henn · mig5 · May 17, 2017 · May 17, 2017 · May 17, 2017 · May 17, 2017
diff --git a/qubes.SshAgent b/qubes.SshAgent
@@ -1,3 +1,44 @@
 #!/bin/sh
 
+if [ ! -z $QREXEC_SERVICE_ARGUMENT ]; then
+  QUBES_SSH_AGENT_AUTOACCEPT=$QREXEC_SERVICE_ARGUMENT
+
+  # Current time
+  NOW=$(date +"%s")
+
+  # Make a run dir
+  sudo mkdir -p /var/run/qubes-ssh-agent
+  sudo chown user:user /var/run/qubes-ssh-agent
+
+  # Touch a stat file
+  touch /var/run/qubes-ssh-agent/${QREXEC_REMOTE_DOMAIN}.stat
+
+  # Last time we connected to the agent?
+  read LASTTIMESTAMP < /var/run/qubes-ssh-agent/${QREXEC_REMOTE_DOMAIN}.stat
+  if [ $? -eq 1 ]; then
+   LASTTIMESTAMP=$(($QUBES_SSH_AGENT_AUTOACCEPT +1 ))
+  fi
+
+  # Compare the two timestamps
+  TIMEDIFF=$(( $NOW - $LASTTIMESTAMP ))
+
+  # If it's been too long, prompt the user
+  if [ $TIMEDIFF -gt $QUBES_SSH_AGENT_AUTOACCEPT ]; then
+    zenity --question --text "Do you wish to allow $QREXEC_REMOTE_DOMAIN to access your SSH agent \
+(now and for the following $QUBES_SSH_AGENT_AUTOACCEPT seconds)?"
+
+    case $? in
+      0) 
+        echo $NOW > /var/run/qubes-ssh-agent/${QREXEC_REMOTE_DOMAIN}.stat
+        ;; 
+      *)
+        exit 1
+        ;; 
+    esac
+  # Otherwise, proceed as normal
+  else
+    echo $NOW > /var/run/qubes-ssh-agent/${QREXEC_REMOTE_DOMAIN}.stat
+  fi
+fi
+
 ncat -U $SSH_AUTH_SOCK
diff --git a/rc.local_client b/rc.local_client
@@ -1,9 +1,16 @@
 # Uncomment next line to enable ssh agent forwarding to the named VM
 SSH_VAULT_VM="ssh-vault"
+# If you wish to set your client VM's policy to 'allow', you can still
+# be prompted at intervals to approve the connection to SSH agent by
+# setting a value below (like QUBES_GPG_AUTOACCEPT in Split GPG)
+#QUBES_SSH_AGENT_AUTOACCEPT=600
 
 if [ "$SSH_VAULT_VM" != "" ]; then
 	export SSH_SOCK=/tmp/.SSH_AGENT_$SSH_VAULT_VM
 	rm -f "$SSH_SOCK"
-	sudo -u user ncat -k -l -U "$SSH_SOCK" -c "qrexec-client-vm $SSH_VAULT_VM qubes.SshAgent" &
+	if [ -z $QUBES_SSH_AGENT_AUTOACCEPT ]; then
+		sudo -u user ncat -k -l -U "$SSH_SOCK" -c "qrexec-client-vm $SSH_VAULT_VM qubes.SshAgent" &
+	else
+		sudo -u user ncat -k -l -U "$SSH_SOCK" -c "qrexec-client-vm $SSH_VAULT_VM qubes.SshAgent+$QUBES_SSH_AGENT_AUTOACCEPT" &
+	fi
 fi
-