Split ssh backend behavior: debian vs fedora

Hi,
I have a split ssh configuration where I use some app VMs to connect to remote servers using SSH whose keys are managed by another vm called key-vault.

In order to reduce risk of private key exposure, I keep only the public portion of the key in the .ssh folder of the app VM. The configuration part of the app vm is

Host foo
  HostName foo
  User user
  IdentityFile /home/user/.ssh/id_ed25519_app1
  AddKeysToAgent yes
  PreferredAuthentications publickey,password

Given that the configuration states the file id_ed25519_app1, that file resides in the key vault only. The app vm has id_ed25519_app1.pub instead. Without the public part, split ssh did not work in my setup.

The policy for SshAgent and initializations at the AppVM are done.
In the working configuration, the key vault template is Fedora.

Whenever I invoke ssh user@foo within the AppVM, a pop-up appears to query the key vault; upon permission to use the key, the login proceeds using the key, without me having to put the private key on the app VM. This is the workflow I have used happily for months.

However, when I change the template of key-vault to Debian, this sequence breaks. I get the popup but cannot see the key, and the AppVM complains that the key is not present:
no such identity: /home/user/.ssh/id_ed25519_app1.

But the key is on the key vault and is registered by its ssh agent (ssh-add -L on the key vault lists the keys).
Both templates' /etc/ssh configs are identical, except for the crypto policy addition on Fedora.

Is anyone using a similar setup with a debian key-vault? How would you fix this error?

Thanks
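A diagnostic for the AppVM side of the setup described above, added here as an example (it is not code from the post or from any split-ssh guide). It assumes the `ssh-add -L` output from the AppVM has been saved to a file and that the IdentityFile paths contain no spaces; the key blobs in the sample are constructed.

```shell
# Split-ssh sanity check for an AppVM (added example, not the post's own).
# Inputs: an ssh client config with IdentityFile lines, and a file holding
# the output of `ssh-add -L` as seen from the AppVM (keys served by the vault).
# For each IdentityFile it checks that
#   1. no private half sits in the AppVM (it belongs in key-vault only),
#   2. the .pub exists, so the client can name the identity to the agent,
#   3. the agent listing offers that exact key (type and base64 blob).
# When 3 fails, ssh falls back to the local private file, which a split
# setup deliberately lacks; that is the "no such identity" symptom.
split_ssh_check() {
  cfg="$1"; listing="$2"; rc=0
  # assumes key paths without spaces, as in the post's config
  for id in $(awk 'tolower($1)=="identityfile"{print $2}' "$cfg"); do
    case "$id" in "~/"*) id="$HOME/${id#\~/}" ;; esac
    if [ -e "$id" ]; then
      echo "FAIL $id: private key present in the AppVM"; rc=1; continue
    fi
    if [ ! -r "$id.pub" ]; then
      echo "FAIL $id: $id.pub missing"; rc=1; continue
    fi
    blob=$(awk '{print $1" "$2}' "$id.pub")
    if grep -qF -- "$blob" "$listing"; then
      echo "OK   $id: public half present and served by the agent"
    else
      echo "FAIL $id: agent does not offer this key (check ssh-add -L in the vault and the qrexec policy)"; rc=1
    fi
  done
  return $rc
}
# Constructed sample: a config like the post's, one .pub the agent offers
# and one it does not (hypothetical key blobs). Prints the sample directory.
make_sample() {
  d=$(mktemp -d); mkdir -p "$d/ssh"
  good="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedGoodKey0000000000000000"
  bad="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedBadKey00000000000000000"
  printf '%s app1@appvm\n' "$good" > "$d/ssh/id_ed25519_app1.pub"
  printf '%s app2@appvm\n' "$bad" > "$d/ssh/id_ed25519_app2.pub"
  printf '%s key-vault\n' "$good" > "$d/agent.txt"   # stand-in for ssh-add -L
  cat > "$d/config" <<EOF
Host foo
  HostName foo
  User user
  IdentityFile $d/ssh/id_ed25519_app1
  AddKeysToAgent yes
Host bar
  IdentityFile $d/ssh/id_ed25519_app2
EOF
  echo "$d"
}
```

Run it in the AppVM as `split_ssh_check ~/.ssh/config <(ssh-add -L)` in bash, or save the listing to a file first for plain sh; a FAIL on the third check points at the vault side or the qrexec policy rather than the client config.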

Did you use this guide?

Did you configure the Debian template according to the guide as well (Install the required package, create an RPC file)?


Thanks for sharing the guide. It’s very clear and instructive.
And yes, it helped solve my issue.