split-ssh setup
end result will yield
client: whonix-workstation - dispvm
vault: debian-12-minimal - appvm
starting the client vm will automatically prompt for the vault vm
choosing the vault vm will automatically start the vault vm and prompt for the password
before you start
install (if needed) and update debian-12-minimal & whonix-workstation-17
create script
dom0: nano ~/ssh-setup.sh
paste the following
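#!/bin/sh
# dom0 one-shot setup for split-ssh.
#
# Builds two chains of qubes:
#   deb-12-mini-ssh-keyring (template) -> app-ssh-keyring
#       vault AppVM: holds the key and runs ssh-agent
#   workstation-ssh (template) -> workstation-dvm-ssh (DispVM template,
#       no netvm) -> disp-ssh (client DispVM behind sys-whonix)
#
# The vault exposes its agent socket through the qubes.SshAgent qrexec
# service; the client reaches it with qrexec-client-vm and never sees the
# private key. The service only answers once a dom0 policy for
# qubes.SshAgent exists under /etc/qubes/policy.d, which this script
# deliberately does not write.
#
# Every failing step aborts the run (set -e) instead of leaving a
# half-built setup that looks finished.
set -eu

vault_template=deb-12-mini-ssh-keyring
vault_vm=app-ssh-keyring
client_template=workstation-ssh
client_dvm_template=workstation-dvm-ssh
client_dispvm=disp-ssh
# where qvm-move-to-vm drops files sent from dom0
incoming=/home/user/QubesIncoming/dom0

# stage VM NAME MODE
#   Reads a file body from stdin, stores it as ~/NAME with MODE in dom0 and
#   moves it into VM, where it lands at $incoming/NAME. qvm-move-to-vm
#   starts VM when needed and removes the dom0 copy afterwards.
stage() {
  cat >"$HOME/$2"
  chmod "$3" "$HOME/$2"
  qvm-move-to-vm "$1" "$HOME/$2"
}

# finish VM
#   Removes the QubesIncoming leftovers and shuts VM down. --wait matters
#   for the templates: an AppVM started before its template has fully
#   stopped would get a root snapshot without the packages just installed.
finish() {
  qvm-run "$1" "rm -r /home/user/QubesIncoming"
  qvm-shutdown --wait "$1"
}

### vault template: socat + askpass, plus the qubes.SshAgent service

qvm-clone debian-12-minimal "$vault_template"

stage "$vault_template" ssh.sh 700 <<'EOF'
#!/bin/sh
apt-get -y install socat ssh-askpass-gnome libnotify-bin
EOF
# run as root directly instead of relying on passwordless sudo inside the template
qvm-run -u root "$vault_template" "$incoming/ssh.sh"

# The shebang must be the very first line for the kernel to honour it.
# $QREXEC_REMOTE_DOMAIN is supplied by qrexec; $SSH_AUTH_SOCK is the
# vault's own agent socket, which socat bridges to the calling qube.
stage "$vault_template" qubes.SshAgent 700 <<'EOF'
#!/bin/sh
notify-send "[$(qubesdb-read /name)] SSH agent access from: $QREXEC_REMOTE_DOMAIN"
socat - "UNIX-CONNECT:$SSH_AUTH_SOCK"
EOF
qvm-run -u root "$vault_template" "mv $incoming/qubes.SshAgent /etc/qubes-rpc/qubes.SshAgent"
finish "$vault_template"

### client template: ssh client plus the agent-forwarding login hook

qvm-clone whonix-workstation-17 "$client_template"

# socat is what the login hook below runs; installing it explicitly is a
# no-op if the template already ships it.
stage "$client_template" ssh.sh 700 <<'EOF'
#!/bin/sh
apt-get -y install openssh-client socat
EOF
qvm-run -u root "$client_template" "$incoming/ssh.sh"

# Sourced by Xsession at login. The umask change is confined to the
# backgrounded subshell so the rest of the session keeps its default.
# The socket path is predictable on purpose: ssh finds it via
# SSH_AUTH_SOCK and the qube is single-user.
stage "$client_template" 90x11-common_ssh-agent 644 <<'EOF'
#
# split-ssh: point SSH_AUTH_SOCK at the vault qube's agent via qrexec.
SSH_VAULT_VM="app-ssh-keyring"
export SSH_AUTH_SOCK="/tmp/ssh-agent-$SSH_VAULT_VM"
rm -f "$SSH_AUTH_SOCK"
( umask 177 && exec socat "UNIX-LISTEN:$SSH_AUTH_SOCK,fork" "EXEC:qrexec-client-vm $SSH_VAULT_VM qubes.SshAgent" ) &
EOF
qvm-run -u root "$client_template" "mv $incoming/90x11-common_ssh-agent /etc/X11/Xsession.d/90x11-common_ssh-agent"
finish "$client_template"

### vault AppVM: loads the key into ssh-agent at login, confirming each use

qvm-create -C AppVM -l blue -t "$vault_template" "$vault_vm"
# ssh-add -c: the identity is subject to confirmation before each use,
# on top of the passphrase prompt when it is first loaded.
stage "$vault_vm" ssh-add.desktop 644 <<'EOF'
#
[Desktop Entry]
Name=ssh-add
Exec=ssh-add -c
Type=Application
EOF
qvm-run "$vault_vm" "mkdir -p /home/user/.config/autostart"
qvm-run "$vault_vm" "mv $incoming/ssh-add.desktop /home/user/.config/autostart/ssh-add.desktop"
finish "$vault_vm"

### client DispVM template (offline) and the named DispVM that uses it

qvm-create -C AppVM -l yellow -t "$client_template" "$client_dvm_template"
qvm-prefs "$client_dvm_template" template_for_dispvms true
qvm-prefs "$client_dvm_template" netvm none
# ssh-add -L at login queries the forwarded socket, presumably so the
# vault selection and unlock happen when the DispVM starts rather than
# on the first ssh invocation.
stage "$client_dvm_template" ssh-add.desktop 644 <<'EOF'
#
[Desktop Entry]
Name=ssh-add
Exec=ssh-add -L
Type=Application
EOF
qvm-run "$client_dvm_template" "mkdir -p /home/user/.config/autostart"
qvm-run "$client_dvm_template" "mv $incoming/ssh-add.desktop /home/user/.config/autostart/ssh-add.desktop"
finish "$client_dvm_template"

qvm-create -C DispVM -l orange -t "$client_dvm_template" "$client_dispvm"
qvm-prefs "$client_dispvm" netvm sys-whonix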
save & exit
run the script
dom0: chmod 700 ~/ssh-setup.sh
dom0: ~/ssh-setup.sh
while you wait, open a terminal & create a policy
dom0: nano /etc/qubes/policy.d/50-ssh.policy
qubes.SshAgent * disp-ssh @default ask default_target=>
qubes.SshAgent * disp-ssh app-ssh-keyring ask
qubes.SshAgent * @anyvm app-ssh-keyring deny
save & exit
open a terminal
dom0: qvm-run app-ssh-keyring xterm
generate key
xterm: ssh-keygen -t ed25519 -a 500
hit enter on the first prompt
enter a password on the second prompt
copy the public key to the client vm
xterm: qvm-copy-to-vm disp-ssh /home/user/.ssh/id_ed25519.pub
xterm: exit
open a terminal
dom0: qvm-run disp-ssh xfce4-terminal
output the key in terminal
xfce4-terminal: cat /home/user/QubesIncoming/app-ssh-keyring/id_ed25519.pub
copy the key and paste it wherever it is needed
shut down the qubes
dom0: qvm-shutdown app-ssh-keyring disp-ssh
now run the dispvm
dom0: qvm-run disp-ssh xfce4-terminal
you will be prompted to select vault qube
you will be prompted to enter the password
this is all that is required to retrieve the keys
example to establish connection
xfce4-terminal: ssh user@ip.address