Split SSH

apparatus · November 15, 2024, 12:51pm

In the ssh-client qube:
https://manpages.debian.org/bullseye/openssh-client/ssh_config.5.en.html

I think you’re describing identity files (e.g. ~/.ssh/id_ed25519) and not ssh user config file ~/.ssh/config.

tanky0u · November 15, 2024, 1:41pm

I am describing the “user’s configuration file (~/.ssh/config)”, in the link you gave

Here’s an example from one of my ssh qubes (non split-ssh qube setup)

# content of ~/.ssh/config file
Host myvps
        User            user
        Hostname    somelong.onion
        IdentityFile    ~/.ssh/myvps_ed25519

Once I have this file, in my ssh qube (again, non split-ssh), I simply do the command

ssh myvps

and the ssh stuff automatically uses my username and hostname (ssh target) strings.

So, where does this file go? Because, with split-ssh setup, the IdentityFile (ie, the ssh privkey) is located in the vault qube, and not on the ssh-client qube. So, on ssh-client qube, the ~/.ssh/myvps_ed25519 would be a non-existent file?

apparatus · November 15, 2024, 1:58pm

Maybe you need to remove IdentityFile from your config and the ssh in your vault will pick the private key with corresponding User and Hostname provided by ssh client.
But it’s just a guess, try it out to make sure.

tanky0u · November 16, 2024, 9:45am

I tested my setup. The ~/.config/ssh file I provided here stays the same. I only moved the private and public ssh keys to the vault qube.

I also didn’t use /rw/config/rc.local changes, and instead, moved the script that goes in there in the original guide into ~/.config/autostart/split-ssh.desktop.

And lastly, I enveloped the whole ~/.ssh directory into an encrypted tomb. So I first deliberately unearth the ~/.ssh contents from its tomb in the vault qube, then, I am able to use the split-ssh from that vault.

tanky0u · November 17, 2024, 6:14pm

Split-ssh is amazing. I should’ve started using this earlier. Now, not only am I able to confirm/deny whenever a qube of mine tries to fetch my ssh keys from the vault qube, I also get a desktop notification whenever a qube accesses my ssh keys. This is great for keeping an eye on which qubes and which processes might be trying to pull your secrets in the background.

I am much more motivated to look into split-gpg now!

qubes_wannabe · December 8, 2024, 8:13pm

This is a great guide! Thank you.

I have just 1 remark that maybe can be useful to others:

Remark

As is, the guide fails to work with a Whonix appVM, because Whonix_Workstation uses zsh and not bash and therefore it does not execute ~/.bashrc.

Solution: In the section In the AppVM ssh-client of the guide, instead of

Edit ~/.bashrc

do

Edit ~/.profile

adding the same content:

# SPLIT SSH CONFIGURATION >>>
# replace "vault" with your AppVM name which stores the ssh private key(s)
SSH_VAULT_VM="vault"

if [ "$SSH_VAULT_VM" != "" ]; then
  export SSH_AUTH_SOCK="/home/user/.SSH_AGENT_$SSH_VAULT_VM"
fi
# <<< SPLIT SSH CONFIGURATION

tanky0u · December 9, 2024, 10:15am

I put that into ~/.zshrc. The ~/.profile was behaving erratically on me; not applying its changes some of the times even after I start a terminal in the qube.

quazzle · January 15, 2025, 3:25am

For the ssh-client AppVM, instead of changing rc.local and .bashrc, I’d suggest replacing the file /etc/X11/Xsession.d/90x11-common_ssh-agent in the template with

SSH_VAULT_VM="vault"
export SSH_AUTH_SOCK=/tmp/ssh-agent-$SSH_VAULT_VM
rm -f $SSH_AUTH_SOCK
umask 177 && socat "UNIX-LISTEN:$SSH_AUTH_SOCK,fork" "EXEC:qrexec-client-vm $SSH_VAULT_VM qubes.SshAgent" &

This file normally starts ssh-agent and so has the added benefit that you won’t be needlessly running a local ssh-agent.

sm95 · January 20, 2025, 6:25pm

This would impact all VMs using that template, wouldn’t it? Not all VMs using a template need to be targeting the ssh-agent and split-ssh vault qube. At least, this is the case for my setup.

quazzle · January 20, 2025, 8:33pm

Yes it affects all VMs using the template. But I don’t really see a use case where you’d have split ssh set up and want some VMs to use the local ssh-agent, i.e. a mix of split and non-split ssh. Certainly many VMs don’t need ssh at all but this setup wouldn’t impact those VMs. You either run an unneeded ssh-agent in those VMs or an unneeded split ssh proxy.

TommyTran732 · January 28, 2025, 2:13pm

Shouldn’t the policies be target_default instead of target?

phantom · March 11, 2025, 4:51pm

To prefill the input field of the dialog box with the qube holding the SSH keys, it should be default_target. So this example:

qubes.SshAgent * @anyvm @anyvm ask target=vault

Should actually be written like this:

qubes.SshAgent * @anyvm @anyvm ask default_target=vault

tanky0u · March 14, 2025, 7:12pm

yes I switched to using default_target as well