Can't enable SSH access: "Running SSH server is not permitted" #1271

Closed
opened 2025-11-20 05:27:15 -05:00 by saavagebueno · 10 comments

Originally created by @florian-obradovic on GitHub (Sep 23, 2024).

Describe the problem

I tried to enable SSH Access for a few of my peers (Linux & macOS) but it doesn't work.

To Reproduce

  1. Enable SSH Access for a peer in dashboard
  2. client.log on the peer shows: WARN client/internal/engine.go:554: running SSH server is not permitted
  3. Try to connect:
Error: dial tcp 100.102.98.127:44338: i/o timeout
Couldn't connect. Please check the connection status or if the ssh server is enabled on the other peer

Expected behavior

  • Enable SSH access

Are you using NetBird Cloud?
Self hosted!

NetBird version
0.29.3

NetBird status -dA output:

OS: linux/amd64
Daemon version: 0.29.3
CLI version: 0.29.3
Management: Connected to https://netbird.anon-ZsVFN.domain:33073
Signal: Connected to http://netbird.anon-ZsVFN.domain:10000
Relays:
[stun:netbird.anon-ZsVFN.domain:3478] is Available
[turn:netbird.anon-ZsVFN.domain:3478?transport=udp] is Available
Nameservers:
FQDN: anon-poKed.domain
NetBird IP: 100.102.98.127/16
Interface type: Kernel
Quantum resistance: false
Routes: -
Peers count: 5/11 Connected

saavagebueno added the client, waiting-feedback, ssh, missing-docs labels 2025-11-20 05:27:15 -05:00

@mlsmaycon commented on GitHub (Sep 23, 2024):

Hi @florian-obradovic, you need to run this on the client:

netbird down
netbird up --allow-server-ssh

We will update our docs since this information is missing.


@sirvar commented on GitHub (Sep 25, 2024):

@mlsmaycon has this been updated in the docker image as well?


@mlsmaycon commented on GitHub (Sep 25, 2024):

> allow-server-ssh

Yes it's been @sirvar. For docker you need the following environment variable:

NB_ALLOW_SERVER_SSH=true

@florian-obradovic commented on GitHub (Sep 25, 2024):

Thanks for heads up @mlsmaycon

We should add a note to the documentation, that you also need an ACL which allows tcp port 44338 access.
2024-09-25T23:20:12+02:00 INFO client/ssh/server.go:248: starting SSH server on addr: 100.102.98.127:44338
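
Added example, not part of the original thread or NetBird's own code: a small shell helper that reads a peer's client.log, tells apart the two states quoted above ("running SSH server is not permitted" versus "starting SSH server on addr") and prints the next step the replies give. The function names and the sample log, including the first line's timestamp, are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a NetBird client.log by the two SSH messages
# quoted in this thread. Function names are hypothetical helpers.

# diagnose_ssh LOGFILE -> "not-permitted" | "listening ADDR" | "unknown"
diagnose_ssh() {
    # Only the most recent SSH-related line reflects the current state.
    ds_last=$(grep -E 'running SSH server is not permitted|starting SSH server on addr: ' "$1" | tail -n 1)
    case "$ds_last" in
        *'running SSH server is not permitted'*) echo "not-permitted" ;;
        *'starting SSH server on addr: '*) echo "listening ${ds_last##*addr: }" ;;
        *) echo "unknown" ;;
    esac
}

# remediation STATE [ADDR] -> next step, taken from the replies in the thread
remediation() {
    case "$1" in
        not-permitted)
            echo "peer has not opted in: netbird down; netbird up --allow-server-ssh (Docker: NB_ALLOW_SERVER_SSH=true)" ;;
        listening)
            # ADDR is ip:port; the port is what an access rule has to cover.
            echo "server is up on $2; on a dial timeout check for an ACL allowing tcp port ${2##*:} (rule not required in 0.35+)" ;;
        *)
            echo "no SSH server messages in log" ;;
    esac
}

# Constructed sample: peer started without the flag, later restarted with it.
# The first line's timestamp is made up; the messages are the ones quoted above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
2024-09-23T13:50:01+02:00 WARN client/internal/engine.go:554: running SSH server is not permitted
2024-09-25T23:20:12+02:00 INFO client/ssh/server.go:248: starting SSH server on addr: 100.102.98.127:44338
EOF
state=$(diagnose_ssh "$sample")
# Intentionally unquoted so "listening ADDR" splits into two arguments.
remediation $state
rm -f "$sample"
```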


@creeram commented on GitHub (Jan 2, 2025):

@mlsmaycon Why is the allow ssh from the dashboard not working? It works only when enabled from cli.


@lixmal commented on GitHub (Jan 2, 2025):

@creeram It's a security feature

@florian-obradovic the rule is not required in 0.35+


@creeram commented on GitHub (Jan 2, 2025):

@lixmal security feature? If it's not possible to allow ssh from the dashboard why do we have that option?

SSH allows root user login by default. Is there an option to map users to their logged-in NetBird user so that they are not allowed to log in as other users? (The users will be manually created on those servers.)


@jakob1379 commented on GitHub (Jan 16, 2025):

For me the issue was that my netbird config is not at the default location, but for some reason the location is not pulled from the daemon.

This means I have to do

sudo netbird -c path/to/config ssh my-remote
# or alternatively
export NETBIRD_CONFIG=path/to/config
sudo -E netbird ssh my-remote

@nazarewk commented on GitHub (Apr 28, 2025):

Hello @florian-obradovic,

We're currently reviewing our open issues and would like to verify if this problem still exists in the latest NetBird version.

Could you please confirm if the issue is still there?

We may close this issue temporarily if we don't hear back from you within 2 weeks, but feel free to reopen it with updated information.

Thanks for your contribution to improving the project!


@mlsmaycon commented on GitHub (Jun 1, 2025):

Closing issue due to no recent feedback. Feel free to open a new one if the issue persists or reopen if this was a feature request.


Reference: SVI/netbird#1271