option to use standard `ssh` client to connect to the peer's netbird ssh server
Is your feature request related to a problem? Please describe.
As expected, I can ssh to another peer via sudo netbird ssh <peer>.netbird.cloud
Describe the solution you'd like
But is it possible to connect to the same peer using standard ssh client? e.g. sudo ssh -p 44338 <peer>.netbird.cloud
Can I possibly extract the auto-generated key by netbird and feed it to the ssh command, -i option? If yes, where is it located.
I tried using the SSHKey in /etc/netbird/config.json by pasting it to a mykey file, but getting an error:
sudo ssh -p 44338 -i ./mykey -vv <peer>.netbird.cloud
the key seems too short anyway
debug1: Will attempt key: ./mykey explicit
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-dss>
debug1: kex_input_ext_info: [email protected] (unrecognised)
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: ./mykey
Load key "./mykey": invalid format
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
mic13@<peer>.netbird.cloud: Permission denied (publickey).
Additional context
The intention is to use pyinfra's ssh connector without having to install a separate sshd on the peer:
pyinfra @ssh/<peer>.netbird.cloud configure_peer.py
pyinfra can accept ssh keys, etc:
--ssh-user, --user TEXT SSH user to connect as.
--ssh-port, --port INTEGER SSH port to connect to.
--ssh-key, --key PATH SSH Private key filename.
--ssh-key-password, --key-password TEXT
SSH Private key password.
--ssh-password, --password TEXT
I would greatly appreciate the addition of this feature. The inability to use the default SSH client significantly limits the ways we can interact with the service. As a result, tools like PuTTY, WinSCP, and others are currently incompatible with the existing implementation.
The SSHKey field is an Ed25519 private key in PKCS#8 PEM format. It needs to be converted into a format OpenSSH understands; here's one way to do it (reference):
sudo cat /etc/netbird/config.json | jq -r .SSHKey | npx --package=sshpk -- sshpk-conv -t ssh -p > ~/.ssh/netbird.pem
Then I added the following to ~/.ssh/config:
Host *.netbird.selfhosted
User root
Port 44338
IdentityFile ~/.ssh/netbird.pem
Now ssh my-server.netbird.selfhosted works!
@deadbeef84 that is very interesting. I never thought to try that! I will give it a try when I get back to work after the Holiday. If it is as straightforward as modifying the format of the keys and copying them over, I will look at how the --ssh option works during its init and see if it's something that can be added.
+1 . Looking forward to this. Thanks!
Do I understand correctly that enabling "SSH Access" for host in Netbird management panel does not provide option to connect to the host just using "ssh [email protected]"?
In management panel I set "Allow all (TCP, UDP, ICMP)" for network rules, but I can't connect via SSH and VNC (port 5900) between peers. (ICMP also doesn't work) Is it expected?
Sorry if this is not the proper topic, but in my specific case I really need both (SSH and VNC).
Thanks in advance.
> Do I understand correctly that enabling "SSH Access" for host in Netbird management panel does not provide option to connect to the host just using "ssh [email protected]"?
That is correct, it will start an SSH server on port 44338 that requires a key to authenticate. You can use netbird ssh myhost to connect to it, but using any other ssh client will require setting up these connection parameters manually.
So what would be required to make it work like https://tailscale.com/kb/1193/tailscale-ssh without any manual step?
@DevOpsMage have you found any practical solution to this? Thanks.
FWIW, this is one of a couple items that has us leaning toward Tailscale/Headscale for our company (admittedly with an SSH heavy use case). While we might be able to swallow key conversion and manual ssh configuration to smooth out desktops/laptops, it still leaves the question of mobile phone/tablet access. I like a lot of what I see with NetBird, but this is a rough edge IMO. A keyless approach overriding the standard port just has a lot less friction.
It should probably also be mentioned that the built-in SSH server only supports PTY, i.e. terminal mode, so trying to run a command directly will fail. Port forwarding is also not supported.
For us this means using the netbird built-in ssh server is currently not an option.