add the ability to set an 'autoaccept' window to avoid constant re-prompts #5
mig5 wants to merge 5 commits into henn:master
…ompts if client VM policy is set to 'allow' in dom0, similar to QUBES_GPG_AUTO_ACCEPT in Split-GPG
…ther than on the ssh vault, so that it may differ per client
I worked out how to send args from the client side properly (suffix +$ARGS, which is interpreted as $QREXEC_SERVICE_ARGUMENT on the server side). So now this is much more useful: no hardcoding of the $QUBES_SSH_AGENT_AUTOACCEPT in the vault, it is sent from the client (if at all), meaning that different client VMs can set different autoaccept windows. The default remains: no autoaccept at all, but settable in the /rw/config/rc.local along with the name of the vault. And obviously autoaccept is only worthwhile if you've set the policy to 'allow' for that client VM in the dom0, or you'll get 2 prompts. So it works like Split GPG in that respect.
…mp variable inside the conditional since that's where it's used
Beware, qrexec policies only have one arg, and the arg can only be easily used for one thing. If this is what you want to use it for, then it cannot be easily used for other things later (like to identify the key fingerprint or so) without breaking backwards compat.
This is more of a proof-of-concept that suits my needs, but it may interest others
This change adds the ability to set QUBES_SSH_AGENT_AUTOACCEPT in the vault's /etc/qubes-rpc/qubes.SshAgent file.
If this is set, the user will be prompted to 'allow' access for that number of seconds. If they have not connected to the agent (e.g. made an SSH request) in more than that number of seconds, they get prompted again.
This allows you to set the client VM to 'always' in the /etc/qubes-rpc/policy/qubes.SshAgent on the dom0, but still get occasional re-prompts - just not every single time (I make a lot of SSH requests!).
In other words this is similar to the QUBES_GPG_AUTO_ACCEPT variable in Split-GPG to avoid constant prompting.
The only downside, though, is that this is currently set on the vault (server) side, which means it is not configurable per client VM. I experimented with the 'local command' part of qrexec-client-vm and was able to send client-side variables that were read by the vault, but I couldn't then get the rest of the ncat functionality to work as expected due to the change in stdout.
I think to allow different autoaccepts per client would mean writing a more sophisticated set of scripts/services like Split GPG. Hence it's a PoC as it's probably not going to work for everyone. On the other hand, it's disabled by default, so maybe it's OK to merge in just for people who need it.
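Once the window travels in the service argument, as the first comment above describes, the vault receives it from the client VM and has to treat it as untrusted input. An added sketch (not code from this PR) of how a vault-side script could validate and cap that value and apply the idle-time check; the function names, the `MAX_WINDOW` ceiling and the stamp-file layout are assumptions.

```shell
#!/bin/sh
# Added example, not the PR's code. validate_window, needs_prompt, decide,
# MAX_WINDOW and the stamp file are hypothetical names.

MAX_WINDOW=3600   # assumed ceiling in seconds, chosen by the vault owner

# validate_window ARG -> prints the window to honour; 0 means "always prompt".
validate_window() {
    case $1 in
        ''|*[!0-9]*|0?*) echo 0; return ;;   # empty, non-numeric, leading zero
    esac
    # Overlong or oversized values are capped, never passed through.
    if [ "${#1}" -gt 9 ] || [ "$1" -gt "$MAX_WINDOW" ]; then
        echo "$MAX_WINDOW"
    else
        echo "$1"
    fi
}

# needs_prompt WINDOW STAMP_FILE NOW -> exit status 0 if the user must be asked.
needs_prompt() {
    window=$1 stamp=$2 now=$3
    [ "$window" -gt 0 ] || return 0              # autoaccept disabled
    [ -f "$stamp" ] || return 0                  # this client was never approved
    last=$(cat "$stamp")
    case $last in ''|*[!0-9]*) return 0 ;; esac  # corrupt stamp: fail closed
    [ "$last" -le "$now" ] || return 0           # stamp in the future: fail closed
    [ $((now - last)) -gt "$window" ]            # idle for more than the window
}

# decide ARG STAMP_FILE NOW -> prints "prompt" or "autoaccept".
# A real service would show the dialog on "prompt" and record the time only
# after the user approves; approval is assumed here so the flow can be traced.
decide() {
    window=$(validate_window "$1")
    if needs_prompt "$window" "$2" "$3"; then
        echo prompt
    else
        echo autoaccept
    fi
    # The stamp records the last connection, so the window slides with use.
    if [ "$window" -gt 0 ]; then echo "$3" > "$2"; fi
}

# In the service (assumed layout, one stamp per client VM):
#   decide "$QREXEC_SERVICE_ARGUMENT" "$STAMP_DIR/$QREXEC_REMOTE_DOMAIN" "$(date +%s)"
```

Because the stamp is refreshed on every connection, a client that connects more often than its window is never re-prompted; the cap bounds the idle time, not the total time since the last approval.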