Split SSH with Password Does Not Persist Reboots

I’ve set up some SSH-Vaults and AppVMs which use those ssh-keys for Split SSH, consistent with this guide (and many others out there).

I actually have 2 SSH-Vaults, one for work where my SSH key also has a password, and another for personal use where my SSH key does not have a password.

I’ve used ssh-add to add the keys to the agent in each vault, and verified access using ssh-add -L. After rebooting each vault, the password-protected key does not persist, so I have to use ssh-add again in the vault, while the non-password-protected key does persist.

The vaults are running Fedora30.

Is there some trick or script update I must use to make the password-protected key persist through reboots?

There is a very recent guide made by a few folks here on the forum. I’d suggest you give that one a shot. The one you mentioned is 4 years old.

Here it is:

In these cases, always look first at the documentation on the Qubes website. It pointed to this one I mentioned under “Split SSH”.

The one I mentioned is 4 years old, but the one you mentioned is less than 4 months old. It’s a very tall order to expect users to stay apprised of updates to all guides that might affect a user with that kind of timeliness. Anyway, the recent guide you reference is exactly the same implementation as the 4-year-old guide, with the exception of using socat instead of netcat, but with one important addition:

it makes it clear that whether using ssh-askpass or KeePassXC to store SSH passwords, each method requires re-entering some password (either the SSH password for ssh-askpass, or KeePassXC db password) upon reboots of the vault.

Still though, thanks for the reference!


Yup. I feel that. The external documentation part on the Qubes website is the go-to index for this sort of stuff (Documentation | Qubes OS). The community documentation should be in sync with that.