SSH client with KeePassXC based on a minimal Debian template

I tried to move my ssh and vault AppVMs based on a (default) Debian 11 template to minimal Debian templates. My setup is based on split-ssh (Forum thread).

Naming:

  • vault : previous (default) vault based on the standard Debian template
  • ssh : new ssh AppVM based on deb-11-m-ssh
  • deb-11-m-ssh : new minimal Debian 11 template for ssh (only)
  • secrets : new “vault” AppVM based on deb-11-m-secrets
  • deb-11-m-secrets : new minimal Debian 11 template for secrets (only)

Checks I did:
In the ssh terminal, checking the agent identities with:
ssh-add -L
works fine with interconnection to vault - returns my ssh key.

In the ssh terminal, checking the agent identities with:
ssh-add -L
does not work with interconnection to secrets - returns error fetching identities: communication with agent failed.

Therefore, I do expect a missing installation or configuration in either the secrets AppVM or in the deb-11-m-secrets template.

What I did:

Configuration in dom0:

  • in /etc/qubes-rpc/policy/qubes.SshAgent
    @anyvm @anyvm ask

Installed packages in deb-11-m-secrets:

  • qubes-core-agent-networking
  • gnupg
  • policykit-1
  • libblockdev-crypto2
  • ssh
  • ssh-askpass-gnome

Configuration in deb-11-m-secrets:

user@deb-11-m-secrets:~$ sudo gedit /etc/qubes-rpc/qubes.SshAgent
#!/bin/sh
# Qubes App Split SSH Script

# safeguard - Qubes notification bubble for each ssh request
notify-send "[$(qubesdb-read /name)] SSH agent access from: $QREXEC_REMOTE_DOMAIN"

# SSH connection
socat - "UNIX-CONNECT:$SSH_AUTH_SOCK"
user@deb-11-m-secrets:~$ sudo chmod +x /etc/qubes-rpc/qubes.SshAgent

Configuration in ssh:

user@ssh:~$ sudo gedit /rw/config/rc.local

added to file:

# SPLIT SSH CONFIGURATION >>>
# replace "vault" with your AppVM name which stores the ssh private key(s)
SSH_VAULT_VM="secrets"

if [ "$SSH_VAULT_VM" != "" ]; then
  export SSH_SOCK="/home/user/.SSH_AGENT_$SSH_VAULT_VM"
  rm -f "$SSH_SOCK"
  sudo -u user /bin/sh -c "umask 177 && exec socat 'UNIX-LISTEN:$SSH_SOCK,fork' 'EXEC:qrexec-client-vm $SSH_VAULT_VM qubes.SshAgent'" &
fi
# <<< SPLIT SSH CONFIGURATION

and in

user@ssh:~$ gedit ~/.bashrc

added

# SPLIT SSH CONFIGURATION >>>
# replace "vault" with your AppVM name which stores the ssh private key(s)
SSH_VAULT_VM="secrets"

if [ "$SSH_VAULT_VM" != "" ]; then
  export SSH_AUTH_SOCK="/home/user/.SSH_AGENT_$SSH_VAULT_VM"
fi
# <<< SPLIT SSH CONFIGURATION

followed by the KeePassXC configuration. I got graphical feedback from the KeePassXC UI “SSH Agent connection is working!” and the pre-test also correctly returns my ssh key (within the secrets AppVM).

Consequently, my guess is that I am missing a package in my deb-11-m-ssh template. What do you think? Is there any further test I can do?

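A preflight check for the pieces the qubes.SshAgent script in the post above depends on, as an added example that is not part of the thread: it checks the service file, the three commands that script calls, and the agent socket. The function name split_ssh_preflight and its output format are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the thread): preflight for the qubes.SshAgent
# service in the qube that holds the keys.
# Usage: split_ssh_preflight SERVICE_SCRIPT AGENT_SOCKET
# Prints one line per problem found; returns 0 only when there are none.
split_ssh_preflight() {
    svc=$1
    sock=$2
    problems=0

    # qrexec can only run the service if the file exists and is executable.
    if [ ! -f "$svc" ]; then
        echo "BAD service: $svc does not exist"
        problems=$((problems + 1))
    elif [ ! -x "$svc" ]; then
        echo "BAD service: $svc is not executable"
        problems=$((problems + 1))
    fi

    # Every external command the service script in the post calls.
    for cmd in notify-send qubesdb-read socat; do
        if ! command -v "$cmd" >/dev/null 2>&1; then
            echo "MISSING command: $cmd"
            problems=$((problems + 1))
        fi
    done

    # socat connects to $SSH_AUTH_SOCK, so it must name a UNIX socket.
    if [ -z "$sock" ]; then
        echo "BAD socket: SSH_AUTH_SOCK is empty"
        problems=$((problems + 1))
    elif [ ! -S "$sock" ]; then
        echo "BAD socket: $sock is not a UNIX socket"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Check the live paths from the post; a non-zero result is reported, not fatal.
split_ssh_preflight /etc/qubes-rpc/qubes.SshAgent "${SSH_AUTH_SOCK:-}" \
    || echo "split-ssh preflight: problems found"
```

Run it inside the key-holding qube (secrets in this thread). SSH_AUTH_SOCK is read from the shell the check runs in, which may differ from the environment the RPC service receives.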

@fsflover any hint which package I am missing?

Sorry, this is beyond my knowledge of Qubes and Linux. I hope someone else could help you.

In the case of a missing package, I always try to meld diffs between a working and a non-working cloned template, then, using common sense, install the packages one by one in a clone and try it.
A VM interconnection setup error like yours should narrow your search for a missing package enough. I’d start with the diffs of the qubes repo packages.


I have now spent 2,5 days checking, comparing, installing and removing packages, and have checked the config files 10 times (in the AppVM, TemplateVM). I am still not able to get it working with the minimal template setup. I pause here and hope that someone who has a working minimal Debian split-ssh setup reads the post. 🤞


I remember having this problem, here’s my fix (run as root in deb-11-m-secrets):

chmod 755 /usr/bin/ssh-agent

Then shut down the template and restart the VM.

Thanks for this tip, unfortunately, this does not fix it on my side.

In my working (ordinary) debian-11 template it is also not set to chmod 755.

  • ssh (appVM based on deb-11-m-ssh) > vault (appVM based on debian-11): works.

  • ssh (appVM based on deb-11-m-ssh) > secrets (appVM based on debian-11): does not work. Returns “error fetching identities: communication with agent failed”.

Do you have a working ssh with secrets AppVM based on a minimal Debian? If yes, could you please share your installed packages (for both templates deb-11-m-ssh and deb-11-m-secrets)?