refactor: initial commit

salt/sys-ssh-agent/README.md

@@ -0,0 +1,233 @@
+# sys-ssh-agent
+
+SSH Agent through Qrexec in Qubes OS.
+
+## Table of Contents
+
+* [Description](#description)
+* [Security](#security)
+* [Installation](#installation)
+* [Access Control](#access-control)
+* [Usage](#usage)
+  * [Server](#server)
+    * [Generate keys](#generate-keys)
+    * [Limit key usage](#limit-key-usage)
+    * [Reload agent](#reload-agent)
+    * [Debug Agent side](#debug-agent-side)
+  * [Client](#client)
+    * [Enable and Start the service](#enable-and-start-the-service)
+    * [Single agent per client](#single-agent-per-client)
+    * [Multiple agents per client](#multiple-agents-per-client)
+* [Credits](#credits)
+
+## Description
+
+The key pairs are stored on the offline ssh-agent server named
+"sys-ssh-agent", and requests are passed from clients to the server via
+Qrexec. Clients may access the same ssh-agent of a qube, or access different
+agents. In other words, this is an implementation of split-ssh-agent.
+
+The client does not know the identity of the ssh-agent server, nor are keys
+kept in memory in the client. This method is ideal for cases where you have a
+number of key pairs, which are used by different qubes.
+
+A centralized SSH server is very useful not only for keeping your private keys
+safe, but also for keeping your workflow organized. You can delete qubes that
+are SSH clients without loosing access to your remote server, because the
+authentication keys are on the sys-ssh-agent server, your client qube should
+only hold the SSH configuration, which can be reconstructed.
+
+## Security
+
+The private keys are never stored in the client qube, not even in memory, but
+certain attack scenarios are still possible because there is no filtering
+proxy, in fact the client controls the agent in the server it is connecting
+to.
+
+A rogue client has full control of the allowed agent, therefore it can:
+
+1. Use the keys for as long as the client runs;
+2. Lock the agent with `ssh-add -X`; and
+3. Delete keys from memory by issuing `ssh-add -D`
+
+## Installation
+
+- Top:
+```sh
+qubesctl top.enable sys-ssh-agent
+qubesctl --targets=tpl-sys-ssh-agent,sys-ssh-agent state.apply
+qubesctl top.disable sys-ssh-agent
+```
+
+- State:
+<!-- pkg:begin:post-install -->
+```sh
+qubesctl state.apply sys-ssh-agent.create
+qubesctl --skip-dom0 --targets=tpl-sys-ssh-agent state.apply sys-ssh-agent.install
+qubesctl --skip-dom0 --targets=sys-ssh-agent state.apply sys-ssh-agent.configure
+```
+<!-- pkg:end:post-install -->
+
+Installation on the client template:
+```sh
+qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-ssh-agent.install-client
+```
+
+## Access Control
+
+_Default policy_: `deny` `all` requests requesting to use the
+`qusal.SshAgent` RPC service.
+
+As the default policy does not configure any allow rule, you are responsible
+for doing so.
+
+Allow access to the specified agent based on the qube tag:
+```qrexecpolicy
+qusal.SshAgent +work     @tag:work     @default allow target=sys-ssh-agent
+qusal.SshAgent +work     @anyvm        @anyvm   deny
+qusal.SshAgent +personal @tag:personal @default ask   target=sys-ssh-agent default_target=sys-ssh-agent
+qusal.SshAgent +personal @anyvm        @anyvm   deny
+```
+
+Ask access from `untrusted` qubes to the untrusted agent:
+```qrexecpolicy
+qusal.SshAgent +untrusted untrusted    @default ask target=sys-ssh-agent default_target=sys-ssh-agent
+qusal.SshAgent +untrusted @anyvm       @anyvm   deny
+```
+
+Ask access from `trusted` to use the agent `trusted` on the alternative qube agent named `sys-ssh-agent-trusted`:
+```qrexecpolicy
+qusal.SshAgent +trusted    trusted     @default ask target=sys-ssh-agent-trusted default_target=sys-ssh-agent-trusted
+qusal.SshAgent +trusted    @anyvm      @anyvm   deny
+```
+
+Always recommended to end with an explicit deny rule:
+```qrexecpolicy
+qusal.SshAgent *         @anyvm        @anyvm   deny
+```
+
+## Usage
+
+### Server
+
+#### Generate keys
+
+Keys can be selectively allocated to different ssh-agents by adding them to
+different directories under `~/.ssh/identities.d/<AGENT>`, where the `<AGENT>`
+directory should  have the same name as the agent itself. Example:
+`~/.ssh/identities.d/work`.
+
+Import preexisting keys to the agent directory or generate keys for a specific
+agent:
+```sh
+mkdir -m 0700 -p ~/.ssh/identities.d/<AGENT>
+ssh-keygen -t ed25519 -f ~/.ssh/identities.d/<AGENT>/id_example
+```
+
+You would do the following for the `work` agent:
+```sh
+mkdir -m 0700 -p ~/.ssh/identities.d/work
+ssh-keygen -t ed25519 -f ~/.ssh/identities.d/work/id_example
+```
+
+#### Limit key usage
+
+For exceptionally valuable keys you may want to limit the time that they are
+available and the agent forwarding permission to different hosts.
+
+You can set custom options by writing them to a file on the same path of the
+private key, but ending with the suffix `.ssh-add-option`. If the key is named
+`id_ed25519`, the option file should be named `id_ed25519.ssh-add-option`.
+The `.ssh-add-option` file has the following format:
+```sh
+# id_ed25519.ssh-add-option
+-q -t 600
+-h "perseus@cetus.example.org" -h "scylla.example.org"
+-h "scylla.example.org>medea@charybdis.example.org"
+```
+
+Or you can manually add the key to the agent which are not located under the
+`~/.ssh/identities.d` directory so they aren't automatically added (substitute
+AGENT, SECS, and LIFE for their appropriate values):
+```sh
+SSH_AUTH_SOCK="/run/user/1000/qubes-ssh-agent/<AGENT>.sock" ssh-add -t <SECS> -f <FILE>
+```
+
+#### Reload agent
+
+The keys are added to the agent on the first call to that specific agent.
+If you have added keys to the correct agent directory but haven't rebooted
+yet, you will have to add the keys by executing:
+```sh
+qvm-ssh-agent reload <AGENT>
+qvm-ssh-agent reload work
+```
+
+#### Debug Agent side
+
+You can list agents and their keys with:
+```sh
+qvm-ssh-agent ls <AGENT>
+```
+
+Follow SSH agents journal:
+```sh
+journalctl --user -fu qubes-ssh-agent@*.service
+```
+
+### Client
+
+#### Enable and Start the service
+
+Enable and start the connection to the SSH Agent via Qrexec for specified
+`<AGENT>`:
+```sh
+sudo systemctl --no-block restart qubes-ssh-agent-forwarder@<AGENT>.service
+sudo systemctl --no-block restart qubes-ssh-agent-forwarder@personal.service
+```
+You can start the service on boot if you place the above line
+`/rw/config/rc.local` of the client.
+
+The ssh-agent socket will be at `/tmp/qubes-ssh-agent-forwarder/<AGENT>.sock`.
+
+You can test the connection is working with:
+```sh
+SSH_AUTH_SOCK="/tmp/qubes-ssh-agent-forwarder/personal.sock" ssh-add -l
+```
+
+#### Single agent per client
+
+You might want to set the `SSH_AUTH_SOCK` and `SSH_AGENT_PID` environment
+variables to point to the `work` agent so every connection will use the same
+agent:
+```sh
+echo 'export SSH_AUTH_SOCK=/tmp/qubes-ssh-agent-forwarder/work.sock;
+SSH_AGENT_PID="$(pgrep -f "/tmp/qubes-ssh-agent-forwarder/work.sock")";
+' | tee -a ~/.profile
+```
+
+#### Multiple agents per client
+
+In case you have multiple agents that you want to use in the same client,
+messing with the environment every time you want to make a connection to a
+different agent is not an alternative. Instead, use SSH client native method,
+the `IdentityAgent` option.
+
+You can control the SSH agent via SSH command-line option:
+```sh
+ssh -o IdentityAgent=/tmp/qubes-ssh-agent-forwarder/personal.sock personal-site.com
+ssh -o IdentityAgent=/tmp/qubes-ssh-agent-forwarder/work.sock work-site.com
+```
+You can control the SSH agent via SSH configuration:
+```sshconfig
+Host personal
+        IdentityAgent /tmp/qubes-ssh-agent-forwarder/personal.sock
+        ...
+Host work
+        IdentityAgent /tmp/qubes-ssh-agent-forwarder/work.sock
+        ...
+```
+
+## Credits
+
+- [Unman](https://github.com/unman/qubes-ssh-agent)

salt/sys-ssh-agent/clone.sls

@@ -0,0 +1,8 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% from 'utils/macros/clone-template.sls' import clone_template -%}
+{{ clone_template('debian-minimal', sls_path) }}

salt/sys-ssh-agent/clone.top

@@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'dom0':
+    - match: nodegroup
+    - sys-ssh-agent.clone

salt/sys-ssh-agent/configure.sls

@@ -0,0 +1,29 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% if grains['nodename'] != 'dom0' -%}
+
+include:
+  - dev.home-cleanup
+  - dotfiles.copy-x11
+
+"{{ slsdotpath }}-create-ssh-directory":
+  file.directory:
+    - name: /home/user/.ssh
+    - mode: '0700'
+    - user: user
+    - group: user
+    - makedirs: True
+
+"{{ slsdotpath }}-create-keys-directory":
+  file.directory:
+    - name: /home/user/.ssh/identities.d
+    - mode: '0700'
+    - user: user
+    - group: user
+    - makedirs: True
+
+{% endif %}

salt/sys-ssh-agent/configure.top

@@ -0,0 +1,9 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'sys-ssh-agent':
+    - sys-ssh-agent.configure

salt/sys-ssh-agent/create.sls

@@ -0,0 +1,38 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{%- from "qvm/template.jinja" import load -%}
+
+include:
+  - .clone
+
+{% load_yaml as defaults -%}
+name: {{ slsdotpath }}
+force: True
+require:
+- sls: {{ slsdotpath }}.clone
+present:
+- template: tpl-{{ slsdotpath }}
+- label: gray
+prefs:
+- template: tpl-{{ slsdotpath }}
+- label: gray
+- netvm: ""
+- memory: 200
+- maxmem: 300
+- vcpus: 1
+features:
+- enable:
+  - servicevm
+- disable:
+  - service.cups
+  - service.cups-browsed
+  - service.tinyproxy
+{%- endload %}
+{{ load(defaults) }}
+
+{% from 'utils/macros/policy.sls' import policy_set with context -%}
+{{ policy_set(sls_path, '80') }}

salt/sys-ssh-agent/create.top

@@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'dom0':
+    - match: nodegroup
+    - sys-ssh-agent.create

salt/sys-ssh-agent/files/admin/policy/default.policy

@@ -0,0 +1,9 @@
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+## Do not modify this file, create a new policy with with a lower number in the
+## file name instead. For example `30-user.policy`.
+qusal.SshAgent * @anyvm  @default ask target={{ sls_path }} default_target={{ sls_path }}
+qusal.SshAgent * @anyvm  @anyvm   deny
+## vim:ft=qrexecpolicy

salt/sys-ssh-agent/files/client/systemd/qubes-ssh-agent-forwarder@.service

@@ -0,0 +1,18 @@
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+[Unit]
+Description=SSH Agent Forwarder to Qrexec SSH Agent %i
+
+[Service]
+User=user
+Group=user
+Type=simple
+UMask=0177
+ExecStartPre=/usr/bin/mkdir -m 700 -p %T/%p
+ExecStartPre=/usr/bin/ssh-agent -a %T/%p/%i.sock
+ExecStart=/usr/bin/socat UNIX-LISTEN:"%T/%p/%i.sock,unlink-early,reuseaddr,fork" EXEC:"qrexec-client-vm -- @default qusal.SshAgent+%i"
+
+[Install]
+WantedBy=default.target

salt/sys-ssh-agent/files/server/bin/qvm-ssh-agent

@@ -0,0 +1,76 @@
+#!/bin/sh
+
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+set -eu
+
+service="qubes-ssh-agent"
+
+usage(){
+  echo "Usage: ${0##*/} [ls|add] <AGENT>
+  ls: list agent(s)
+  add: add keys to agent(s)
+  reload: reload/readd keys from agent(s)
+Example:
+  ${0##*/} ls work      # list the work agent keys
+  ${0##*/} add work     # add keys to the work agent
+  ${0##*/} reload work  # reload/readd keys from the work agent"
+  exit 1
+}
+
+ls_agent(){
+  socket="/tmp/${service}/$agent.sock"
+  test -S "$socket" || return 1
+  agent="$(echo "$socket" | sed "s|.*${service}/||;s/\.sock//")"
+  echo "Agent: ($agent) $socket"
+  SSH_AUTH_SOCK="$socket" ssh-add -l || true
+}
+
+add_agent(){
+  # shellcheck disable=SC2174
+  mkdir -m 0700 -p "/tmp/${service}"
+  dir="$HOME/.ssh/identities.d/${agent}"
+  if ! test -d "$dir"; then
+    echo "Directory not found: $dir" >&2
+    return 1
+  fi
+  dir="${dir##*/}"
+  socket="/tmp/${service}/${dir}.sock"
+  if ! test -S "$socket"; then
+    reload_agent=1
+    ssh-agent -a "/tmp/${service}/${agent}.sock"
+  fi
+  if ! test "${reload_agent}" = "1"; then
+    return
+  fi
+  keys="$(grep -sl -- "-----BEGIN OPENSSH PRIVATE KEY-----" \
+          "$HOME/.ssh/identities.d/$dir"/* || true)"
+  if test -z "$keys"; then
+    echo "Directory has no key: $dir" >&2
+    return 1
+  fi
+  SSH_AUTH_SOCK="$socket" ssh-add -D 2>/dev/null || true
+  for k in $(printf '%s\n' "$keys"); do
+    test -f "$k" || continue
+    ssh_add_option=""
+    if test -f "$k.ssh-add-option"; then
+      ssh_add_option="$(cat "$k.ssh-add-option")"
+    fi
+    # shellcheck disable=SC2086
+    SSH_AUTH_SOCK="$socket" ssh-add $ssh_add_option "$k"
+  done
+}
+
+test -z "${2-}" && usage
+action="${1-}"
+agent="${2-}"
+reload_agent=""
+
+case "$action" in
+  ls) ls_agent;;
+  add) add_agent;;
+  reload) reload_agent="1"; add_agent;;
+  *) usage;;
+esac

salt/sys-ssh-agent/files/server/rpc/qusal.SshAgent

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+set -eu
+
+#origin="$QREXEC_REMOTE_DOMAIN"
+agent="$QREXEC_SERVICE_ARGUMENT"
+socket="/tmp/qubes-ssh-agent/${agent}.sock"
+
+qvm-ssh-agent add "${agent}" >/dev/null
+exec socat STDIO UNIX-CLIENT:"$socket"

salt/sys-ssh-agent/init.top

@@ -0,0 +1,14 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'dom0':
+    - match: nodegroup
+    - sys-ssh-agent.create
+  'tpl-sys-ssh-agent':
+    - sys-ssh-agent.install
+  'sys-ssh-agent':
+    - sys-ssh-agent.configure

salt/sys-ssh-agent/install-client.sls

@@ -0,0 +1,53 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% if grains['nodename'] != 'dom0' -%}
+
+include:
+  - ssh.install
+  - dev.home-cleanup
+  - dotfiles.copy-sh
+  - dotfiles.copy-ssh
+  - dotfiles.copy-x11
+
+"{{ slsdotpath }}-client-updated":
+  pkg.uptodate:
+    - refresh: True
+
+"{{ slsdotpath }}-client-installed":
+  pkg.installed:
+    - refresh: True
+    - install_recommends: False
+    - skip_suggestions: True
+    - pkgs:
+      - socat
+
+{% set pkg = {
+    'Debian': {
+      'pkg': ['procps'],
+    },
+    'RedHat': {
+      'pkg': ['procps-ng'],
+    },
+}.get(grains.os_family) -%}
+
+"{{ slsdotpath }}-client-installed-os-specific":
+  pkg.installed:
+    - refresh: True
+    - install_recommends: False
+    - skip_suggestions: True
+    - pkgs: {{ pkg.pkg|sequence|yaml }}
+
+"{{ slsdotpath }}-client-system-systemd-dir":
+  file.recurse:
+    - source: salt://{{ slsdotpath }}/files/client/systemd/
+    - name: /usr/lib/systemd/system/
+    - dir_mode: '0755'
+    - file_mode: '0644'
+    - user: root
+    - group: root
+
+{% endif %}

salt/sys-ssh-agent/install-client.top

@@ -0,0 +1,9 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  '*':
+    - sys-ssh-agent.install-client

salt/sys-ssh-agent/install.sls

@@ -0,0 +1,61 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% if grains['nodename'] != 'dom0' -%}
+
+include:
+  - ssh.install
+  - dev.home-cleanup
+  - dotfiles.copy-sh
+  - dotfiles.copy-ssh
+  - dotfiles.copy-x11
+
+"{{ slsdotpath }}-updated":
+  pkg.uptodate:
+    - refresh: True
+
+"{{ slsdotpath }}-installed":
+  pkg.installed:
+    - refresh: True
+    - install_recommends: False
+    - skip_suggestions: True
+    - pkgs:
+      - socat
+
+"{{ slsdotpath }}-agent-bin-dir":
+  file.recurse:
+    - source: salt://{{ slsdotpath }}/files/server/bin
+    - name: /usr/bin
+    - file_mode: '0755'
+    - user: root
+    - group: root
+
+"{{ slsdotpath }}-install-rpc-service":
+  file.managed:
+    - name: /etc/qubes-rpc/qusal.SshAgent
+    - source: salt://{{ slsdotpath }}/files/server/rpc/qusal.SshAgent
+    - mode: '0755'
+    - user: root
+    - group: root
+    - makedirs: True
+
+"{{ slsdotpath }}-skel-create-ssh-directory":
+  file.directory:
+    - name: /etc/skel/.ssh
+    - mode: '0700'
+    - user: user
+    - group: user
+    - makedirs: True
+
+"{{ slsdotpath }}-skel-create-keys-directory":
+  file.directory:
+    - name: /etc/skel/.ssh/identities.d
+    - mode: '0700'
+    - user: root
+    - group: root
+    - makedirs: True
+
+{% endif -%}

salt/sys-ssh-agent/install.top

@@ -0,0 +1,9 @@
+{#
+SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'tpl-sys-ssh-agent':
+    - sys-ssh-agent.install