the following instructions will install split-ssh

client-vm will be based off whonix-workstation-17

client-vm is disposable

vault-vm will be based off debian-12-minimal

keys will be retrieved automatically with 2 prompts when starting disp client vm

update or install and update debian-12-minimal & whonix-workstation-17

create script

dom0: nano ~/ssh-setup.sh

paste the following into the file

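#!/bin/sh
# Split-SSH setup for Qubes OS, run from dom0.
#
# Builds:
#   deb-12-mini-ssh-keyring  vault template (debian-12-minimal + socat,
#                            ssh-askpass-gnome, libnotify-bin)
#   workstation-ssh          client template (whonix-workstation-17 + ssh client)
#   app-ssh-keyring          vault AppVM: holds the key, runs qubes.SshAgent
#   workstation-dvm-ssh      offline disposable template for the client
#   disp-ssh                 named disposable client, netvm sys-whonix
#
# The qrexec policy for qubes.SshAgent is NOT written by this script; it has
# to be added by hand afterwards (see the notes that follow the script).
set -eu

VAULT_TEMPLATE="deb-12-mini-ssh-keyring"
CLIENT_TEMPLATE="workstation-ssh"
VAULT_VM="app-ssh-keyring"
CLIENT_DVM="workstation-dvm-ssh"
CLIENT_DISP="disp-ssh"

# Staging directory in dom0 for the files handed to the VMs. qvm-move-to-vm
# removes each file after the transfer; the trap removes whatever is left if
# the script stops early.
work=$(mktemp -d) || exit 1
trap 'rm -rf -- "$work"' EXIT

# Move dom0 file $2 into VM $1; it lands in /home/user/QubesIncoming/dom0/.
send_to_vm() {
  qvm-move-to-vm "$1" "$2"
}

# Install the staged ssh-add.desktop as a user autostart entry in VM $1.
install_autostart() {
  send_to_vm "$1" "$work/ssh-add.desktop"
  qvm-run "$1" "mkdir -p /home/user/.config/autostart"
  qvm-run "$1" "mv /home/user/QubesIncoming/dom0/ssh-add.desktop /home/user/.config/autostart/ssh-add.desktop"
}

# Remove the QubesIncoming leftovers in $1 and shut it down. --wait matters:
# a qube started while its template is still running is based on the
# template's previous root image, i.e. without the packages installed above.
finish_vm() {
  qvm-run "$1" "rm -r /home/user/QubesIncoming"
  qvm-shutdown --wait "$1"
}

# Vault template: agent-side packages plus the qubes.SshAgent RPC service.
setup_vault_template() {
  qvm-clone debian-12-minimal "$VAULT_TEMPLATE"

  # socat bridges the RPC stream to the agent socket, ssh-askpass-gnome
  # provides the passphrase/confirmation dialogs for ssh-add -c, and
  # libnotify-bin provides notify-send. Runs as root, so no sudo needed.
  cat > "$work/ssh.sh" <<'EOF'
#!/bin/sh
apt-get -y install socat ssh-askpass-gnome libnotify-bin
EOF
  chmod 700 "$work/ssh.sh"
  send_to_vm "$VAULT_TEMPLATE" "$work/ssh.sh"
  qvm-run --pass-io -u root "$VAULT_TEMPLATE" /home/user/QubesIncoming/dom0/ssh.sh

  # RPC service: announce the calling qube in the vault, then connect the
  # request's stdin/stdout to the local agent socket.
  cat > "$work/qubes.SshAgent" <<'EOF'
#!/bin/sh
notify-send "[$(qubesdb-read /name)] SSH agent access from: $QREXEC_REMOTE_DOMAIN"
socat - "UNIX-CONNECT:$SSH_AUTH_SOCK"
EOF
  chmod 700 "$work/qubes.SshAgent"
  send_to_vm "$VAULT_TEMPLATE" "$work/qubes.SshAgent"
  qvm-run -u root "$VAULT_TEMPLATE" \
    "mv /home/user/QubesIncoming/dom0/qubes.SshAgent /etc/qubes-rpc/qubes.SshAgent"
  finish_vm "$VAULT_TEMPLATE"
}

# Client template: ssh client plus the session hook that forwards the agent
# socket to the vault.
setup_client_template() {
  qvm-clone whonix-workstation-17 "$CLIENT_TEMPLATE"

  # socat is required by the Xsession.d hook below; listing it here is a
  # no-op if the Whonix template already ships it.
  cat > "$work/ssh.sh" <<'EOF'
#!/bin/sh
apt-get -y install openssh-client socat
EOF
  chmod 700 "$work/ssh.sh"
  send_to_vm "$CLIENT_TEMPLATE" "$work/ssh.sh"
  qvm-run --pass-io -u root "$CLIENT_TEMPLATE" /home/user/QubesIncoming/dom0/ssh.sh

  # Session hook: listen on a local socket and hand every agent connection to
  # the vault's qubes.SshAgent service over qrexec (the dom0 policy decides
  # whether it is allowed). umask 177 keeps the socket 0600; the whole
  # "umask && socat" list is backgrounded, so the umask change stays in that
  # subshell. SSH_VAULT_VM must match VAULT_VM above.
  cat > "$work/90x11-common_ssh-agent" <<'EOF'
# Split-SSH client hook: forward the local agent socket to the vault qube.
SSH_VAULT_VM="app-ssh-keyring"
export SSH_AUTH_SOCK="/tmp/ssh-agent-$SSH_VAULT_VM"
rm -f "$SSH_AUTH_SOCK"
umask 177 && socat "UNIX-LISTEN:$SSH_AUTH_SOCK,fork" "EXEC:qrexec-client-vm $SSH_VAULT_VM qubes.SshAgent" &
EOF
  send_to_vm "$CLIENT_TEMPLATE" "$work/90x11-common_ssh-agent"
  qvm-run -u root "$CLIENT_TEMPLATE" \
    "mv /home/user/QubesIncoming/dom0/90x11-common_ssh-agent /etc/X11/Xsession.d/90x11-common_ssh-agent"
  finish_vm "$CLIENT_TEMPLATE"
}

# Vault AppVM: loads the key into the agent at login; -c makes the agent ask
# for confirmation (via ssh-askpass) on every use of the key.
create_vault_vm() {
  qvm-create -C AppVM -l blue -t "$VAULT_TEMPLATE" "$VAULT_VM"
  cat > "$work/ssh-add.desktop" <<'EOF'
# Split-SSH vault: load the private key, confirm each use.
[Desktop Entry]
Name=ssh-add
Exec=ssh-add -c
Type=Application
EOF
  install_autostart "$VAULT_VM"
  finish_vm "$VAULT_VM"
}

# Offline disposable template for the client: listing the keys at login opens
# the first agent connection, which is what triggers the qrexec prompt (and,
# presumably, the start of the vault qube).
create_client_dvm() {
  qvm-create -C AppVM -l yellow -t "$CLIENT_TEMPLATE" "$CLIENT_DVM"
  qvm-prefs "$CLIENT_DVM" template_for_dispvms true
  qvm-prefs "$CLIENT_DVM" netvm none
  cat > "$work/ssh-add.desktop" <<'EOF'
# Split-SSH client: open the agent connection at login.
[Desktop Entry]
Name=ssh-add
Exec=ssh-add -L
Type=Application
EOF
  install_autostart "$CLIENT_DVM"
  finish_vm "$CLIENT_DVM"
}

# Named disposable client; its name is what the qrexec policy refers to.
create_client_disp() {
  qvm-create -C DispVM -l orange -t "$CLIENT_DVM" "$CLIENT_DISP"
  qvm-prefs "$CLIENT_DISP" netvm sys-whonix
}

main() {
  setup_vault_template
  setup_client_template
  create_vault_vm
  create_client_dvm
  create_client_disp
}

main "$@"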

end print

save & exit

run

dom0: chmod 700 ~/ssh-setup.sh
dom0: ~/ssh-setup.sh

take a beer while everything is getting installed

the next steps are what needs to be done manually

dom0: nano /etc/qubes/policy.d/50-ssh.policy

print

qubes.SshAgent * disp-ssh @default ask default_target=> qubes.SshAgent * disp-ssh app-ssh-keyring ask qubes.SshAgent * @anyvm app-ssh-keyring deny

end print

dom0: qvm-run app-ssh-keyring xterm
xterm: ssh-keygen -t ed25519 -a 500

press Enter at the first prompt (keeps the default key path) and set a passphrase at the second prompt

xterm: qvm-copy-to-vm disp-ssh /home/user/.ssh/id_ed25519.pub
xterm: exit

dom0: qvm-run disp-ssh xfce4-terminal
xfce4-terminal: cat /home/user/QubesIncoming/app-ssh-keyring/id_ed25519.pub

copy the public key and paste it wherever is appropriate for your use

dom0: qvm-shutdown app-ssh-keyring disp-ssh

dom0: qvm-run disp-ssh xfce4-terminal

you will be prompted to select vault qube

you will be prompted to enter password

example of establishing a connection

xfce4-terminal: ssh user@ip.address