(best) Split SSH setup guide

The guide does not work on 4.1.
Tests with original Marmarek 4.1. Alpha iso from last year and today clean install with latest 4.1. Alpha weekly iso and it just will not work.
Tests were done with a clone from a clean fedora-33 Template (ssh-client & vault-ssh AppVms) which comes with installed libnotify.
Without or with mate-notification-daemon no dice.
Test were done with Stable dom0 and current-testing update and reboot.

Would love to help pinpoint the problem but not sure where to look.

After taking a break from 4.1 testing i did find what the split-ssh guide on github is missing.
The vault vm template /etc/qubes-rpc/qubes.SshaAgent file needs to be made executable,
chmod +x /etc/qubes-rpc/qubes.SshAgent

I guess you’ve a typo here

For the record, this chat has result in this how-to wiki:


Yup. I had also linked it back in a previous post. But it’s a good reminder :slight_smile:

I’ve also edited the original post to include a link to that document.

Could you label it as solution.

1 Like

Yes, I have now moved it out of the “guides” category (since the discussion itself is not the guide) and have marked that as the solution.

1 Like

Made a new clean install of 4.1 rc1 restored my AppVMs and templates and noticed that i wasn’t able to get ssh split to work after creating the dom0 policy file.
Turns out i had to press ENTER after ssh-client vault ask and create a new line for it to work, might want to add this into the howto section about dom0 /etc/qubes-rpc/policy/qubes.SshAgent

1 Like

As far as I am aware, nothing about this guide is Qubes-4.1-ready (yet) and it’s awesome to hear from you that it is working (almost) flawlessly. For me personally, Qubes 4.1 is currently not working on my private device and therefore, I can’t test it.
I expect that the guide requires a few updates once someone gets their hands on a Qubes 4.1 installation due to the new Qubes policy file format (Qubes Architecture Next Steps: The New Qrexec Policy System | Qubes OS).

Note that, as the linked article says, the old file format is still supported but should be considered legacy. So we should migrate to the new format in due time.

Follow the github guide, it works with 4.1 versions and read my previous post just above yours.

That was meant as an answer to your last post :slightly_smiling_face:.

I know the GitHub guide. In fact, I helped writing it :wink:.

That’s why I am happy that it more or less worked for you. As far as I know, and I haven’t heard anything else from @whoami and @santorihelix (the other main co-authors, not to forget @deeplow), this guide has not “officially” been tested on 4.1.
As I said, apparently most of it can be migrated but I consider a legacy policy file format to be an intermediate solution at best. The ultimate goal should be to adapt the guide to the new policy file format for Qubes 4.1.

I didn’t dive into it at all so far, so maybe there is not much to do for us.

1 Like

my bad haha, just saw the email text and thought you had trouble, thanks for the Guide (;

I am still here :wave: but I didn’t update to 4.1, I will wait for the final release. Currently, there is too much other work to do and I need a working system. Sorry.

@mono thanks for the fix.

In case someone has the same (stupid) problem like me… If you’re using another Shell then Bash, ~/.bashrc probably is the wrong file. :wink:

I’m using ohmyzsh in my coding qube and it to me some time to see my mistake. The guide itself works fine. Thanks for that.

Updated from fedora 36 templates to fedora 38 for my ssh qube and run into this odd new behavior which probably has an easy solution if i only knew where to look.

First, split-ssh “works as expected” but after pressing enter on the pop up window my ssh window is out of focus and needs either alt tab or mouse click to get back to focus.
This can get annoying pretty fast. Anyone else experience this?

EDIT: To fix this behavior go to Q > System Tools > Window Manager > Focus > and uncheck Automatically give Focus to newly created windows.

Must have snug in with one of the recent updates.

1 Like

I’m trying to setup Split SSH for git on a fresh installation of Qubes OS 4.2, but having trouble getting it to work. Like @haaber in #19443 and @mono in comment #38 of this topic, when executing ssh-add -L in the ssh-client VM I click the accept button in the dom0 Operation execution popup for qubes.SshAgent, but the ssh-client VM console prints error fetching identities: communication with agent failed regardless. Both the vault and the ssh-client VMs share the same fedora-38-xfce template that was installed when I installed the OS. First I followed the Split SSH setup guide and then tried virtually any combination of:

  1. Plain setup vs. KeePassXC
  2. @anyvm vs. real VM names in dom0 /etc/qubes-rpc/policy/qubes.SshAgent
  3. ask vs. ask,default_target=vault-VM-name in dom0 /etc/qubes-rpc/policy/qubes.SshAgent
  4. socat vs. ncat in TemplateVM /etc/qubes-rpc/qubes.SshAgent and ssh-client VM /rw/config/rc.local
  5. Trailing newline (comment #48 of this thread) in dom0 /etc/qubes-rpc/policy/qubes.SshAgent
  6. & character before or after the " character in ssh-client VM /rw/config/rc.local
  7. Renaming SSH_AUTH_SOCKET to SSH_SOCKET (to mirror the variable names used in other parts of the guide) in TemplateVM /etc/qubes-rpc/qubes.SshAgent and ssh-client VM ~/.bashrc

I suspect that I’m missing something, so I would like to know if someone got Split SSH working on Qubes OS 4.2.

The next issue is that git push seems to invoke gnome-ssh-askpass on fedora-38-xfce. I don’t know much about distros, but is gnome in xfce supposed to happen?

$ git push

error: unable to read askpass response from '/usr/libexec/openssh/gnome-ssh-askpass'

Username for 'https://...': <empty>

error: unable to read askpass response from '/usr/libexec/openssh/gnome-ssh-askpass'

Password for 'https://...': <empty>

remote: No anonymous write access.
fatal: Authentication failed.

Sorry for not linking to the topics and comments, new forum users are only allowed to post 2 links per post.

it worked for me on the reinstall a few weeks ago, did you try to press enter at the end of line in the dom0 policy file you created?
With the newline it suddenly worked for me when i encountered the problem, posted that above back then.

Thanks for the quick reply - yes, that is what I meant in step 5 of my previous post. But if it works for you, then it’s not the OS stopping me, but me doing something wrong. I’ll try to come up with more things to test.