SSH Split setup
About SSH-split
The SSH-split configuration is especially interesting for IT professionals such as developers, devops engineers and system administrators, but more generally for anyone who manages a remote server via ssh.
It works the same way as GPG-split: vault provides the ssh keys to the other qubes, which never store the keys on their own disk. This gives additional protection against malware and unauthorized access.
Tomb file for ssh
I follow the standard procedure to create a tomb file (20MB) in vault to host the keys of my ~/.ssh directory:
IDENTITY="joe"
RECIPIENT="joe@foo.bar"
LABEL="ssh"
TOMBID="${IDENTITY}-${LABEL}"
SIZE=20
Don't change ${TOMBID} or risks and risq will not work as expected.
From now on I can open or close the ssh tomb file with:
risks open ssh ${IDENTITY}
risks close ssh ${IDENTITY}
If I already have some ssh keys for ${IDENTITY}, I copy them inside the tomb:
risks open ssh ${IDENTITY}
cp <my-old-keys-directory>/* ${HOME}/.ssh
Otherwise I create a new pair:
risks open ssh ${IDENTITY}
ssh-keygen
The interactive shell opens and I hit enter 3 times, accepting the defaults.
I check that the new keys have been created:
ll ~/.ssh/
total 3
-rw------- 1 user user 1679 Jan 15 20:38 id_rsa
-rw-r--r-- 1 user user 394 Jan 15 20:38 id_rsa.pub
In both cases I make the keys immutable:
sudo chattr +i ~/.ssh/id_rsa.*
risks close ssh ${IDENTITY}
Setup Qubes for SSH split
This configuration lets joe-devq use the SSH keys held in vault without storing the key files itself.
dom0 configuration
In dom0 terminal:
sudo sh -c 'echo "\$anyvm \$anyvm ask" > /etc/qubes-rpc/policy/qubes.SshAgent'
Optionally, I can trust joe-devq to access the vault ssh-agent without a confirmation prompt:
sudo sh -c 'echo "joe-devq vault allow" > /etc/qubes-rpc/policy/qubes.SshAgent'
sudo sh -c 'echo "\$anyvm \$anyvm ask" >> /etc/qubes-rpc/policy/qubes.SshAgent'
The qubes.SshAgent file then looks like this:
joe-devq vault allow
$anyvm $anyvm ask
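A quick sanity check of the resulting policy file, added here as an example (it is not part of RISKS, Qubes or the original page): every "allow" rule that is not exactly the trusted client reaching the key-holding qube hands out the agent without a prompt, so the function reports it. The function name and the constructed sample policy are assumptions of this example.

```shell
#!/bin/sh
# Lint a qubes.SshAgent policy file in the "source destination action" layout
# written by the dom0 commands above. Constructed example, not RISKS/Qubes code.

# lint_sshagent_policy FILE TRUSTED_CLIENT KEY_QUBE
# Prints one finding per risky rule; returns 0 when the file is clean, 1 otherwise.
lint_sshagent_policy() {
    policy="$1"; trusted="$2"; keyvm="$3"
    findings=0
    # the "|| [ -n ... ]" keeps a last line without trailing newline
    while read -r src dst action _rest || [ -n "$src" ]; do
        # skip blank lines and comments
        case "$src" in ''|'#'*) continue ;; esac
        case "$action" in
            allow*)
                # silent access is acceptable only for trusted client -> key qube
                if [ "$src" != "$trusted" ] || [ "$dst" != "$keyvm" ]; then
                    echo "risky: '$src $dst $action' gives the agent without a prompt"
                    findings=$((findings + 1))
                fi ;;
            ask*|deny*) ;;   # a prompt or a refusal is the intended behaviour
            *)
                echo "unknown action in rule: '$src $dst $action'"
                findings=$((findings + 1)) ;;
        esac
    done < "$policy"
    [ "$findings" -eq 0 ]
}

# Demo on a constructed policy matching the file shown above
demo=$(mktemp)
printf '%s\n' 'joe-devq vault allow' '$anyvm $anyvm ask' > "$demo"
if lint_sshagent_policy "$demo" joe-devq vault; then
    echo "ok: only joe-devq reaches the vault ssh-agent silently"
fi
rm -f "$demo"
```

On dom0 the file to pass is /etc/qubes-rpc/policy/qubes.SshAgent; the function only reads it.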
vault configuration
vault needs only a couple of packages and ssh-add started at boot.
sudo apt update
sudo apt install nmap ssh-askpass
mkdir -p ~/.config/autostart
echo '
[Desktop Entry]
Name=ssh-add
Exec=ssh-add
Type=Application
' > ${HOME}/.config/autostart/ssh-add.desktop
template configuration
I turn off joe-devq, start debian-10-dev and from its terminal install nmap (which provides the ncat used below):
sudo apt update
sudo apt install nmap
sudo shutdown -P 0
joe-devq configuration
I turn on joe-devq and from its terminal I add these lines to /rw/config/rc.local:
# qube holding the ssh keys and running ssh-agent
SSH_VAULT_VM="vault"
# local socket that ssh clients in this qube will talk to
export SSH_SOCK="/home/user/.SSH_AGENT_$SSH_VAULT_VM"
rm -f "$SSH_SOCK"
# listen on the socket (mode 0600 via umask) and forward each connection to vault's agent over qrexec
sudo -u user /bin/sh -c "umask 177 && ncat -k -l -U '$SSH_SOCK' -c 'qrexec-client-vm $SSH_VAULT_VM qubes.SshAgent' &"
Then I add this to ${HOME}/.bashrc:
SSH_VAULT_VM="vault"
export SSH_AUTH_SOCK=${HOME}/.SSH_AGENT_$SSH_VAULT_VM
Test
- I stop vault
- I stop joe-devq
- I open a dom0 terminal
- I start vault and open a terminal
- I start joe-devq and open a terminal
- I attach the hush partition to vault
From a dom0 terminal:
qvm-shutdown --wait vault && qvm-run vault gnome-terminal
qvm-shutdown --wait joe-devq && qvm-run joe-devq gnome-terminal
attach_hush_to vault
From vault terminal:
risks mount sdcard
IDENTITY="joe"
risks open ssh ${IDENTITY}
ssh-add -L
The output is something like:
ssh-rsa AAAAF3Pza01yc2EAAAADAQA3AAA3AQDPrqi5HAv6NLg+WJVjS14nGTpx+Jr/si/O0RYSMs21ran0K1xYAZ+h0sVrtUkt+JJHr3E38GHm6Dpah4err0by4uPfk+x3e15ZfZy4RsxttUXbkYmsto3byulUfOyN0dOYSL+jHt7i4qdvUNffTiqL0s/eaDb5q20ytg8g35WEhxchSa3y9PYRSPQ35dqjJU35DhON0yc9H36uhT4d0JtOjhpDL79JH3oi8+c0t4h+p1G3RvwLPnwkH
From joe-devq terminal:
ssh-add -L
The usual Qubes OS prompt window pops up and I select vault.
Then, in the joe-devq terminal, I should see exactly the same output that vault displayed. This proves that everything is working as expected.
I can now try to access any SSH remote server from joe-devq with:
ssh ${user}@${server_ip}