SSH Agent¶
This VM provides SSH agent access via qrexec.
The example below uses these names; change them as needed:
SSH Agent VM: sys-ssh-agent
Client VM: admin
Tag to identify Client VMs: ssh-agent-client
Create VM¶
In dom0:
qvm-create --label black --property netvm= sys-ssh-agent
(Tested with Debian-based Template only.)
Prepare Template VM¶
Install dependencies:
apt install ncat
Create /etc/qubes-rpc/custom.SshAgent …:
#!/bin/sh
# Show which qube is connecting; $QREXEC_REMOTE_DOMAIN is set by qrexec.
notify-send "$(qubesdb-read /name): SSH agent access by $QREXEC_REMOTE_DOMAIN"
# Append an audit line, serialised with flock so concurrent requests do not interleave.
exec 3>>~/ssh-agent.log
flock -n 3
echo "$(date --rfc-3339=ns): source: $QREXEC_REMOTE_DOMAIN" >&3
exec 3>&-
# Relay the qrexec stream to the local agent socket.
ncat -U "$SSH_AUTH_SOCK"
… and make it executable:
chmod +x /etc/qubes-rpc/custom.SshAgent
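The service above leaves a line per connection in ~/ssh-agent.log, which is the only record of which qube used the agent and when. The audit helper below is an added example (not part of the original page or of Qubes OS) that summarises that log per source qube and flags any source that is not on an expected allowlist; the log lines and the allowlist are constructed for the example, the format matches what the service's echo line writes.

```shell
#!/bin/sh
# Added example: audit the ssh-agent.log written by custom.SshAgent.
# A log line looks like:
#   2024-05-01 09:00:00.123456789+02:00: source: admin
# (date --rfc-3339=ns, then ": source: ", then the requesting qube name).

# Read a log on stdin; print "<count> <qube>" per source qube, most active first.
summarize_agent_log() {
    awk -F'source: ' '/: source: /{ n[$2]++ } END { for (d in n) print n[d], d }' | sort -rn
}

# Read a log on stdin; print every source qube that is not in the
# space-separated allowlist given as $1. Returns 1 if any were found.
unexpected_sources() {
    allow=" $1 "
    found=0
    for d in $(awk -F'source: ' '/: source: /{ print $2 }' | sort -u); do
        case "$allow" in
            *" $d "*) ;;
            *) echo "$d"; found=1 ;;
        esac
    done
    return $found
}

# Constructed sample log (in sys-ssh-agent you would use: < ~/ssh-agent.log).
SAMPLE_LOG='2024-05-01 09:00:00.123456789+02:00: source: admin
2024-05-01 09:00:03.000000000+02:00: source: admin
2024-05-01 09:15:42.555555555+02:00: source: work
2024-05-01 23:59:59.000000000+02:00: source: untrusted'

# Qubes that are expected to carry the ssh-agent-client tag (assumed for the example).
EXPECTED_CLIENTS="admin work"

printf '%s\n' "$SAMPLE_LOG" | summarize_agent_log
printf '%s\n' "$SAMPLE_LOG" | unexpected_sources "$EXPECTED_CLIENTS" \
    || echo "unexpected client qube(s) listed above: check the ssh-agent-client tag in dom0"
```

If a qube shows up that should not have the tag, `qvm-tags <vm> list` in dom0 tells you whether the tag was set; the policy only grants access to tagged qubes, so an unexpected source in the log means either the tag was added or the policy was widened.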
Setup RPC Policy in Dom0¶
Create /etc/qubes/policy.d/30-custom-ssh-agent.policy:
# service name|* +argument|* source destination action [options]
custom.SshAgent * @tag:ssh-agent-client sys-ssh-agent allow
Grant a VM access by giving it the tag (VM admin in this example). Every tagged VM then gets unprompted access; if you want dom0 to prompt for each connection, use ask instead of allow in the policy above:
qvm-tags admin add ssh-agent-client
In SSH Agent VM¶
By default the OpenSSH ssh-agent is used. If you prefer GnuPG's agent (which needs enable-ssh-support in ~/.gnupg/gpg-agent.conf), add this to ~/.bashrc:
unset SSH_AGENT_PID
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
Generate a key:
ssh-keygen -t ed25519
Load SSH keys from the default locations (OpenSSH only) by adding this to ~/.profile (use ssh-add -c instead if the agent should ask for confirmation before every use of a key):
ssh-add -q
Client VM (admin)¶
Create a systemd user service (~/.config/systemd/user/remote-ssh-agent.service):
[Unit]
Description=Connect to SSH agent on remote machine.
[Service]
UMask=177
ExecStartPre=-/usr/bin/rm /var/run/user/%U/remote-ssh-agent.socket
ExecStart=/usr/bin/ncat -k -l -U /var/run/user/%U/remote-ssh-agent.socket -c 'qrexec-client-vm sys-ssh-agent custom.SshAgent'
[Install]
WantedBy=default.target
Enable service:
systemctl --user daemon-reload
systemctl --user enable --now remote-ssh-agent
Add to ~/.profile:
unset SSH_AGENT_PID
export SSH_AUTH_SOCK=/var/run/user/$(id -u)/remote-ssh-agent.socket
If you want to use the remote agent for Git only, set it for Git's ssh command instead of exporting it in ~/.profile:
git config --global core.sshCommand "SSH_AUTH_SOCK=/var/run/user/$(id -u)/remote-ssh-agent.socket SSH_AGENT_PID= ssh"