Split-ssh with whonix as client & debian-minimal as vault revisions

Revision #5

Edited on 2025-05-26
Edited by user Raphael
# print the following below print the following
# while you wait create a policy # while you wait open a terminal & create a policy

Revision #4

Edited on 2025-05-26
Edited by user Raphael
# split-ssh setup end result will yield client: whonix-workstation - dispsvm vault: debian-12-minimal - appvm starting client vm will automatically prompt for vault vm choosing the vault cm will automatically start vault vm and prompt for password # before you start update or install & update debian-12-minimal & whonix-workstation-17 # create script
# the following instructions will install split-ssh # client-vm will be based off whonix-workstation-17 # client-vm is disposable # vault-vm will be based off debian-12-minimal # keys will be retrieved automatically with 2 prompts when starting disp client vm # update or install and update debian-12-minimal & whonix-workstation-17 # create script
# print the following below ``` # print the following below ```
qvm-prefs disp-ssh netvm sys-whonix # end print # # save & exit # # run qvm-prefs disp-ssh netvm sys-whonix ``` # save & exit # run the script ```
# # take a beer while everything is getting installed # # the next steps are what needs to be done manually # ``` # while you wait create a policy ```
```
```
# end print # ``` # save & exit # open a terminal ```
``` # generate key ```
# hit enter on the first prompt and enter a password on the second prompt ``` hit enter on the first prompt enter a password on the second prompt # copy the public key to the client vm ```
``` ```
# ``` # open a terminal ```
``` output the key in terminal ```
# copy the key and paste it to wherever is appropriate for you use ``` copy the key and paste it to wherever is appropriate # shutdown the qube ```
# ``` # now run the dispvm ```
# you will be prompted to select vault qube # you will be prompted to enter password ``` you will be prompted to select vault qube you will be prompted to enter the password this will be the only thing to do to retrieve the keys
```

Revision #3

Edited on 2025-05-26
Edited by user parulin
```
xfce4-terminal: ssh user@ip.adressxfce4-terminal: ssh user@ip.adress ```

Revision #2

Edited on 2025-05-26
Edited by user Raphael
# client-vm is disposable
# keys will be retrieved automatically with 2 prompts # keys will be retrieved automatically with 2 prompts when starting disp client vm
# dom0: nano ~/ssh-setup.sh dom0: nano ~/ssh-setup.sh
qvm-prefs disp-ssh netvm sys-whonix-obfs4 qvm-prefs disp-ssh netvm sys-whonix
# dom0: chmod 700 ~/ssh-setup.sh # dom0: ~/ssh-setup.sh dom0: chmod 700 ~/ssh-setup.sh dom0: ~/ssh-setup.sh
# dom0: nano /etc/qubes/policy.d/50-ssh.policy dom0: nano /etc/qubes/policy.d/50-ssh.policy
# qubes.SshAgent * disp-ssh @default ask default_target=> # qubes.SshAgent * disp-ssh app-ssh-keyring ask # qubes.SshAgent * @anyvm app-ssh-keyring deny qubes.SshAgent * disp-ssh @default ask default_target=> qubes.SshAgent * disp-ssh app-ssh-keyring ask qubes.SshAgent * @anyvm app-ssh-keyring deny
# dom0: qvm-run app-ssh-keyring xterm # xterm: ssh-keygen -t ed25519 -a 500 dom0: qvm-run app-ssh-keyring xterm xterm: ssh-keygen -t ed25519 -a 500
# xterm: qvm-copy-to-vm disp-ssh /home/user/.ssh/id_ed25519.pub # xterm: exit xterm: qvm-copy-to-vm disp-ssh /home/user/.ssh/id_ed25519.pub xterm: exit
# dom0: qvm-run disp-ssh xfce4-terminal # xfce4-terminal: cat /home/user/.ssh/id_ed25519.pub dom0: qvm-run disp-ssh xfce4-terminal xfce4-terminal: cat /home/user/QubesIncoming/app-ssh-keyring/id_ed25519.pub
# dom0: qvm-shutdown app-ssh-keyring disp-ssh dom0: qvm-shutdown app-ssh-keyring disp-ssh
# dom0: qvm-run disp-ssh xfce4-terminal dom0: qvm-run disp-ssh xfce4-terminal
# # xfce4-terminal: ssh user@ip.adress# example to establish connection xfce4-terminal: ssh user@ip.adress
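
Review bot: in the policy written to /etc/qubes/policy.d/50-ssh.policy, the first rule ends in `default_target=>` with no qube named after the equals sign, so as shown the ask prompt for `disp-ssh` has no preselected vault. If `app-ssh-keyring` is the intended target, name it in that rule, or say explicitly that the reader fills the value in. The final `@anyvm app-ssh-keyring deny` line is correctly placed after the two `ask` rules, and it is worth one sentence in the guide saying that the order matters. The last step also still reads `ssh user@ip.adress`; the placeholder should be spelled `ip.address`.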