I did some further investigations to the packages which are installed with
- qubes-core-agent-networking
- qubes-core-agent-network-manager
Now, I can provide a final solution for SSH client with KeePassXC based on a minimal Debian template (based on split-ssh).
The required packages for the deb-11-m-secrets are:
- keepassxc
- ssh-askpass-gnome
- socat (this was the missing package which comes with qubes-core-agent-networking. Actually, it is pretty obvious when you see this image)
for convenience and additional split-gpg usage I have added:
- qubes-core-agent-nautilus
- nautilus
- zenity
- gnupg
- qubes-gpg-split
when using a security token key (i.e. Yubikey):
- qubes-usb-proxy: required to pass through an USB device
- xserver-xorg-input-libinput: only required for static passwords
- policykit-1: only required for challenger response
when using KeepassXC OTP feature:
- systemd-timesyncd
If you find additional fine tuning please let me know.