Git-Mirrors/qusal
1
0
Fork 0
mirror of https://github.com/ben-grande/qusal.git synced 2024-10-01 02:35:49 -04:00
Code Issues Packages Projects Releases Wiki Activity
224312ed42
qusal/salt/sys-ssh
History
Ben Grande 383c840f2f
doc: lint markdown files 
Only way to have a unified markdown syntax is to enforce the wanted
syntax by linting the files. Don't rely on the many markdown syntaxes,
be consistent.
2024-07-04 17:27:31 +02:00
..
files refactor: prefer systemd sockets over socat 2024-06-25 22:16:26 +02:00
clone.sls refactor: initial commit 2023-11-13 14:33:28 +00:00
clone.top refactor: initial commit 2023-11-13 14:33:28 +00:00
create.sls refactor: prefer systemd sockets over socat 2024-06-25 22:16:26 +02:00
create.top refactor: initial commit 2023-11-13 14:33:28 +00:00
init.top refactor: prefer systemd sockets over socat 2024-06-25 22:16:26 +02:00
install-client.sls refactor: prefer systemd sockets over socat 2024-06-25 22:16:26 +02:00
install-client.top refactor: initial commit 2023-11-13 14:33:28 +00:00
install.sls refactor: prefer systemd sockets over socat 2024-06-25 22:16:26 +02:00
install.top refactor: initial commit 2023-11-13 14:33:28 +00:00
README.md doc: lint markdown files 2024-07-04 17:27:31 +02:00
version fix: generate RPM Specs for Qubes Builder V2 2024-06-21 17:00:06 +02:00

README.md

sys-ssh

SSH over Qrexec in Qubes OS.

Table of Contents

Description

Creates a SSH server qube named "sys-ssh" to be a central document store to which other qubes have access with SSH File Transfer Protocol, using the tool sshfs. This is a simple tool that allows individual qubes to mount a another qube's filesystem rather than using qvm-copy or qvm-move.

The greatest problem with the Rsync solution is that it makes copies of the files or directories. This may be fine with a small amount of data, but with large files, or large numbers of files, there's a significant overhead. SSH File Transfer Protocol provides a way for clients to access files on the server qube directly.

Installation

  • Top:
sudo qubesctl top.enable sys-ssh
sudo qubesctl --targets=tpl-sys-ssh,sys-ssh state.apply
sudo qubesctl top.disable sys-ssh
  • State:
sudo qubesctl state.apply sys-ssh.create
sudo qubesctl --skip-dom0 --targets=tpl-sys-ssh state.apply sys-ssh.install

Install on the client template:

sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-ssh.install-client

The client qube requires the SSH forwarder service to be enabled:

qvm-features QUBE service.ssh-client 1

Access Control

A qusal.Ssh service is created to allow use of SSH over Qrexec. The default policy asks if you want to connect with the sys-ssh qube.

If you want to allow SSH between qubes, insert in you user policy file /etc/qubes/policy.d/30-user.policy to allow the service using the following format:

qusal.Ssh   * SOURCE @default allow target=TARGET

When the client can change the data on the server, it can also possibly compromise the server or at least make it hold malicious files and propagate the malicious data with clients it is connected to.

Usage

Server

It is possible to constrain access to files on the server, using (e.g) SSH chroots and access control mechanisms. This is left for the user to configure.

Passwordless login through empty passwords are allowed when the host matches 127.0.0.1, it makes no sense to restrict the access if the Qrexec call was already permitted.

Client

The SSH connection is available with the socket localhost:1840.

From the client, mount the server /home/user directory as a SSH File System in the client /home/user/sshfs directory:

mkdir ~/sshfs
sshfs -p 1840 localhost:/home/user /home/user/sshfs

Credits