shaker/qubes-ssh-agent.spec

Name: 3isec-qubes-sys-ssh-agent
Version: 1.3
Release: 2%{?dist}
Summary: Create a service qube to hold ssh-agents
License: GPLv3+
SOURCE0: qubes-ssh-agent
%description
This package sets up a qube called sys-ssh-agent, to hold ssh keys.
It is ideal for use cases where you have a number of key pairs, which
are used by different qubes.
The keypairs are stored in the offline sys-ssh-agent server, and requests
are passed from clients to the server via qrexec.
Clients may access the same ssh-agent, or access different agents.
Access is controlled via the dom0 policy file, /etc/qubes/policy.d/30-user.policy
The client does not know the identity of the ssh-agent server, nor are
keys kept in memory in the client.
All configuration of keys, and unlocking of keys, where they are password
protected, is done in the ssh-agent server, using standard ssh-agent
controls.
Keys can be selectively allocated to different ssh-agents.
You can create multiple ssh-agents holding different combinations of ssh keys.
This allows you to access different key sets from different qubes.
By default an ssh-agent called "work" is provided in sys-ssh-agent.
Helper scripts are provided to create new ssh-agents.
You can create other qubes to hold other ssh-agents if you want, for
maximum compartmentalisation.
Simply clone sys-ssh-agent and edit the ssh-agents.
Removing this package will NOT delete the qubes, but will remove the
entry in /etc/qubes/policy.d/50-
%install
rm -rf %{buildroot}
mkdir -p %{buildroot}/srv/salt
cp -rv %{SOURCE0}/ %{buildroot}/srv/salt
%files
%defattr(-,root,root,-)
/srv/salt/qubes-ssh-agent/*
%post
# $1 is the number of instances of this package left after the transaction:
# 1 on a fresh install, 2 or more on an upgrade. Only build the qubes on fresh install.
if [ "$1" -eq 1 ]; then
qubesctl state.apply qubes-ssh-agent.create
qubesctl --skip-dom0 --targets=template-ssh-agent state.apply qubes-ssh-agent.configure_template
qubesctl --skip-dom0 --targets=sys-ssh-agent state.apply qubes-ssh-agent.configure
fi
%postun
# $1 is 0 on full removal and 1 on upgrade; only strip the policy entry on removal.
# This deletes every line in that file that mentions qubes.SshAgent, so keep any
# hand-written rules in a separate file (e.g. 30-user.policy) rather than here.
if [ "$1" -eq 0 ]; then
sed -i /qubes.SshAgent/d /etc/qubes/policy.d/50-config-splitssh.policy
fi
%changelog
* Wed Jun 12 2024 unman <unman@thirdeyesecurity.org> - 1.3
- Upgrade template to debian-12-minimal
* Mon Feb 20 2023 unman <unman@thirdeyesecurity.org> - 1.2
- Use pillar for cacher to determine repo changes
* Mon Jun 06 2022 unman <unman@thirdeyesecurity.org> - 1.1
- Update post scripts
* Sun May 22 2022 unman <unman@thirdeyesecurity.org> - 1.0
- First Build
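The description above says that which client qube may reach which ssh-agent is decided by the dom0 policy file rather than by the client, and that the client never learns the agent server's identity. The fragment below is an added illustration of what such a policy file could look like in the Qubes 4.1+ policy format; it is not shipped by this package. The qube names dev-work and dev-personal, the agent name personal, and the use of the qrexec argument (the part after +) to select which agent in sys-ssh-agent answers are assumptions for the example; the spec itself only fixes the service name qubes.SshAgent and the default agent "work".

```text
# /etc/qubes/policy.d/30-user.policy  (example rules, assumed layout)
#
# Column order: service  +argument  source  destination  action [params]
# Policy files are evaluated in lexical filename order and the first
# matching rule wins, so these rules take precedence over anything in
# 50-config-splitssh.policy.

# dev-work asks for agent "work". It calls the placeholder target @default
# and the policy redirects the call to sys-ssh-agent, so the client never
# sees the real server name.
qubes.SshAgent  +work      dev-work      @default  allow target=sys-ssh-agent

# dev-personal gets a separate agent holding a different key set (assumed
# to have been created with the package's helper scripts).
qubes.SshAgent  +personal  dev-personal  @default  allow target=sys-ssh-agent

# Everything else is refused: no other qube may talk to any agent,
# and no client may request an agent it was not explicitly granted.
qubes.SshAgent  *          @anyvm        @anyvm    deny
```

Keeping user rules in 30-user.policy (as the description suggests) rather than in 50-config-splitssh.policy matters on removal: the %postun scriptlet deletes every qubes.SshAgent line from the latter file, so rules placed there would vanish silently when the package is uninstalled. The trailing deny rule is what turns the per-client grants into a whitelist; without it, a later file could still allow a broader match.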