mirror of
https://github.com/PrivSec-dev/privsec.dev.git
synced 2024-12-28 16:59:31 -05:00
Mention SSH Control
Signed-off-by: tommytran732 <contact@tommytran.io>
This commit is contained in:
parent
4a00b7ec5b
commit
be8b5a7cff
@ -19,14 +19,18 @@ Note that if you already have a PGP key with a passphrase, you can remove it by
|
||||
|
||||
This part is based on the Qubes Community's [guide](https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/split-ssh.md); however, I will deviate from it to use the PGP keys for SSH instead of generating a new key pair.
|
||||
|
||||
In `dom0`:
|
||||
### In `dom0`
|
||||
|
||||
- Create `/etc/qubes-rpc/policy/qubes.SshAgent` with `@anyvm @anyvm ask,default_target=vault` as the content. Since the keys ar not passphrase protected, you should **not** set the policy to allow.
|
||||
|
||||
In `vault` AppVM:
|
||||
### In `vault` AppVM:
|
||||
- Add `enable-ssh-support` to the end of `~/.gnupg/gpg-agent.conf`
|
||||
- Get your keygrip with `gpg --with-keygrip -k`
|
||||
- Add your keygrip to the end of `~/.gnupg/sshconrol`
|
||||
|
||||
In `vault`'s TemplateVM:
|
||||
~[PGP Keygrip](/images/keygrip.png)
|
||||
|
||||
### In `vault`'s TemplateVM:
|
||||
|
||||
- Create `/etc/qubes-rpc/qubes.SshAgent` with the following content:
|
||||
```bash
|
||||
@ -48,7 +52,7 @@ socat - "UNIX-CONNECT:$SSH_AUTH_SOCK"
|
||||
- Make it executable with `sudo chmod +x /etc/qubes-rpc/qubes.SshAgent`
|
||||
- Turn off the templateVM. If the `vault` VM is running, turn it off, then start it to update the VM's configuration.
|
||||
|
||||
In `ssh-client` AppVM:
|
||||
### In `ssh-client` AppVM:
|
||||
|
||||
- Add the following to the end of `/rw/config/rc.local`:
|
||||
```bash
|
||||
|
BIN
static/images/keygrip.png
Normal file
BIN
static/images/keygrip.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 48 KiB |
Loading…
Reference in New Issue
Block a user