New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
You're screwing with the name recognition though man.
I catch up on the posts here and by the time I hit next thread I've already forgotten all the names and only remember thanks thanks thanks and then https://en.wikipedia.org/wiki/Semantic_satiation and I don't even know what's going on anymore!
Thanks everybody!
edit: ok I solved it for myself with quick userscript to replace thanks whew.
I thought you would password-protect VNC access (and was wondering how you would then manage those passwords), but then got confused when you said no password needed.
Ah yes, I guess that works, but it would give me a somewhat uneasy feeling having to always remember that the security depends on no unprivileged user ever being allowed to open random TCP connections.
The goal was to find a simple, secure, and open source method of enabling VPS users to install their own choice of OS plus also start, stop, reboot, and reinstall their VPS.
How could we do it better? While keeping simplicity, security, and open source?
Thanks again for your help!
Always appreciated! 
I am not exactly sure what you mean. UserX who owns vmX on portX is the only one that can connect to that port. UserY who owns vmY on portY is in the same boat. They aren't random TCP connections, everything is configured and locked down accordingly. Maybe there is some confusion because the match user part was left off above.
Had we done this it would be as you describe:
But I made certain that we didn't do it that way as it was far too problematic for obvious reasons. Maybe I overlooked something and am not following what exactly you are saying is the problem.
As I said, I guess it works.
But the uneasy feeling remains. Usually, the idea of running different services as different users is that if you manage to break out of one service (by some kind of remote code execution, e.g., breaking out of your virtual machine by a buffer overflow in a virtio device), you are still severely restricted by what you can do, because you are still confined by that non-root user. But in the case of your set up, you then have the ability of getting console access to other users' VPSes on that system for free - which is more than what I would usually be comfortable with.
Like Not_Oles asked, what would you do instead?
I certainly agree that a layered security approach would be better. But unless sshd has a vulnerability (in which case you are already screwed from the hypervisor standpoint vs less important vms) I don't see how you can bypass or break out of this setup. If you can prove otherwise I'm certainly all ears and happy to learn something new. I can provide you with a target to compromise/exploit if you are game.
I was going to suggest generating random passwords that the user would get over the SSH connection, but it seems an easier way to achieve better user separation for VNC would be to use Unix domain sockets - both qemu and SSH already support those (just tried locally); so you just need to make sure that file permissions are set up correctly, so only the owner of the VPS can connect to the corresponding VNC Unix domain socket.
Don't you still end up using a ssh tunnel to be able to access the domain socket? Definitely an interesting solution but seems like a very comparable solution and maybe even a tad more work involved to manage it. So if you do still need to use ssh tunnels the attack surface is the same. It seems like it would work though, just not sure how much of an improvement.
It's moving from a localhost TCP port (that every process on that machine can connect to) to a Unix domain socket (that only processes with the same user id can connect to, assuming file system permissions are set up accordingly). That seems like an improvement to me.
Fair enough.
@cmeerw
I'm wondering whether it might be possible, if you have time, please, for you to post a hint about how to create a VPS using your idea of a Unix socket for ssh tunnel access to Node localhost VNC.
Previously, I posted what I have been doing to make VPSes without graphics.
Here is the @FrankCastle virt-install method used for the VNC enabled VPS that was paired with this per user ssh configuration.
I don't know if VNC is necessary for every FOSSVPS client, but there are a few who want to install additional excellent operating systems besides those that FOSSVPS offers pre-installed.
I don't know about virt-install, as I have never used it. With qemu, you can just use
-vnc unix:/home/user/vnc.socket, and with ssh you can dossh -L 5901:/home/user/vnc.socketto forward your local port 5901 to that Unix domain socket on the server.@cmeerw Thanks so much! More simple than I imagined. I will give it a try. Best wishes, and thanks again, as always, for helping so much!
Hi again!
I am very fond of netboot.xyz (running it at home for PXE booting and on the go in a Medicat setup) but from what I've read here that might not be a simple solution.
It's a niche thing you're doing and I guess maybe there will have to be some customization involved to get a good solution for OS selection.
I would appreciate if you could wipe my instance and install the latest stable Debian 12 when you've got time to spare
Hi @zejjnt!
Is https://cloud.debian.org/images/cloud/bookworm-backports/latest/debian-12-backports-genericcloud-amd64.qcow2 okay?
If you want something else, just post the link, please.
Best!
Tom
@zejjnt
@zejjnt Okay to proceed? I want you to have everything exactly right. Or as close to exactly right as we can get.
Thanks to @alexhost Alexhost for donating our nice server Node!
Absolutely, just flatten and reinstall
@zejjnt
Reinstalled to Debian 12!
You should be able to get in with your ssh key. Password login is not enabled. My ssh keys are present so I could test. Please feel free to remove them.
Please post here about your progress with your VPS. I look forward to hearing about what you are doing!
Thanks to Alexhost for the nice server node!
Best wishes!
Tom
Hey Tom,
Is it alright now? Can we get this?
Hello FOSSVPS team and generous providers, thank you for making this possible ❤️
I plan to run Technitium DNS Server in a non-commercial and private setup.
The VPS will be used to test DNS resolution, caching behavior, and DNS-based filtering from an Eastern Europe location.
The service will be configured safely:
I hope to contribute positively by:
All usage will remain white-hat, open source, and strictly non-commercial.
Alexhost – Chisinau, Moldova
This location is interesting for testing Eastern Europe DNS latency and comparing it with other regions.
NAT IPv4 is perfectly fine for my use case.
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINFX1Dud/kwUKjiR1d8m1Y9PKdwhCxXWnGKGijBlweTm hugo@fossvps
Thank you again to FOSSVPS and the providers for supporting open-source projects and the community.
Hi @hugo_sabdo this thread is old and @Not_Oles has passed FOSSVPS over to me and my team.
Head over to the link in my signature and you can complete the registration form.
Moldova is available (till 30th January 2026) but we have different locations to choose from.
Your profile on LET is not the best however your thorough description of what you wish to do gives you bonus points
Hi @msatt,
Just a quick update — I attempted to complete the registration form yesterday using my personal domain email (not Gmail). Unfortunately, the verification email arrived too late and the OTP had already expired.
When I tried again this morning, the system flagged it as a multiple registration attempt.
I just wanted to clarify that this was not intentional and was caused by the delayed verification email.
Please let me know if there is anything I should do next, or if I should simply wait.
Thank you for your understanding.
Thanks for letting us know, that is correct functionality, just FYI - checking logs,
You requested at 2025-12-22 10:00:20 and the verification email was sent 22/12/2025 10:00:22
So the delay looks like at your end.
At the moment your profile on LET is not high enough to qualify (I am sorry), we need to see a history. So feel free to re-apply when you have participated more in this forum and we will happily review your request again.
Wishing you well.
Mike
Thank you for kindly reward for developers who made open source softwares!