Dealing with ssh

[lok...@gmail.com]

What is the best way to handle ssh in Qubes?

I have a set of machines I often log in to remotely, and I want to make sure the sessions (as well as the private keys) are protected from vulnerabilities in other applications.

Currently I have set of a dedicates ssh qube from which I run all my ssh sessions. I've also set its firewall to only allow access to the machines I normally connect to.

Is there a better way to handle this? Ideally, I'd like to be able to use dispvms for ssh, but how would I handle the private keys?

How do other people do this?

Regards,
Elias

[cooloutac]

I do it same as you, a seperate qube allowed only access to the server I ssh into. I use regular ssh command from terminal. You can save key or password in vault vm if you want and copy and paste it. But I don't bother cause I have it in .ssh folder anyways.

[cooloutac]

if you want to use the key in adispvm folder you can probably put it in the internal dvm.

[cooloutac]

I wouldn;t want to do this though cause iI use dispvm for untrusted tasks and wouldn't want key in there.

[Jean-Philippe Ouellet]

I have a dedicated minimal template used only for SSHing into remote
machines. Basically fedora-24-minimal template clone with only
openssh-client installed, and separate AppVMs based on that for
different groups of servers I log into from there with respective SSH
keys in each. This way if one machine compromised my template via e.g.
arcane terminal escapes or something, it shouldn't gain lateral access
to other machines belonging to different organizations that I also
have access to.