssh

well, i don't think that's it, because authentication needs to succeed first in any case

Oh shit, I was executing those command while ssh'd as regular user lol

well that explains a lot

which?

normal user on the remote node

i was trying to ssh into itself

oops. so does it work the right way?

let me restart my machine first

my client

is it a windows box or something? lol

Aug 30 20:10:25 nodlr-P5QL-PRO sshd[4746]: Connection closed by authenticating user nodetunnel 192.168.1.26 port 51990 [preauth]

Nah, linux mint as well

I don't use Windblows for crypto unless I have a hardware wallet

Aug 30 20:10:25 node-P5QL-PRO sshd[4746]: Connection closed by authenticating user tunnel 192.168.1.26 port 51990 [preauth]

port should be 18081 not 51990

hardening blocks all ports for traffic except 18081

nah, that's the source port for the ssh connection

it's just random

so aside from that message, are there any others?

still getting the stuff from polkitd? any other messages from that service?

nope

Just Aug 30 20:10:25 node-P5QL-PRO sshd[4746]: Connection closed by authenticating user tunnel 192.168.1.26 port 51990 [preauth]

with an ever increasing port number

with increasing attempts

yep that's fine

so there is nothing except this connection closed now?

can you try running the client with -v option?

ssh -v ...

permission denied with a bunch of logs

you can use paste.debian.net or similar to paste a bunch of logs

just look them over for anything sensitive first

ndorf: paste.debian.net/hidden/8867dcf1

It is set to block traffic except for 18081 so default 22 port probably won't work

I wrote a script that worked before and it doesn't work anymore :/

because of the public key auth denied

hey, sorry

port 22 is definitely not blocked, since you can see your client connects and tries a few keys before giving up

ls -ld ~sshtunnel/.ssh ~sshtunnel/authorized_keys ~sshtunnel

^ can you do that so we can rule out all the permissions at once

ls -ld ~nodetunnel/.node ~nodetunnel/authorized_keys ~nodetunnel

ndorf: Done that and restarted ssh service

still public auth key

Aug 30 21:03:16 nodlr-P5QL-PRO sshd[5900]: Connection closed by authenticating user nodetunnel 192.168.1.26 port 39014 [preauth]

what is the output of the ls command? should be 3 lines

on client or server?

on the server. this one 21:39 < ndorf> ls -ld ~nodetunnel/.node ~nodetunnel/authorized_keys ~nodetunnel

ls: cannot access '/home/nodetunnel/.node': No such file or directory

ls: cannot access '/home/nodetunnel/authorized_keys': No such file or directory

drwxr-xr-x 5 nodetunnel nodetunnel 4096 Aug 30 19:33 /home/nodetunnel

ndorf:

i'm using .ssh and .ssh/authorized_keys

so I did replace the correct lines

sorry, i don't know how i mangled the command

ls -ld ~nodetunnel/.ssh ~nodetunnel/.ssh/authorized_keys ~nodetunnel

ndorf: drwxr-xr-x 5 nodetunnel nodetunnel 4096 Aug 30 19:33 /home/nodetunnel

drwx------ 2 root root 4096 Aug 30 21:08 /home/nodetunnel/.ssh

-rw-r--r-- 1 root root 750 Aug 30 21:08 /home/nodetunnel/.ssh/authorized_keys

yeah

do this:

sudo chgrp nodetunnel ~nodetunnel/.ssh && sudo chmod 750 ~nodetunnel/.ssh

done

it should work now.

looks successful

so what was wrong? dumbed down

the 'nodetunnel' user could not read its own .ssh directory, it was readable only by root

and sshd changes to the target user before reading that file.

ah. because I created the file as root

not as nodetunnel

yes

it's better to have the file owned by root, in this case

so that only root can change it

but you need this extra step so that the original user can still *read* it

file *and* dir owned by root, i should say

freaking linux and it's permissions

oh wells

I was reading that I can just set some things but it's just better to adjust the permissions on the dir/file

hehe

like loosen up some security stuff

dunno why you'd want to loosen up any security stuff. you only need to get the permissions right once :)

btw, you can add two more options to the hardening config if you like jonathancross/jc-docs #16/files

it's the easier of the two. at a higher cost

"PermitListen none" and "PermitTTY no"

in sshd?

yup..

yes, under your Match User nodetunnel section

not that it isn't already hardened enough, but might as well

meh. only local users on the network can access it

I'm satisfied

yeah, this is already way more than good enough for that

thanks ndorf

you got it

Msg me your XMR address

not at all necessary, just glad to help

cool beans

I'm trying to support network by running node

and I got attacked because I left RPC open lol

they kept mining on my node

those bastards

oops, haha

Hope they enjoy those juicy 200h/s

not too bad a way to learn that lesson, honestly

at least they didn't get to your actual stuff

200h/s lol

Yeah it's a Q9550

It doesn't even support hardware AES lol

ouch

Yeah, I'm going to upgrade it slowly. Finally got my SSD in it today

i bought a rack server from ebay like that, xeon L5520 cpu

yeah, this is like a spare DDR2 Intel Core 2 Quad machine

fortunately the just barely better l5630 to replace it with are only $5 on ebay themselves :)

i got one of those in the closet

I don't keep any keys on my node server so they wouldn't be able to do anything i think

Like somehow redirect my transactions? I don't think that's really possible

yeah, not much

block your outgoing tx, sure, but only until you switch nodes

they could make you think you have a confirmed transaction from them that isn't real, probably

yeah, that would have to be an extremely specific attack lol

block my outgoing transactions, I would probably just spend some time to figure out how to get my node to work again

and restart monerod

I don't use 3rd party node and never used one for monero

diisssscoonneeeeeee ♪ ┗(＾0＾)┓ ♪

hey guys. I'm trying to use xmr.to, it's telling me "invalid monero amount", and that's all, any idea why it would be invalid?

"check amount data type" = ?

4,2 vs 4.2?

hm?

, or . as the decimal separator

might not even be an issue but only thing i came up with off the bat

yeah it's . - I copied the amount directly from my wallet and just pasted it in

is there maybe too many digits after the separater? there are 12

12 sired

how many subaddresses can an wallet handle ?

infinite

infinite -1 :P

what is also infitnite

i dont think thats true, theres a limit to how many you can access with the cli software at least

but, it would not decrease the performance of the wallet if we have alot fo subaddresses to check ?

im waiting for an update so i can access index 329502359024234634

I am making an payment processor, Im in doubt if I can just create one new subaddress for each transaction, or if I should reuse them after some time

2^32 accounts with 2^32 addresses each

MalMen: should not decrease performance, a lookup table is used

might increase required RAM

you can get quite far without any slowdown, but i only got into the tens of thousands when testing and not 329 quadrillion like azy

i generated that specific index, not every one up until that index

azy: to be clear, I meant "practically infinite"

it's unlikely any application will ever come close to the addressable limit

highly improbable

What about one specifically designed to try?

Only time is stopping it.

:P

yeah maybe i want to start at index a trillion and work backwards

i.ibb.co/wL0QppX/Untitled.png anyone know why this isn't working?

"invalid monero amount" soon as I click next

If you're going to ask questions about X and post a screenshot, don't hide the X. Unless you really don't want help.

I clicked 'use non java version' at the top, entered the xmr amount, and now I get a popup saying valid nearest amounts are the amount I entered but minus 3 or 4 of the last digits

removed the last 3, got to the next step

xmr.to doesn't like dust?

Looks like monero has been banned in Australia.

Link to a source?

Or just the vague delisting announcement?

I have yet to see any source for a governmental ban/regulation release

Doesn't mention Monero or cryptocurrency, but scanning now

oh this is that?

Its 2y old

Old links. From what I have read it the banks are debanking any exchange that trades monero in Australia

This doesn't seem in any way related to Monero or cryptocurrency for that matter

From what I see

Its about an encryption ban in general, which hasn't happened AFAIK

<duso "Old links. From what I have read"> Any link for that? I saw the one delisting announcement but nothing backing it up as of yet

Hmm

Confusing since they say things like this: "Exchanges that do not comply with the crackdown by either delisting all privacy coins or removing access to Australian traders by August 31 will be debanked." and yet say there isn't any official notive

*notice

So I'm not sure where they're getting that info

But interesting nonetheless

I remember when the Clinton admin tried to ban strong encryption in the 90's - everyone in the crypto industry just located elsewhere - Debian had split the distro into the "NON-US" versions - I wonder if that will happen with Australia

If Australia (a country notorious for violating technological access to privacy) is afraid of Monero then we're doing something right.

Although Verge being in the same list makes me chuckle, because obviously they have no real idea what they're doing

I still can't find any actual legislation relevant since 2018

So what regulation are they using to threaten debanking exchanges?

anyway, will have to use DEX's to buy in from now on. It's late, night all

what are they doing ? black magic ? lol

hm.

MalMen anicow

Not enough detail to worry ATM

exactly

thanks for the post

np!

Hey Guys! To all the javascript/react devs out there. hundehausen and I have gone through the pain of setting up monero-javascript with webpack to include react and tailwindcss. This setup process was tedious for us (we are also noobs and were only able to do it with expert help). But I thought i would dump the sekelleton here for everybody that wants to use it as a starting point.

why? well, react is awesome, so is monero, so is webassembly. monero-javascript gives you the option of creating CLIENT BASED BROWSER WALLETS. i.e. NON CUSTODIAL. how rad. Go nuts, i would love to see more react projects using monero wasm!!! github.com/AlexAnarcho/tipxmr

While I am at it: we are starting our OBS Livestream Bot here on github. github.com/hundehausen/tipxmr feel free to join in! Javascript and React is the most useful, but anybody familiar with Tailwindcss as a UI framework can contribute as well.

alexanarcho[m]: You linked the tip bot twice

@kayabaNerve no, one is my personal github, this is just the fork of the skelleton, i will not modify it. the other repo we will modify and extend to create the obs tipbot

Oh. Thanks for the clarification

np ;)

moneromooo, we need to raise the Monero tx fees for the miners. mETH miners are getting rich right now.

Monero miners want to be rich too.

Make a tx with a monero fee.

:D

> Ryan Taylor, the CEO of Dash — another privacy-oriented cryptocurrency — told Cointelegraph that there is a big difference between the DHS tracking Monero transactions versus personal transactions

lol scam

Aren't all transactions necessarily someones personal transactions?

Damn, I want to be CEO too!

Or do they cease to be personal when you're a dirty "criminal"

well, you see, money laundering is a crime

"You bunch of math criminals!"

"Quit hiding behind your math and cryptography and give over all your data to us"

Would it make any sense to add 'shielded pools' to monero, like in zcash? Or would it just not work with the present system?

what's the point?

You can sort of draw up a (very bad) txn graph as things are now

you couldn't do that with shielded pools, right?

There is no "unshielded pool" in Monero, so necessarily it's all "shielded"

It's just a different method of "shielding"

As shown in the recent Zcash "tracing", you can do the same sort of thing if you have enough external data

so you want more sender anonymity?

I'm not sure what you mean -- I want anonymity for both sender and receiver

Which is what we currently have, with some obvious nuance/caveats/risks as have been broken down at length in Breaking Monero and elsewhere

sethsimmons: Right, but zcash has a different kind - the anon set for the shielded pool (in theory) is all the users

whereas in monero, it's just your current ring size

In theory, and thats great if people both use it properly, and use it enough

But no one does either so it still leaks plenty of metadata to trace through

s/no one/few

The anon-set in Monero is not 11 as commonly shared/stated

It is also some sub-set of all users back along the chain of key images used in each ring signature

There isn't a set number because it depends on a lot of factors

But you gain anonymity set from each un-known decoy and all of the unknown decoys in the transaction graph up to that point for the decoy

If someone hacks and exchange and walks away with XMR 1 million, then what? They will know what txid it is, of course, and then those in the same ring will also be tainted

I'm not sure what you mean

If they get access to the hot wallet of an exchange and harvest the TX info?

Nothing would be tainted, as Monero is not interactive

You can have the decoy from a "bad" transaction without any interaction/choice

sethsimmons: If you steal a lot of money

and they know it was sent in transaction X

You're not actively choosing to participate with a "bad" user in any way

No, but they'll still be able to identify the stolen funds with accuracy ~ 1/11, no?

They can't tell if a key image/output is truly spent or not

If you transfer out money from an exchange wallet they know that those inputs are spent (if they recover the wallet after), but can't tell past that when funds are moved again, as they could just be decoys

realize that "anonymity set" is always relative to a starting point. if i send xmr from binance to my wallet, binance knows the true spending output, since it is their wallet. if i then send the xmr to somebody else, my anonymity set is 11 (as ring size is 11). the following tx has anonymity set of 121 (11x11) and so on. 11² essentially.

pls correct me if i m wrong, but it is impossible to tell the general anonymity set for a xmr tx

Thats the whole design of the system -- break any clear statistical/heuristic ties that let you say "this is 100% the true spend"

gotta love monero

really pumped for trypich or whatever its called

i don't think that's true

take any given transaction. you can walk "up" the chain of inputs as many times as you want

binance doesn't know if your output is really spent or not in a transaction you make

true

good point, so the chain can have my output as a decoy, but in reality it is still unspent

if you steal 1 million xmr, nobody will know just by looking at the chain. well maybe if you have tons and tons of inputs