I tinkered around a bit.
When creating disposable ssh vaults and ssh clients and giving them the tags “ssh-client” and “ssh-vault”, I can only set:
- allow all sshAgent connections from all qubes with the tag “ssh-client” to “ssh-vault” without asking
- or: ask every time, but the user has to insert the correct ssh-vault name
Option 1 is good for usability. It just works. It is, however, insecure, as one has to pay attention to the notifications permanently to detect and interrupt any brute-force attempts.
Option 2 is good for security. Every access to keys requires additional user interaction, which is fine for me. What is not fine is that I have to enter a randomized ssh-vault name as a target.
Is anybody aware of a solution for this? I would like to simply “say yes or no” to a request without needing to fill in the target.
Another solution would be to create allow policies for more tags than the host can reasonably virtualize. That way I would create my client-vault pairs with matching tags, for example:
ssh-client-123456 and ssh-vault-654321 with tag “ssh-pair-1”
ssh-client-000000 and ssh-vault-1111111 with tag “ssh-pair-2”
and allow access between them without confirmation. This would then need my admin qube to keep track of used pairs so as not to double-spend them. Not too much of a problem for me, but added complexity nevertheless.
I am just wondering if this is worth the hassle, as an adversary with the ability to execute code on a qube that holds a private key could only extract the one private key for the server he has already pwned to get into that position in the first place, so effectively nothing of value is lost in my simple “copy the private key onto the ssh client” approach, as far as I can see.
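For comparison, here is what the three policy variants described in the post look like written out as a Qubes RPC policy file. This is an added example, not the poster's own configuration: it assumes the Qubes 4.1+ policy format (one rule per line, `@tag:` selectors, first matching rule wins), that the split-ssh service is named `qubes.SshAgent`, and a hypothetical file name under `/etc/qubes/policy.d/`.

```text
# /etc/qubes/policy.d/30-split-ssh.policy      (file name is an assumption)
# Format assumed: Qubes 4.1+ policy files. Fields are
#   service  argument  source  destination  action [params]
# Rules are evaluated top to bottom and the first match wins, so a real file
# would contain only ONE of the three option blocks below. Options 1 and 2 are
# left commented out here so the file as shown implements option 3.

# Option 1 (usability): any ssh-client may query any ssh-vault, no prompt.
# Only the notification tells you that a (possibly compromised) client is
# hammering a vault.
#qubes.SshAgent  *  @tag:ssh-client  @tag:ssh-vault  allow

# Option 2 (security): prompt on every request. The dialog lists the vaults
# the policy permits as destinations and the user has to pick the right one.
#qubes.SshAgent  *  @tag:ssh-client  @tag:ssh-vault  ask

# Option 3 (pairing): one shared tag per client/vault pair, allowed without a
# prompt. A client carrying ssh-pair-1 can only reach the vault carrying
# ssh-pair-1, never the ssh-pair-2 vault.
qubes.SshAgent  *  @tag:ssh-pair-1  @tag:ssh-pair-1  allow
qubes.SshAgent  *  @tag:ssh-pair-2  @tag:ssh-pair-2  allow

# Explicit catch-all so that nothing else is ever allowed by a later file.
qubes.SshAgent  *  @anyvm  @anyvm  deny
```

With option 3, the bookkeeping the post mentions is the step of attaching the same pair tag to both members from dom0 (`qvm-tags ssh-client-123456 add ssh-pair-1` and `qvm-tags ssh-vault-654321 add ssh-pair-1`), and making sure a tag that is already in use is never handed to a second pair; the policy itself does nothing to prevent that reuse.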