mirror of https://github.com/Qubes-Community/Contents.git synced 2024-10-01 01:05:51 -04:00

2020-11-18 09:27:33 +00:00

14 KiB

Raw Blame History

Qubes Split SSH

This Qubes setup allows you to keep SSH private keys in a vault VM (vault) and SSH Client VM (ssh-client) to use them only after being authorized. This is done by using Qubes's qrexec framework to connect a local SSH Agent socket from an AppVM to the SSH Agent socket within the vault VM.

Overview

Make sure the TemplateVM you plan to use is up to date and nmap and ncat is installed.
Create vault and ssh-client AppVMs.
Create an ssh key in your vault AppVM and set up automatic key adding prompt.
Set up VM interconnection
(Strongly Encouraged) Create a KeePassXC Database and set up SSH Agent Integration in KeePassXC.

Prepare Your System

(Optional) Take a system snapshot before you start tuning your system or do any major installations. To perform a Qubes OS backup please read and follow this guide in the User Documentation.

Make sure the TemplateVM you plan to use is up to date.

For Fedora templates:

[user@fedora-32 ~]$ sudo dnf update && sudo dnf upgrade -y

For Debian templates:

user@debian-10:~$ sudo apt-get update && sudo apt-get upgrade

Make sure nmap and ncat is installed in your TemplateVM

For Fedora templates:

[user@fedora-32 ~]$ sudo dnf install nmap-ncat

For Debian templates:

user@debian-10:~$ sudo apt-get install nmap ncat

If you don't plan to use KeePassXC, install ssh-askpass.

For Fedora templates:

[user@fedora-32 ~]$ sudo dnf install openssh-askpass

For Debian templates:

user@debian-10:~$ sudo apt-get install ssh-askpass

Creating AppVMs

If you’ve installed Qubes OS using the default options, a few qubes including a vault AppVM has been created for you. Skip the first step if you don't wish to create another vault.

Create a new vault AppVM (vault) based on your chosen template. Set networking to (none).
Create a SSH Client AppVM (ssh-client). This VM will be used to make the SSH connection to your remote machine.

Setting up SSH

Perform the next steps in a vault VM terminal.

Generate an SSH key pair. Skip this step if you already have your keys.

[user@vault ~]$ ssh-keygen -t ed25519 -a 500
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/user/.ssh/id_ed25519): 
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_ed25519
Your public key has been saved in /home/user/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:DBxSxZcp16d1NSVSid3m8HRipUDM2INghQ4Sx3jPEDo user@vault
The key's randomart image is:
+--[ED25519 256]--+
|    o==+++.@++o=*|
|    o==o+ B BoOoB|
|    Eoo* +   *.O.|
|     . o+   .   o|
|        S        |
|                 |
|                 |
|                 |
|                 |
+----[SHA256]-----+

-t: type
-a: num_trials

Please note that the key fingerprint and the randomart image will differ.

For more information about ssh-keygen, run man ssh-keygen.

Notice: You can skip the following steps if you plan on using KeePassXC.

Make a new directory ~/.config/autostart

[user@fedora-32 ~]$ mkdir -p ~/.config/autostart

Create the file ssh-add.desktop in ~/.config/autostart
- Open the file with e.g. nano
```
[user@fedora-32 ~]$ nano ~/.config/autostart/ssh-add.desktop
```
- Paste the following contents:
```
[Desktop Entry]
Name=ssh-add
Exec=ssh-add
Type=Application
```
Note: If you've specified a custom name for your key using -f, you should adjust Exec=ssh-add to Exec=ssh-add <path-to-your-key-file>.
- Save and exit.

With this configuration you'll be prompted for a password the first time you start your vault VM to be able to make use of your SSH key.

Setting Up VM Interconnection

In the TemplateVM to your vault VM:

Create the file qubes.SshAgent in /etc/qubes-rpc

Open the file with e.g. nano

[user@fedora-32 ~]$ sudo nano /etc/qubes-rpc/qubes.SshAgent

Paste the following contents:

#!/bin/sh
# Qubes App Split SSH Script

# safeguard - Qubes notification bubble for each ssh request
notify-send "[`qubesdb-read /name`] SSH agent access from: $QREXEC_REMOTE_DOMAIN"

# SSH connection
ncat -U $SSH_AUTH_SOCK

Save and exit.

Shutdown the template VM.

In `dom0`:

Create the file qubes.SshAgent in /etc/qubes-rpc
- Open the file with your editor of choice (e.g. nano).
```
[user@fedora-32 ~]$ sudo nano /etc/qubes-rpc/qubes.SshAgent
```
- If you want to explicitly allow only this connection, add the following line:
```
ssh-client vault ask
```
- If you want to allow all VMs to connect, add the following line:
```
@anyvm @anyvm ask
```
- If you want the input field to be "prefilled" by your vault VM, append default_target=vault so it looks like for example:
```
@anyvm @anyvm ask,default_target=vault
```
- Save and exit.
Note: There are many ways to fine-tune this policy. For more details see Qubes qrexec documentation.
Close the terminal. Do not shutdown dom0.

In a SSH Client AppVM terminal

Theoretically, you can use any AppVM but to increase security it is advised to create a dedicated AppVM for your SSH connections. Furthermore, you can set different firewall rules for each VM (i.e. for intranet and internet connections) which also provides additional protection.

Edit /rw/config/rc.local

Open the file with your editor of choice (e.g. nano).

[user@ssh-client ~]$ sudo nano /rw/config/rc.local

Add the following to the bottom of the file:

# SPLIT SSH CONFIGURATION >>>
# replace "vault" with your AppVM name which stores the ssh private key(s)
SSH_VAULT_VM="vault"

if [ "$SSH_VAULT_VM" != "" ]; then
  export SSH_SOCK="/home/user/.SSH_AGENT_$SSH_VAULT_VM"
  rm -f "$SSH_SOCK"
  sudo -u user /bin/sh -c "umask 177 && ncat -k -l -U '$SSH_SOCK' -c 'qrexec-client-vm $SSH_VAULT_VM qubes.SshAgent' &"
fi
# <<< SPLIT SSH CONFIGURATION

Save and exit.

Edit ~/.bashrc

Open the file with your editor of choice (e.g. nano).
```
[user@ssh-client ~]$ nano ~/.bashrc
```

Add the following to the bottom of the file:

# SPLIT SSH CONFIGURATION >>>
# replace "vault" with your AppVM name which stores the ssh private key(s)
SSH_VAULT_VM="vault"

if [ "$SSH_VAULT_VM" != "" ]; then
    export SSH_AUTH_SOCK="/home/user/.SSH_AGENT_$SSH_VAULT_VM"
fi
# <<< SPLIT SSH CONFIGURATION

Save and exit.

Using KeePassXC

Warning: This part is for setting up KeePassXC, not KeePassX or KeePass. See the KeePassXC FAQ.

KeePassXC should be installed by default in both Fedora and Debian TemplateVMs. If this changes in the future and you find that it isn't, it can be installed with:

For Fedora templates:
```
[user@fedora-32 ~]$ sudo dnf install keepassxc
```
For Debian templates:
```
user@vault-deb:~$ sudo apt-get install keepassxc
```
If you have another template check the KeePassXC download page for instructions.
Add KeepasXC to the Applications menu of the newly created AppVM for ease of access.

Note: Since the vault VM has no internet connection, you can safely deny automatic updates.

Create a new database.
Enter a name for your database and continue.
Adjust the encryption settings. Check the KeePassXC User Guide for more information about these settings.
Enter a password for your database. Take your time make a secure but also rememberable password. (hint)
Add a new entry.
Set password to your SSH key passphrase.
Go into the Advanced section and add your keys.

Note: You only need to add the private key (id_25519 here) but if you want to be able to simply back up both your private and public key (myssh_key.pub) by backing up your KeePassXC database (*.kdbx file) you can add that too.
Enable "SSH Agent Integration" within the Application Settings.
Restart KeePassXC
Check the SSH Agent Integration status.

Select your private key in the "SSH Agent" section.

Testing the KeePassXC Setup

Close your KeePassXC database and run ssh-add -L. It should return The agent has no identities.
```
[user@vault ~]$ ssh-add -L
The agent has no identities.
```
Unlock your KeePassXC database and run ssh-add -L again. This time it should return your public key.
```
[user@vault ~]$ ssh-add -L
ssh-ed25519 <public key string> user@vault-keepassxc
```

Test Your Configuration

Shutdown your vaultVM.
Try fetching your identities on the SSH Client VM.
```
[user@ssh-client ~]$ ssh-add -L
```
Allow operation execution

Check if it returns error fetching identities: communication with agent failed

Start your vaultVM and unlock your KeePassXC database.
Try fetching your identities on the SSH Client VM.
```
[user@ssh-client ~]$ ssh-add -L
```
Allow operation execution

Check if it returns ssh-ed25519 <public key string>

(Optional) Backing Up the Configuration

System Backup

Start a system backup as per the User Documentation.

KeePassXC Database Backup

You can also only back up your *.kdbx file.

Depending on your threat model you can:

Hide the *.kdbx file by simply renaming the file extension (e.g. *.zip)
Add an additional security layer by adding a second encryption layer (e.g. VeraCrypt, *.7z with password)
Upload the *.kdbx to an end-to-end-encrypted email box (e.g. Tutanota, ProtonMail)

Want more Qubes split magic? Check out Split-GPG.

This guide has been inspired by:

Qubes Split SSH (Github: Jason Hennessey - henn) https://github.com/henn/qubes-app-split-ssh

Using split ssh in QubesOS 4.0 (Kushal Das) https://kushaldas.in/posts/using-split-ssh-in-qubesos-4-0.html

Using Split-SSH in Qubes 4 (Denis Zanin) https://deniszanin.com/using-split-ssh-gpg-in-qubes-os/

R.I.S.K.S. https://19hundreds.github.io/risks-workflow/ssh-split-setup

Qubes Community: Phil (phl), deeplow, whoami, santorihelix https://qubes-os.discourse.group/

14 KiB Raw Blame History Unescape Escape

Qubes Split SSH

Overview

Prepare Your System

Creating AppVMs

Setting up SSH

Setting Up VM Interconnection

In the TemplateVM to your vault VM:

In dom0:

In a SSH Client AppVM terminal

Using KeePassXC

Testing the KeePassXC Setup

Test Your Configuration

(Optional) Backing Up the Configuration

System Backup

KeePassXC Database Backup

14 KiB

Raw Blame History

In `dom0`: