By default, Whonix 18 does not allow SSH tunneling for VNC or Spice, preventing remote connections which used to work in Whonix 17. To replicate, attempt to SSH into a VPS or server using `5901:localhost:5901 myuser@serverip` after you have installed VNC or Spice on the VPS.
VNC and Spice are currently nonfunctional because SSH tunneling fails.
The xrdp package in the Debian repositories has a known vulnerability: https://security.snyk.io/vuln/SNYK-DEBIAN13-XRDP-15123462
This issue appears specific to Whonix 18 and likely affects Kicksecure 18 as well.
Current state (Whonix 18)
Remote administration via VNC or Spice is broken because SSH tunnels cannot be established.
We can connect by opening a port for VNC/Spice, but this is dangerous; we need the safety an SSH tunnel brings.
Notes
See the linked Snyk report for details on the xrdp vulnerability.
Patrick, after 24 hours of testing multiple OS images on the VPS, I am certain this is a Kicksecure/Whonix 18-specific issue and not related to the config files.
When attempting to create an SSH tunnel (`ssh -L 5901:localhost:5901 myuser@`), I consistently get: `22: getaddrinfo: fatal error: Bad value for ai_flags`. This occurs only with Kicksecure/Whonix 18; the same command succeeds from a vanilla Debian 13 instance and from other base VPS images.
This is not a configuration or Debian issue; it is specific to Kicksecure. Please advise on root cause and recommended mitigation. I tried changing all relevant config options.
I have the same problem. I agree it's probably because of the Kicksecure hardening, or some other SSH hardened config.
I removed `/etc/ssh/ssh_config.d/30_security-misc.conf` in a standalone workstation for testing and rebooted. Unfortunately, it didn't solve the problem; it must be some other config file.
@WhonixPink did you make any progress? If so, please post your updates to the thread.
I really need to port forward with SSH on Whonix WS…