mirror of https://github.com/PrivSec-dev/privsec.dev synced 2024-12-22 12:51:34 -05:00

Mention SSH Control

Signed-off-by: tommytran732 <contact@tommytran.io>
tommytran732 2022-08-13 23:12:16 -04:00
parent 4a00b7ec5b
commit be8b5a7cff
No known key found for this signature in database
GPG Key ID: 060B29EB996BD9F2
2 changed files with 8 additions and 4 deletions


@ -19,14 +19,18 @@ Note that if you already have a PGP key with a passphrase, you can remove it by
This part is based on the Qubes Community's [guide](https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/split-ssh.md); however, I will deviate from it to use the PGP keys for SSH instead of generating a new key pair. This part is based on the Qubes Community's [guide](https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/split-ssh.md); however, I will deviate from it to use the PGP keys for SSH instead of generating a new key pair.
In `dom0`: ### In `dom0`
- Create `/etc/qubes-rpc/policy/qubes.SshAgent` with `@anyvm @anyvm ask,default_target=vault` as the content. Since the keys ar not passphrase protected, you should **not** set the policy to allow. - Create `/etc/qubes-rpc/policy/qubes.SshAgent` with `@anyvm @anyvm ask,default_target=vault` as the content. Since the keys ar not passphrase protected, you should **not** set the policy to allow.
In `vault` AppVM: ### In `vault` AppVM:
- Add `enable-ssh-support` to the end of `~/.gnupg/gpg-agent.conf` - Add `enable-ssh-support` to the end of `~/.gnupg/gpg-agent.conf`
- Get your keygrip with `gpg --with-keygrip -k`
- Add your keygrip to the end of `~/.gnupg/sshconrol`
In `vault`'s TemplateVM: ~[PGP Keygrip](/images/keygrip.png)
### In `vault`'s TemplateVM:
- Create `/etc/qubes-rpc/qubes.SshAgent` with the following content: - Create `/etc/qubes-rpc/qubes.SshAgent` with the following content:
```bash ```bash
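Review bot: The added step "Add your keygrip to the end of `~/.gnupg/sshconrol`" misspells the filename. gpg-agent reads `~/.gnupg/sshcontrol`, so a reader who copies this path creates a file the agent never consults, and the key will not be offered over the SSH agent socket. Please change it to `sshcontrol`. On the next added line, `~[PGP Keygrip](/images/keygrip.png)` starts with `~` where Markdown image syntax needs `!`, so the screenshot added in this commit will render as a plain link with a stray tilde. Since `gpg --with-keygrip -k` prints a keygrip for every key and subkey, it would also help to say in that step which keygrip the reader should copy. While this line is being touched, the unchanged `dom0` bullet still reads "the keys ar not passphrase protected"; "ar" should be "are".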
@ -48,7 +52,7 @@ socat - "UNIX-CONNECT:$SSH_AUTH_SOCK"
- Make it executable with `sudo chmod +x /etc/qubes-rpc/qubes.SshAgent` - Make it executable with `sudo chmod +x /etc/qubes-rpc/qubes.SshAgent`
- Turn off the templateVM. If the `vault` VM is running, turn it off, then start it to update the VM's configuration. - Turn off the templateVM. If the `vault` VM is running, turn it off, then start it to update the VM's configuration.
In `ssh-client` AppVM: ### In `ssh-client` AppVM:
- Add the following to the end of `/rw/config/rc.local`: - Add the following to the end of `/rw/config/rc.local`:
```bash ```bash
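Review bot: The new heading `### In `ssh-client` AppVM:` keeps the trailing colon from the old plain-text label, as do the `vault` AppVM and `vault`'s TemplateVM headings in the previous hunk, while `### In `dom0`` drops it. Please pick one form for all four; headings normally read better without the colon. The unchanged bullet above it writes "templateVM" where the heading writes "TemplateVM", which could be aligned in the same pass.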

BIN
static/images/keygrip.png Normal file

Binary file not shown.

Size: 48 KiB