Using the newer policy format and location:
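# Qubes RPC policy for the credentials service (new-style policy.d format).
# tee reads the heredoc directly; the previous `cat |` stage was redundant.
# Both arguments are allowed from any VM without a dom0 prompt; the only
# safeguard is the notify-send bubble the service raises inside the vault.
sudo tee /etc/qubes/policy.d/30-user-service-Credentials.policy >/dev/null <<'EOF'
# service , arg , source , target , action-params .
# 'allow' grants the request silently (the vault only shows a notification);
# 'ask' would require confirmation in dom0 for every request.
service.Credentials +PassInput @anyvm @anyvm allow target=credentials-vault
service.Credentials +SockInput @anyvm @anyvm allow target=credentials-vault
EOF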
Requires notify-send; might require socat.
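# Qubes RPC service installed in the vault VM. qrexec passes the service
# argument (PassInput / SockInput) in $1 and the calling VM's name in
# QREXEC_REMOTE_DOMAIN. Requires notify-send; the SockInput branch needs socat.
# Fixes: POSIX sh (dash on Debian) has no `==` in test, and the SockInput
# branch compared a constant ("is" == "isSockInput") so it could never match.
sudo tee /etc/qubes-rpc/service.Credentials >/dev/null <<'EOF'
#!/bin/sh
# callable from vm's that need cleartext credentials
# required clear-text-credentials-service-name
credentialsSubject="${1?}"

# "safeguard" - Send notification bubble (from VM) for each request.
# The policy grants the request without a dom0 prompt, so this bubble is the
# only trace the user gets; fail closed if it cannot be shown.
vaultName="$( qubesdb-read /name )"
from="${QREXEC_REMOTE_DOMAIN?}"
notify-send "[${vaultName?}] Credentials request from: ${from?}" || {
  >&2 printf 'service.Credentials: could not notify user, refusing request\n'
  exit 1
}
unset vaultName
unset from

# `case` is portable across /bin/sh implementations and rejects any
# unexpected argument instead of silently doing nothing.
case "${credentialsSubject?}" in
  PassInput)
    # callable through: qrexec-client-vm wrk-b-vault service.Credentials+PassInput
    /home/user/output_credentials.sh
    ;;
  SockInput)
    # callable through: qrexec-client-vm wrk-b-vault service.Credentials+SockInput
    # socket could be created with:
    # socat 'UNIX-LISTEN:/home/user/creds.sock,fork' 'EXEC: printf "credential\nstuff" '
    # socat 'UNIX-LISTEN:/home/user/creds.sock,fork' 'EXEC: /home/user/output_credentials.sh '
    socat - 'UNIX-CONNECT:/home/user/creds.sock'
    ;;
  *)
    >&2 printf 'service.Credentials: unknown argument: %s\n' "${credentialsSubject?}"
    exit 1
    ;;
esac
EOF
# tee creates the file 0644 root-owned; make it executable for qrexec.
sudo chmod 0755 /etc/qubes-rpc/service.Credentials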
Requires oathtool and zenity.
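# Variant 1: TOTP only. Asks for the base32 seed in a zenity dialog and prints
# the current TOTP (no trailing newline) to stdout. Requires oathtool and zenity.
# Fixes: the heredoc was never closed (everything below it would have been
# written into the script), the script had no shebang, and a cancelled or
# empty dialog went on to call oathtool with an empty seed.
sudo tee /home/user/output_credentials.sh >/dev/null <<'EOF'
#!/bin/sh
# asking for seed before password, because
# return is pipe (`|`) separated & seed should be free of that character .
seed="$(
DISPLAY=:0 zenity \
--title "One Time Password Seed" \
--text "Token" \
--entry \
;
)"
# `:?` aborts on an empty seed too (dialog cancelled), not only when unset.
# NOTE(review): the seed is handed to oathtool as an argument, so it is
# briefly visible in the process list of this VM.
timeBasedOneTimePassword="$( oathtool --totp --base32 "${seed:?}" )"
unset seed
printf '%s' "${timeBasedOneTimePassword?}"
unset timeBasedOneTimePassword
EOF
# tee creates the file 0644 root-owned; the service must be able to run it.
sudo chmod 0755 /home/user/output_credentials.sh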
Requires oathtool and zenity.
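# Variant 2: password + TOTP. One zenity form asks for the base32 seed and the
# password and prints password immediately followed by the current TOTP (no
# separator, no trailing newline) to stdout. Requires oathtool and zenity.
# Fixes: the heredoc was never closed, the script had no shebang, and a
# cancelled or empty form went on to call oathtool with an empty seed.
sudo tee /home/user/output_credentials.sh >/dev/null <<'EOF'
#!/bin/sh
# asking for seed before password, because
# return is pipe (`|`) separated & seed should be free of that character .
input="$(
DISPLAY=:0 zenity --forms \
--title "Creds" \
--text "Input Credentials" \
--add-entry "One Time Password Seed" \
--add-entry "Password" \
;
)"
# Split on the first '|' only: the seed must not contain one, the password
# may (everything after the first '|' is kept as the password).
seed="${input%%|*}"
password="${input#*|}"
unset input
# `:?` aborts on an empty seed too (dialog cancelled), not only when unset.
# NOTE(review): the seed is handed to oathtool as an argument, so it is
# briefly visible in the process list of this VM.
timeBasedOneTimePassword="$( oathtool --totp --base32 "${seed:?}" )"
# Debug line; keep it commented out, it prints the password and seed to stderr.
#>&2 printf "Password: %s\nTime Based One Time Password (TOTP): %s\nSeed used for TOTP: %s" "${password?}" "${timeBasedOneTimePassword?}" "${seed?}"
unset seed
printf '%s%s' "${password?}" "${timeBasedOneTimePassword?}"
unset timeBasedOneTimePassword
unset password
EOF
# tee creates the file 0644 root-owned; the service must be able to run it.
sudo chmod 0755 /home/user/output_credentials.sh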
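#aka trusted software/externals
# Pick the package manager that is actually present. Previously both
# assignments ran unconditionally, so the dnf line always won, even on Debian.
if command -v apt >/dev/null 2>&1; then
  cmds_install='sudo apt install --yes'           # debian
elif command -v dnf >/dev/null 2>&1; then
  cmds_install='sudo dnf install --assume-yes'    # fedora
else
  >&2 printf 'No supported package manager found (apt or dnf).\n'
  exit 1
fi
# debian & fedora package names are the same #afaik
# package names listed on new lines to allow for vim to :'<,'>sort
# shellcheck disable=SC2086 -- cmds_install is a command plus its options, word-splitting is intended
${cmds_install?} \
oathtool \
socat \
zenity \
;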
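# Check that notify-send (the service's only safeguard) is available.
# Fixes: `prinf` was a typo, so nothing was ever printed. The subshell is kept
# on purpose: these lines are meant to be pasted into an interactive shell,
# where a bare `exit 1` would close the terminal; as a result this is a
# warning only and does not stop the following commands.
(
  command -v notify-send >/dev/null 2>&1 ||
  {
    >&2 printf 'Missing required notify-send.\n'
    exit 1
  }
)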