Split-ssh with whonix as client & debian-minimal as vault

split-ssh setup

end result will yield
client: whonix-workstation - dispvm
vault: debian-12-minimal - appvm
starting client vm will automatically prompt for vault vm
choosing the vault vm will automatically start vault vm and prompt for password

before you start

update or install & update debian-12-minimal & whonix-workstation-17

create script

dom0: nano ~/ssh-setup.sh

print the following

#!/bin/sh
# vault template: clone debian-12-minimal and install socat (agent proxy),
# ssh-askpass (confirmation dialogs) and notify-send (access notifications).
qvm-clone debian-12-minimal deb-12-mini-ssh-keyring
# the minimal template has no passwordless sudo, so the install script is
# run as root via qvm-run -u root and does not call sudo itself
echo 'apt-get -y install socat ssh-askpass-gnome libnotify-bin' > ~/ssh.sh
chmod 700 ~/ssh.sh
qvm-move-to-vm deb-12-mini-ssh-keyring ~/ssh.sh
qvm-run -u root deb-12-mini-ssh-keyring /home/user/QubesIncoming/dom0/ssh.sh
# qrexec service in the vault: announce each agent access, then hand the
# caller's stream to the local ssh-agent socket (shebang must be line 1)
echo '#!/bin/sh
notify-send "[$(qubesdb-read /name)] SSH agent access from: $QREXEC_REMOTE_DOMAIN"
socat - "UNIX-CONNECT:$SSH_AUTH_SOCK"' > ~/qubes.SshAgent
chmod 700 ~/qubes.SshAgent
qvm-move-to-vm deb-12-mini-ssh-keyring ~/qubes.SshAgent
qvm-run -u root deb-12-mini-ssh-keyring "mv /home/user/QubesIncoming/dom0/qubes.SshAgent /etc/qubes-rpc/qubes.SshAgent && chown root:root /etc/qubes-rpc/qubes.SshAgent && chmod 755 /etc/qubes-rpc/qubes.SshAgent"
qvm-run deb-12-mini-ssh-keyring "rm -r /home/user/QubesIncoming"
qvm-shutdown deb-12-mini-ssh-keyring

# client template: clone the Whonix workstation and install the ssh client
# (Whonix has passwordless sudo, so the script runs as user)
qvm-clone whonix-workstation-17 workstation-ssh
echo 'sudo apt-get -y install openssh-client' > ~/ssh.sh
chmod 700 ~/ssh.sh
qvm-move-to-vm workstation-ssh ~/ssh.sh
qvm-run workstation-ssh /home/user/QubesIncoming/dom0/ssh.sh
# Xsession hook in the client: SSH_AUTH_SOCK points at a local socket that
# socat forwards over qrexec to the vault's qubes.SshAgent service
echo 'SSH_VAULT_VM="app-ssh-keyring"
export SSH_AUTH_SOCK=/tmp/ssh-agent-$SSH_VAULT_VM
rm -f $SSH_AUTH_SOCK
umask 177 && socat "UNIX-LISTEN:$SSH_AUTH_SOCK,fork" "EXEC:qrexec-client-vm $SSH_VAULT_VM qubes.SshAgent" &' > ~/90x11-common_ssh-agent
qvm-move-to-vm workstation-ssh ~/90x11-common_ssh-agent
qvm-run workstation-ssh "sudo mv /home/user/QubesIncoming/dom0/90x11-common_ssh-agent /etc/X11/Xsession.d/90x11-common_ssh-agent && sudo chown root:root /etc/X11/Xsession.d/90x11-common_ssh-agent"
qvm-run workstation-ssh "rm -r /home/user/QubesIncoming"
qvm-shutdown workstation-ssh

# vault AppVM: keep it offline (netvm none) and load the key into the agent
# at login; ssh-add -c asks for confirmation on every use of the key
qvm-create -C AppVM -l blue -t deb-12-mini-ssh-keyring app-ssh-keyring
qvm-prefs app-ssh-keyring netvm none
echo '[Desktop Entry]
Name=ssh-add
Exec=ssh-add -c
Type=Application' > ~/ssh-add.desktop
qvm-move-to-vm app-ssh-keyring ~/ssh-add.desktop
qvm-run app-ssh-keyring "mkdir -p /home/user/.config/autostart"
qvm-run app-ssh-keyring "mv /home/user/QubesIncoming/dom0/ssh-add.desktop /home/user/.config/autostart/ssh-add.desktop"
qvm-run app-ssh-keyring "rm -r /home/user/QubesIncoming"
qvm-shutdown app-ssh-keyring

# disposable template for the client: ssh-add -L at login lists the vault's
# keys, which triggers the qrexec call (and the policy prompt) at start-up
qvm-create -C AppVM -l yellow -t workstation-ssh workstation-dvm-ssh
qvm-prefs workstation-dvm-ssh template_for_dispvms true
qvm-prefs workstation-dvm-ssh netvm none
echo '[Desktop Entry]
Name=ssh-add
Exec=ssh-add -L
Type=Application' > ~/ssh-add.desktop
qvm-move-to-vm workstation-dvm-ssh ~/ssh-add.desktop
qvm-run workstation-dvm-ssh "mkdir -p /home/user/.config/autostart"
qvm-run workstation-dvm-ssh "mv /home/user/QubesIncoming/dom0/ssh-add.desktop /home/user/.config/autostart/ssh-add.desktop"
qvm-run workstation-dvm-ssh "rm -r /home/user/QubesIncoming"
qvm-shutdown workstation-dvm-ssh

# named disposable client, routed through sys-whonix
qvm-create -C DispVM -l orange -t workstation-dvm-ssh disp-ssh
qvm-prefs disp-ssh netvm sys-whonix

save & exit

run the script

dom0: chmod 700 ~/ssh-setup.sh
dom0: ~/ssh-setup.sh

while you wait open a terminal & create a policy

dom0: nano /etc/qubes/policy.d/50-ssh.policy

print

qubes.SshAgent	*	disp-ssh	@default	ask	default_target=>
qubes.SshAgent	*	disp-ssh	app-ssh-keyring	ask
qubes.SshAgent	*	@anyvm	app-ssh-keyring	deny

save & exit

open a terminal

dom0: qvm-run app-ssh-keyring xterm

generate key

xterm: ssh-keygen -t ed25519 -a 500

hit enter on the first prompt
enter a password on the second prompt

copy the public key to the client vm

xterm: qvm-copy-to-vm disp-ssh /home/user/.ssh/id_ed25519.pub
xterm: exit

open a terminal

dom0: qvm-run disp-ssh xfce4-terminal

output the key in terminal

xfce4-terminal: cat /home/user/QubesIncoming/app-ssh-keyring/id_ed25519.pub

copy the key and paste it to wherever is appropriate

shutdown the qube

dom0: qvm-shutdown app-ssh-keyring disp-ssh

now run the dispvm

dom0: qvm-run disp-ssh xfce4-terminal

you will be prompted to select vault qube
you will be prompted to enter the password
this will be the only thing to do to retrieve the keys

example to establish connection

xfce4-terminal: ssh user@ip.address
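Added example (not from the original post or from Qubes OS): a simplified first-match evaluator for the three qubes.SshAgent policy lines above, to check which qube can reach the vault and why the order of the lines matters. The policy text is constructed; the default_target value on the @default line is an assumption (the post shows it truncated), and real qrexec has more tokens (@tag:, @dispvm:, dom0 handling) that this model leaves out.

```python
# Simplified model of Qubes 4.x qrexec policy matching (first match wins,
# no match means deny). Not the real policy engine; see the lead-in.

# Constructed policy; default_target value is an assumption.
POLICY = """\
qubes.SshAgent\t*\tdisp-ssh\t@default\task\tdefault_target=app-ssh-keyring
qubes.SshAgent\t*\tdisp-ssh\tapp-ssh-keyring\task
qubes.SshAgent\t*\t@anyvm\tapp-ssh-keyring\tdeny
"""


def parse_policy(text):
    """Parse 'service argument source target action [key=value ...]' lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        service, argument, source, target, action, *extra = line.split()
        params = dict(item.split("=", 1) for item in extra)
        rules.append((service, argument, source, target, action, params))
    return rules


def _matches(pattern, name):
    # Simplified: '@anyvm' matches any qube, otherwise the name must be exact.
    return pattern == "@anyvm" or pattern == name


def evaluate(rules, source, requested_target, service="qubes.SshAgent"):
    """Return (action, resolved_target) from the first matching rule."""
    for svc, _arg, src, dst, action, params in rules:
        if svc not in ("*", service) or not _matches(src, source):
            continue
        if dst == "@default":                     # caller asked for @default
            if requested_target == "@default":
                return action, params.get("default_target", "@default")
            continue
        if requested_target != "@default" and _matches(dst, requested_target):
            return action, requested_target
    return "deny", requested_target               # nothing matched: denied


RULES = parse_policy(POLICY)

if __name__ == "__main__":
    for src, dst in [("disp-ssh", "app-ssh-keyring"), ("disp-ssh", "@default"),
                     ("personal", "app-ssh-keyring"), ("personal", "@default")]:
        print(src, "->", dst, ":", evaluate(RULES, src, dst))
    # With the deny line moved to the top, disp-ssh would be blocked as well.
    print("reversed:", evaluate(RULES[::-1], "disp-ssh", "app-ssh-keyring"))
```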

Your original post was wrongly formatted. I tried to correct it a bit, but may I suggest you learn how to format your post with markdown and rewrite it?


A solid first step would be sending a direct message to discobot:

better?


And do what?
I find it quite funny that you want me to improve my instructions, then don't provide any of your own.
What am I supposed to ask the bot?

It used to be self explanatory, since the bot answers you via PM.


Hmm ok, thanks.
I'll check into that.
For some reason I can't even load the page at the moment.

But if that's the answer I'm still not sure what I'm supposed to ask the bot.

Yes.