Help with unman qubes-ssh-agent

Installed GitHub - unman/qubes-ssh-agent manually.
Sadly the readme seems to be outdated and some instructions are unclear.

Moved the repo to dom0 under /srv/salt.
Did: sudo qubesctl state.apply qubes-ssh-agent.create
Then: sudo qubesctl --skip-dom0 --targets=template-ssh-agent state.apply qubes-ssh-agent.configure_template
Then: sudo qubesctl --skip-dom0 --targets=sys-ssh-agent state.apply qubes-ssh-agent.configure

This is the policy under /etc/qubes/policy.d/50-config-splitssh.policy

qubes.SshAgent  +work  @anyvm  @anyvm ask default_target=sys-ssh-agent
qubes.SshAgent  +test  @anyvm  @anyvm ask default_target=sys-ssh-agent
qubes.SshAgent  *      @anyvm  @anyvm deny

So I created a passwordless SSH key, moved it to sys-ssh-agent under ~/keys, and created a new “test.service” with the “Configure-new-ssh-agent.sh” script.

If I do ssh-add -L in the “test” VM I get prompted for confirmation and the output: The agent has no identities.

How can I sign a message like this: help | ssh-keygen -Y sign -n gitea
How can I specify the SSH key I want to access, like for accessing a git server or signing commits? git config --global user.signingKey

If I understand correctly, the ~/.ssh/config should be in the sys-ssh-agent and that's how you can easily ssh into other servers? But what about the above?

Can’t figure it out pls send help.

1 Like

Adding something like ssh-add keys/work/id_rsa to the “test-agent.sh” in the home dir does make ssh-add -L output the pub key in the test VM. It’s kind of still unclear how I should proceed.

So do I really have to launch the corresponding *-agent.sh if I want to access the specific key?

1 Like

git does work now if you set git config --global user.signingKey to the pub key

1 Like

yeah solved. Copy the pub key to the vm and specify that as the used key in the configs. Everything works now

3 Likes
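
Why copying only the public key into the client qube is enough, as an added example that is not part of the original posts or of the qubes-ssh-agent repo: ssh-keygen -Y sign accepts a public key file for -f and asks the agent behind SSH_AUTH_SOCK to produce the signature. A throwaway local ssh-agent in a temp directory stands in for sys-ssh-agent here; the key, the file names and the demo@example identity are constructed.

```shell
#!/bin/sh
# Added example. A throwaway ssh-agent in a temp dir stands in for
# sys-ssh-agent; key, file names and demo@example are constructed.

# sign_via_agent MESSAGE NAMESPACE
# Prints "verified" when a signature made with only the public key file
# (private half held by the agent) checks out.
sign_via_agent() {
    msg=$1
    ns=$2
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1

        # Vault side: passwordless key, loaded into the agent.
        ssh-keygen -q -t ed25519 -N '' -C demo -f vault_key || exit 1
        eval "$(ssh-agent -s -a "$work/agent.sock")" >/dev/null

        ssh-add -q vault_key 2>/dev/null &&
        # Client side: keep only the public key, drop the private half.
        cp vault_key.pub client.pub &&
        rm -f vault_key &&
        # -f names a public key, so ssh-keygen asks the agent to sign stdin.
        printf '%s\n' "$msg" > msg.txt &&
        ssh-keygen -Y sign -f client.pub -n "$ns" < msg.txt > msg.sig 2>/dev/null &&
        # Verify against an allowed_signers line built from the same public key.
        printf 'demo@example %s\n' "$(cat client.pub)" > allowed_signers &&
        ssh-keygen -Y verify -f allowed_signers -I demo@example \
            -n "$ns" -s msg.sig < msg.txt >/dev/null 2>&1 &&
        echo verified
        rc=$?

        # Stop the throwaway agent regardless of the outcome.
        ssh-agent -k >/dev/null 2>&1
        exit "$rc"
    )
    rc=$?
    rm -rf "$work"
    return "$rc"
}

# Example call: sign_via_agent help gitea
```

git takes the same path when gpg.format is set to ssh and user.signingKey names the public key file, which is why the private key never has to leave the agent qube.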