How to specify multiple vault VMs in policy for use with SSH client and Split SSH

I am trying to set up Split SSH using the community guide here

I have two vaults, vault-1 and vault-2. I would like to do something like this in my SSH policy file:

qubes.SshAgent * ssh-client vault-1,vault-2 ask target=vault-1

The idea being that the ssh-client VM can access both vault VMs and I can select the vault VM to use when calling SSH (for lack of a better description).

You can try to create separate policies like this:

qubes.SshAgent * ssh-client vault-1 ask target=vault-1
qubes.SshAgent * ssh-client vault-2 ask target=vault-1

Or use the qvm-tags command to add a tag to vault-1 and vault-2:

qvm-tags add vault-1 SshAgent_ssh-client
qvm-tags add vault-2 SshAgent_ssh-client

https://dev.qubes-os.org/projects/core-admin-client/en/latest/manpages/qvm-tags.html
And then use this tag as the destination in the policy:

qubes.SshAgent * ssh-client @tag:SshAgent_ssh-client ask target=vault-1
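An added example, not part of the original posts and not Qubes code: a simplified Python model of how a policy file is matched top to bottom, run over the two policy variants from the answer above to check which destinations ssh-client can reach. It handles only literal qube names and `@tag:` tokens and does not model what `target=` does; the qube `vault-3`, the tag table and all function names are assumptions made for illustration.

```python
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    service: str
    argument: str
    source: str
    dest: str
    action: str
    params: dict

def parse_rule(line: str) -> Rule:
    """Parse 'service argument source destination action [key=value ...]'."""
    fields = line.split()
    if len(fields) < 5 or fields[4] not in ("allow", "deny", "ask"):
        raise ValueError(f"malformed policy line: {line!r}")
    params = dict(p.split("=", 1) for p in fields[5:])
    return Rule(*fields[:5], params)

def matches(token: str, qube: str, tags: dict) -> bool:
    """Match a source/destination token: a literal qube name or @tag:NAME."""
    if token.startswith("@tag:"):
        return token[len("@tag:"):] in tags.get(qube, set())
    return token == qube

def evaluate(policy: str, tags: dict, service: str, source: str, dest: str,
             argument: str = "+") -> Optional[Rule]:
    """Return the first matching rule (first match wins); None means denied."""
    for raw in policy.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        rule = parse_rule(line)
        if (rule.service in ("*", service) and rule.argument in ("*", argument)
                and matches(rule.source, source, tags)
                and matches(rule.dest, dest, tags)):
            return rule
    return None

def reachable(policy, tags, service, source, qubes):
    """Destinations among `qubes` that `source` may call (allow or ask)."""
    hits = ((q, evaluate(policy, tags, service, source, q)) for q in qubes)
    return [q for q, rule in hits if rule and rule.action != "deny"]

# Constructed sample data: the two policy variants from the answer above,
# plus a hypothetical untagged qube "vault-3".
EXPLICIT = """
qubes.SshAgent * ssh-client vault-1 ask target=vault-1
qubes.SshAgent * ssh-client vault-2 ask target=vault-1
"""
TAGGED = "qubes.SshAgent * ssh-client @tag:SshAgent_ssh-client ask target=vault-1\n"
TAGS = {q: {"SshAgent_ssh-client"} for q in ("vault-1", "vault-2")}
QUBES = ["vault-1", "vault-2", "vault-3"]
```

Both variants yield the same reachable set in this model; with the tag variant, a new vault becomes reachable as soon as it is tagged, so the tag assignment is as security-relevant as the policy file itself.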

Thanks. You’ve helped me confirm if I could have multiple lines in the policy.
I will opt for that for now. If I get more vaults, I may switch to using tags.