Not able to connect to vault from ssh-client VM after setting up Split SSH

Trying to test my Split SSH configuration and I am getting the message: “Denied qubes.SshAgent from ssh-client-test to vault-test”

I have this in my /etc/qubes/policy.d/50-ssh.policy file

qubes.SshAgent * ssh-client-test vault-test ask target=vault-test

Not sure why this is happening since I think I’ve followed all the steps as per the setting up the VM guide here

I found this topic on the forum from the mailing list but I can’t see what the solution could have been.

Do you see the prompt to allow the operation like this:
https://forum.qubes-os.org/uploads/db3820/original/1X/37e62ebb62482d83d878e3481161c72f22ec801c.png
And you’re getting the denied message after pressing OK in this window?
Or are you getting the denied message without a prompt?

Getting a denied message without a prompt. Thanks for asking that. Let me see whether I missed anything in relation to that.

Maybe you have a typo in policy.


Yes that was it. I had created the file as /etc/qubes/policy.d/50-ssh-policy not /etc/qubes/policy.d/50-ssh.policy (- vs .)

Now I see the prompt and when I enter the vault VM’s name (vault-test) and click OK, I get the error “error fetching identities: communication with agent failed”.

The guide says to check the VM interconnection setup but I am not sure what to check.

For what it is worth, I am testing with a key that has a passphrase. Could that be causing the behaviour?

Was Testing the KeePassXC Setup step successful?

That’s what I seem to be struggling with. I am not using KeePassXC; I’m using the Built-in Password Utility and ssh-askpass

I tried to go through the steps and I run into this issue after restarting the vault-test VM as:

$ cat /etc/qubes-rpc/qubes.SshAgent
cat: /etc/qubes-rpc/qubes.SshAgent: No such file or directory

Yet I remember creating it as part of the setup as shown by my command history:

$ history | grep Ssh
   43  sudo vim /etc/qubes-rpc/qubes.SshAgent
   44  sudo chmod +x /etc/qubes-rpc/qubes.SshAgent
   53  sudo vim /etc/qubes-rpc/qubes.SshAgent
   54  sudo chmod +x /etc/qubes-rpc/qubes.SshAgent
   55  cat /etc/qubes-rpc/qubes.SshAgent
   63  cat /etc/qubes-rpc/qubes.SshAgent
   88  sudo vim /etc/qubes-rpc/qubes.SshAgent
   90  sudo vim /etc/qubes-rpc/qubes.SshAgent
   91  cat /etc/qubes-rpc/qubes.SshAgent
   92  sudo chmod +x /etc/qubes-rpc/qubes.SshAgent 
   93  cat /etc/qubes-rpc/qubes.SshAgent
   94  history | grep Ssh

The point at which you’re supposed to restart the vault VM is documented here

In the Template of Your AppVM vault:

I thought we were to do everything in app qubes?
Anyway, my bad for reading my own version of the instructions :see_no_evil:
Let me redo everything accordingly. Thanks.

Recap:

First issue was a typo as pointed out here and was fixed accordingly in this post

Second issue was a misunderstanding of how I read the guide as pointed out here. I had assumed that all config would be done in the qube but in this case not. As the title of this section says “In the Template of Your AppVM vault”.

Third issue was that the section on securing your private key overrides the advice in Test Your Configuration

From the former:

With this configuration you’ll be prompted for entering your password every time you start your vault VM to be able to make use of your SSH key.

From the latter:

  1. If you’re using KeePassXC, shutdown KeePassXC on your vault VM. If not, make sure your private key is not added to the ssh-agent in your vault VM (Check with ssh-add -L). If it is, restart your vault VM and do not enter your password when it asks you to.

For my case, since I wasn’t using KeePassXC, entering the password when the vault VM starts up allowed the configuration test to pass.
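
The first issue in the recap (a rule saved as 50-ssh-policy instead of 50-ssh.policy, which gave a denial with no prompt) can be caught with a quick lint of the policy directory, since Qubes skips files there whose names do not end in .policy. The script below is an added example, not part of the thread or the Split SSH guide; the function names and the temporary sample directory are this example's own, and on a real system the directory to check would be /etc/qubes/policy.d in dom0.

```shell
#!/bin/sh
# Added example (not from the thread or the Qubes guide): find qrexec policy
# files that hold a rule for a service but lack the ".policy" suffix.

# True if FILE has a rule whose first field is exactly SERVICE.
has_rule() {
    awk -v s="$2" '$1 == s { found = 1 } END { exit !found }' "$1"
}

# Print names of files in DIR that carry a SERVICE rule but are misnamed.
misnamed_policy_files() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.policy) continue ;; esac
        if has_rule "$f" "$2"; then printf '%s\n' "${f##*/}"; fi
    done
}

# Succeed if some correctly named *.policy file in DIR has a SERVICE rule.
active_rule_exists() {
    for f in "$1"/*.policy; do
        if [ -f "$f" ] && has_rule "$f" "$2"; then return 0; fi
    done
    return 1
}

# Constructed sample: the thread's rule saved under the mistyped name.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    rule='qubes.SshAgent * ssh-client-test vault-test ask target=vault-test'
    printf '%s\n' "$rule" > "$d/50-ssh-policy"
    printf '# unrelated constructed file\n' > "$d/30-other.policy"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
echo "misnamed: $(misnamed_policy_files "$sample" qubes.SshAgent)"
active_rule_exists "$sample" qubes.SshAgent || echo "no active rule yet"
mv "$sample/50-ssh-policy" "$sample/50-ssh.policy"   # the fix from the thread
active_rule_exists "$sample" qubes.SshAgent && echo "rule active after rename"
rm -rf "$sample"
```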