Trying to test my Split SSH configuration and I am getting the message: “Denied qubes.SshAgent from ssh-client-test to vault-test”
I have this in my /etc/qubes/policy.d/50-ssh.policy file
qubes.SshAgent * ssh-client-test vault-test ask target=vault-test
Not sure why this is happening since I think I’ve followed all the steps as per the setting up the VM guide here
I found this topic on the forum from the mailing list but I can’t see what the solution could have been.
Do you see the prompt to allow the operation like this:
https://forum.qubes-os.org/uploads/db3820/original/1X/37e62ebb62482d83d878e3481161c72f22ec801c.png
And you’re getting the denied message after pressing OK in this window?
Or are you getting the denied message without a prompt?
Getting a denied message without a prompt. Thanks for asking that. Let me see whether I missed anything in relation to that.
Maybe you have a typo in policy.
Yes that was it. I had created the file as /etc/qubes/policy.d/50-ssh-policy not /etc/qubes/policy.d/50-ssh.policy (- vs .)
Now I see the prompt and when I enter the vault VM’s name (vault-test) and click OK, I get the error error fetching identities: communication with agent failed.
The guide says to check the VM interconnection setup but I am not sure what to check.
For what it is worth, I am testing with a key that has a passphrase. Could that be causing the behaviour?
Was Testing the KeePassXC Setup step successful?
That’s what I seem to be struggling with. I am not using KeePassXC; I’m using the Built-in Password Utility and ssh-askpass
I tried to go through the steps and I run into this issue after restarting the vault-test VM as:
$ cat /etc/qubes-rpc/qubes.SshAgent
cat: /etc/qubes-rpc/qubes.SshAgent: No such file or directory
Yet I remember creating it as part of the setup as shown by my command history:
$ history | grep Ssh
43 sudo vim /etc/qubes-rpc/qubes.SshAgent
44 sudo chmod +x /etc/qubes-rpc/qubes.SshAgent
53 sudo vim /etc/qubes-rpc/qubes.SshAgent
54 sudo chmod +x /etc/qubes-rpc/qubes.SshAgent
55 cat /etc/qubes-rpc/qubes.SshAgent
63 cat /etc/qubes-rpc/qubes.SshAgent
88 sudo vim /etc/qubes-rpc/qubes.SshAgent
90 sudo vim /etc/qubes-rpc/qubes.SshAgent
91 cat /etc/qubes-rpc/qubes.SshAgent
92 sudo chmod +x /etc/qubes-rpc/qubes.SshAgent
93 cat /etc/qubes-rpc/qubes.SshAgent
94 history | grep Ssh
The point at which you’re supposed to restart the vault VM is documented here
In the Template of Your AppVM
vault:
I thought we were to do everything in app qubes?
Anyway, my bad for reading my own version of the instructions 
Let me redo everything accordingly. Thanks.
Recap:
First issue was a typo as pointed out here and was fixed accordingly in this post
Second issue was a misunderstanding of how I read the guide as pointed out here. I had assumed that all config would be done in the qube but in this case not. As the title of this section says “In the Template of Your AppVM vault”
Third issue was that the section on securing your private key overrides the advice in Test Your Configuration
From the former:
With this configuration you’ll be prompted for entering your password every time you start your vault VM to be able to make use of your SSH key.
From the latter:
- If you’re using KeePassXC, shutdown KeePassXC on your vault VM. If not, make sure your private key is not added to the ssh-agent in your vault VM (Check with
ssh-add -L). If it is, restart your vault VM and do not enter your password when it asks you to.
For my case, since I wasn’t using KeePassXC, entering the password when the vault VM starts up allowed the configuration test to pass.