Split-ssh with whonix as client & debian-minimal as vault

Original forum link: https://forum.qubes-os.org/t/34096
Original poster: Raphael
Editors: parulin, Raphael
Created at: 2025-05-26 15:26:23
Last wiki edit: 2025-05-26 22:18:21
Revisions: 4
Posts count: 8
Likes count: 3

split-ssh setup

end result: client: whonix-workstation (dispvm); vault: debian-12-minimal (appvm). starting the client vm will automatically prompt for the vault vm; choosing the vault vm will automatically start it and prompt for the password

before you start

install (if needed) and update the debian-12-minimal and whonix-workstation-17 templates

create script

dom0: nano ~/ssh-setup.sh
enter the following
#!/bin/sh
# vault template: clone debian-12-minimal and install socat (relays the agent
# socket), ssh-askpass-gnome (graphical passphrase prompt) and libnotify-bin
# (notify-send); the install script is run as root inside the template
qvm-clone debian-12-minimal deb-12-mini-ssh-keyring
echo 'sudo apt-get -y install socat ssh-askpass-gnome libnotify-bin' > ~/ssh.sh
chmod 700 ~/ssh.sh
qvm-move-to-vm deb-12-mini-ssh-keyring ~/ssh.sh
qvm-run -u root deb-12-mini-ssh-keyring /home/user/QubesIncoming/dom0/ssh.sh
# qubes.SshAgent RPC service: show which qube is requesting agent access, then
# relay the qrexec connection to the vault's own ssh-agent socket; the shebang
# must be the first line of the file for qrexec to execute it
echo '#!/bin/sh
notify-send "[$(qubesdb-read /name)] SSH agent access from: $QREXEC_REMOTE_DOMAIN"
socat - "UNIX-CONNECT:$SSH_AUTH_SOCK"' > ~/qubes.SshAgent
chmod 700 ~/qubes.SshAgent
qvm-move-to-vm deb-12-mini-ssh-keyring ~/qubes.SshAgent
qvm-run -u root deb-12-mini-ssh-keyring "sudo mv /home/user/QubesIncoming/dom0/qubes.SshAgent /etc/qubes-rpc/qubes.SshAgent"
qvm-run deb-12-mini-ssh-keyring "rm -r /home/user/QubesIncoming"
qvm-shutdown deb-12-mini-ssh-keyring

# client template: clone whonix-workstation-17 and install the ssh client
qvm-clone whonix-workstation-17 workstation-ssh
echo 'sudo apt-get -y install openssh-client' > ~/ssh.sh
chmod 700 ~/ssh.sh
qvm-move-to-vm workstation-ssh ~/ssh.sh
qvm-run workstation-ssh /home/user/QubesIncoming/dom0/ssh.sh
# Xsession.d snippet: at every login, point SSH_AUTH_SOCK at a local socket and
# let socat forward each connection to the vault over qrexec (the dom0 policy
# decides whether the call is allowed)
echo '#
SSH_VAULT_VM="app-ssh-keyring"
export SSH_AUTH_SOCK=/tmp/ssh-agent-$SSH_VAULT_VM
rm -f $SSH_AUTH_SOCK
umask 177 && socat "UNIX-LISTEN:$SSH_AUTH_SOCK,fork" "EXEC:qrexec-client-vm $SSH_VAULT_VM qubes.SshAgent" &' > ~/90x11-common_ssh-agent
qvm-move-to-vm workstation-ssh ~/90x11-common_ssh-agent
qvm-run workstation-ssh "sudo mv /home/user/QubesIncoming/dom0/90x11-common_ssh-agent /etc/X11/Xsession.d/90x11-common_ssh-agent"
qvm-run workstation-ssh "rm -r /home/user/QubesIncoming"
qvm-shutdown workstation-ssh

# vault appvm: autostart "ssh-add -c" so the key is loaded at boot (after the
# passphrase prompt) and every later use of it must be confirmed in the vault
qvm-create -C AppVM -l blue -t deb-12-mini-ssh-keyring app-ssh-keyring
echo '#
[Desktop Entry]
Name=ssh-add
Exec=ssh-add -c
Type=Application' > ~/ssh-add.desktop
qvm-move-to-vm app-ssh-keyring ~/ssh-add.desktop
qvm-run app-ssh-keyring "mkdir -p /home/user/.config/autostart"
qvm-run app-ssh-keyring "mv /home/user/QubesIncoming/dom0/ssh-add.desktop /home/user/.config/autostart/ssh-add.desktop"
qvm-run app-ssh-keyring "rm -r /home/user/QubesIncoming"
qvm-shutdown app-ssh-keyring

# disposable template for the client: no network of its own; "ssh-add -L" at
# login makes the first agent request, which starts the vault via the policy
qvm-create -C AppVM -l yellow -t workstation-ssh workstation-dvm-ssh
qvm-prefs workstation-dvm-ssh template_for_dispvms true
qvm-prefs workstation-dvm-ssh netvm none
echo '#
[Desktop Entry]
Name=ssh-add
Exec=ssh-add -L
Type=Application' > ~/ssh-add.desktop
qvm-move-to-vm workstation-dvm-ssh ~/ssh-add.desktop
qvm-run workstation-dvm-ssh "mkdir -p /home/user/.config/autostart"
qvm-run workstation-dvm-ssh "mv /home/user/QubesIncoming/dom0/ssh-add.desktop /home/user/.config/autostart/ssh-add.desktop"
qvm-run workstation-dvm-ssh "rm -r /home/user/QubesIncoming"
qvm-shutdown workstation-dvm-ssh

# named disposable client, networked through sys-whonix
qvm-create -C DispVM -l orange -t workstation-dvm-ssh disp-ssh
qvm-prefs disp-ssh netvm sys-whonix

save & exit

run the script

dom0: chmod 700 ~/ssh-setup.sh
dom0: ~/ssh-setup.sh

while you wait, open a terminal & create a policy

dom0: nano /etc/qubes/policy.d/50-ssh.policy

enter the following

qubes.SshAgent  *   disp-ssh    @default    ask default_target=>
qubes.SshAgent  *   disp-ssh    app-ssh-keyring ask
qubes.SshAgent  *   @anyvm  app-ssh-keyring deny

save & exit
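To check who the policy above lets reach the vault, here is an added example (not from the original post) that evaluates the three qubes.SshAgent rules with qrexec's first-match, implicit-deny semantics. It is a simplified model: the default_target= parameter of the first rule and tokens such as @tag: or @dispvm are not handled, and the rule text and the sample calls are constructed input.

```python
# constructed copy of /etc/qubes/policy.d/50-ssh.policy from this post; the
# default_target= parameter of the first rule is left out (not modelled here)
POLICY_50_SSH = """\
qubes.SshAgent  *   disp-ssh    @default    ask
qubes.SshAgent  *   disp-ssh    app-ssh-keyring ask
qubes.SshAgent  *   @anyvm  app-ssh-keyring deny
"""


def parse_policy(text):
    """Parse 'service argument source target action' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"malformed policy line: {line!r}")
        rules.append(tuple(fields[:5]))
    return rules


def _token_matches(pattern, value):
    # @anyvm matches any named qube but not the @default placeholder;
    # real qrexec policy also knows @tag:, @type:, @dispvm, ... (not modelled)
    if pattern == "@anyvm":
        return not value.startswith("@")
    return pattern == value


def decide(rules, service, source, target, argument="+"):
    """First matching rule wins; qrexec denies when no rule matches at all."""
    for r_service, r_argument, r_source, r_target, action in rules:
        if r_service != service:
            continue
        if r_argument != "*" and r_argument != argument:
            continue
        if _token_matches(r_source, source) and _token_matches(r_target, target):
            return action
    return "deny"


if __name__ == "__main__":
    rules = parse_policy(POLICY_50_SSH)
    # constructed sample calls: the intended client, then an unrelated qube
    for src, dst in [("disp-ssh", "@default"), ("disp-ssh", "app-ssh-keyring"),
                     ("personal", "app-ssh-keyring"), ("personal", "@default")]:
        print(f"{src:>10} -> {dst:<16} {decide(rules, 'qubes.SshAgent', src, dst)}")
```

The last two sample calls show the two ways an unrelated qube is refused: explicitly by the @anyvm deny line, and implicitly when no line matches.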

open a terminal

dom0: qvm-run app-ssh-keyring xterm

generate key

xterm: ssh-keygen -t ed25519 -a 500
press enter at the first prompt (default key location); enter a password at the second prompt

copy the public key to the client vm

xterm: qvm-copy-to-vm disp-ssh /home/user/.ssh/id_ed25519.pub
xterm: exit

open a terminal

dom0: qvm-run disp-ssh xfce4-terminal
display the key in the terminal
xfce4-terminal: cat /home/user/QubesIncoming/app-ssh-keyring/id_ed25519.pub
copy the key and paste it wherever it is needed

shutdown the qube

dom0: qvm-shutdown app-ssh-keyring disp-ssh

now run the dispvm

dom0: qvm-run disp-ssh xfce4-terminal
you will be prompted to select the vault qube, then prompted to enter the password; that is all that is needed to retrieve the keys

example to establish connection

xfce4-terminal: ssh user@ip.address