Commit 24ede49f authored by Clark's avatar Clark

Updating split SSH section with user details

parent 5b369498
......@@ -62,7 +62,6 @@ sudo dd if=Qubes-R4.0.3-x86_64.iso of=/dev/sda status=progress
#+END_SRC
* TODO Qubes VM architecture
#+begin_src plantuml :file img/Qubes-VM-architecture.svg
......@@ -130,6 +129,7 @@ rectangle << System >> {
entity dom0 {
{static} NetVM <none>
{field} qubes-rpc/policy qubes.SshAgent
}
entity "default-mgmt-dvm" as default_mgmt_dvm {
......@@ -177,9 +177,11 @@ rectangle << UserSpace >> {
class "bytecache-dev" as bytecache_dev {
{static} TemplateVM <deb10-ws>
{static} NetVM <sys-vpn>
{field} SSH_VAULT_VM bytecache-ssh-vault
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#emacs Emacs]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#rust Rust]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#python-3 Python3]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#libreoffice LibreOffice]]
}
class "bytecache-email" as bytecache_email {
......@@ -187,19 +189,15 @@ class "bytecache-email" as bytecache_email {
{static} NetVM <sys-vpn>
{method} #Thunderbird
{method} #ProtonMail Bridge
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#libreoffice LibreOffice]]
}
class "bytecache-matrix" as bytecache_matrix {
class "bytecache-social" as bytecache_social {
{static} TemplateVM <deb10-social>
{static} NetVM <sys-vpn>
{method} #Element
}
class "bytecache-user" as bytecache_user {
{static} TemplateVM <who15-ws>
{static} NetVM <sys-whonix>
}
class "bytecache-gpg-vault" as bytecache_gpg_vault {
{static} TemplateVM < ??? >
{static} NetVM <none>
......@@ -225,6 +223,7 @@ enum "ubu18-ws-dvm" as ubuntu_ws_dvm {
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#r R]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#gdb GDB]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#radare-2 Radare 2]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#libreoffice LibreOffice]]
}
enum "deb10-ws-dvm" as debian_ws_dvm {
......@@ -236,6 +235,7 @@ enum "deb10-ws-dvm" as debian_ws_dvm {
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#r R]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#gdb GDB]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#radare-2 Radare 2]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#libreoffice LibreOffice]]
}
enum "fed30-dvm" as fedora_dvm {
......@@ -243,13 +243,24 @@ enum "fed30-dvm" as fedora_dvm {
{static} NetVM <sys-whonix>
}
class "public-social" as public_social {
{static} TemplateVM <deb10-social>
{static} NetVM <sys-whonix>
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#emacs Emacs]]
{method} #Zoom
{method} #Discord
{method} #Element
{method} #Slack
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#libreoffice LibreOffice]]
}
class "untrusted" as untruster {
{static} TemplateVM <deb10-ws>
{static} NetVM <sys-whonix>
}
enum "who15-ws-dvm" as whonix_ws_dvm {
{static} TemplateVM <who15-ws>
enum "who15-dvm" as whonix_dvm {
{static} TemplateVM <whonix-ws-15>
{static} NetVM <sys-whonix>
}
......@@ -262,12 +273,14 @@ class "work-email" as work_email {
class "work-dev" as work_dev {
{static} TemplateVM <ubu18-ws>
{static} NetVM <sys-vpn>
{field} SSH_VAULT_VM work-ssh-vault
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#emacs Emacs]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#ethereum Ethereum]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#rust Rust]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#python-3 Python3]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#gdb GDB]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#radare-2 Radare 2]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#libreoffice LibreOffice]]
}
class "work-audit-gold-image" as work_audit_gold_image {
......@@ -279,6 +292,7 @@ class "work-audit-gold-image" as work_audit_gold_image {
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#python-3 Python3]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#gdb GDB]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#radare-2 Radare 2]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#libreoffice LibreOffice]]
}
class "work-social" as work_social {
......@@ -287,6 +301,7 @@ class "work-social" as work_social {
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#emacs Emacs]]
{method} #Zoom
{method} #Slack
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#libreoffice LibreOffice]]
}
class "work-gpg-vault" as work_gpg_vault {
......@@ -319,7 +334,7 @@ cloud << TemplateVMs >> {
rectangle << Debian >> {
interface "deb10" as debian
interface "debian-10" as debian
abstract "deb10-ws" as debian_ws {
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#emacs Emacs]]
......@@ -328,11 +343,13 @@ abstract "deb10-ws" as debian_ws {
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#r R]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#gdb GDB]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#radare-2 Radare 2]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#libreoffice LibreOffice]]
}
abstract "deb10-email" as debian_email {
{method} #ProtonMail Bridge
{method} #Thunderbird
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#libreoffice LibreOffice]]
}
abstract "deb10-social" as debian_social {
......@@ -340,13 +357,14 @@ abstract "deb10-social" as debian_social {
{method} #Slack
{method} #Element
{method} #Discord
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#libreoffice LibreOffice]]
}
}
rectangle << Ubuntu >> {
interface "ubu18" as ubuntu
interface "ubuntu-18" as ubuntu
abstract "ubu18-ws" as ubuntu_ws {
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#emacs Emacs]]
......@@ -356,6 +374,7 @@ abstract "ubu18-ws" as ubuntu_ws {
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#r R]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#gdb GDB]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#radare-2 Radare 2]]
{method} +[[https://blog.bytecache.io/Self-hosted/Workstation.html#libreoffice LibreOffice]]
}
}
......@@ -363,14 +382,14 @@ abstract "ubu18-ws" as ubuntu_ws {
rectangle Windows_Wrapper {
rectangle << Windows >> {
interface "win10" as windows
interface "winows-10" as windows
}
}
rectangle << Fedora >> {
interface "fed30" as fedora
interface "fedora-30" as fedora
abstract "fed30-ssh-vault" as fedora_ssh_vault {
{field} qubes-rpc qubes.SshAgent
......@@ -381,8 +400,8 @@ abstract "fed30-ssh-vault" as fedora_ssh_vault {
rectangle Whonix_Wrapper {
rectangle << Whonix >> {
interface "who15-gw" as whonix_gw
interface "who15-ws" as whonix_ws
interface "whonix-gw-15" as whonix_gw
interface "whonix-ws-15" as whonix_ws
}
}
......@@ -408,11 +427,10 @@ fedora <.. fedora_ssh_vault
ubuntu <.. ubuntu_ws
#+end_src
#+RESULTS[33a800a30314671a471e4aba25356bae9dabd5a4]:
#+RESULTS[84c02af19b5b3641f9f85abaedce28e45200de11]:
[[file:img/Qubes-VM-architecture.svg]]
* TODO Custom VMs
Creating custom virtual machines for QubesOS for Ubuntu and Windows.
......@@ -500,9 +518,9 @@ Verify the service status using =sudo systemctl status openvpn@local_profile= an
* TODO Setup Split SSH
In Qubes OS, ssh keypairs can be split between the =private key location= (an offline AppVM) and users (any other AppVM, such as a development VM).
In Qubes OS, ssh keypairs can be split between the =private key location= (an offline AppVM) and users (any other AppVM, such as a development VM). I have a separate /ssh-vault/ for each ssh keypair. In this section I demonstrate setting up split ssh for my ByteCache development VM, =bytecache-dev=.
First, clone the latest Fedora TemplateVM, naming it /fedora-30-ssh-vault/. Temporarily enable networking over =sys-whonix=. Start the TemplateVM, and run the following to install =ncat= and configure the ssh agent.
First, clone the latest Fedora TemplateVM, naming it /fed30-ssh-vault/. Temporarily enable networking over =sys-whonix=. Start the TemplateVM, and run the following to install =ncat= and configure the ssh agent.
#+BEGIN_SRC sh
sudo dnf install nmap-ncat -y && \
......@@ -512,9 +530,9 @@ notify-send "[`qubesdb-read /name`] SSH agent access from: $QREXEC_REMOTE_DOMAIN
ncat -U $SSH_AUTH_SOCK'
#+END_SRC
Then shutdown the TemplateVM and disable networking. Create a new AppVM named /ssh-vault/, using the /fedora-30-ssh-vault/ TemplateVM. This will be the =private key= VM, so be sure to *disable network access*.
Then shutdown the TemplateVM and disable networking. Create a new AppVM named /bytecache-ssh-vault/, using the /fed30-ssh-vault/ TemplateVM. This will be the =private key= VM, so be sure to *disable network access*.
On the =ssh-vault= AppVM, create an ssh-key, and update the config. Also add an autostart entry.
On the =bytecache-ssh-vault= AppVM, create an ssh-key, and update the config. Also add an autostart entry.
#+BEGIN_SRC sh
ssh-keygen -t ed25519 -C "sentry@bytecache.io" -f "$HOME"/.ssh/id_rsa -N '' && \
......@@ -533,17 +551,38 @@ Type=Application'
On =dom0=, add a policy for the ssh agent.
#+BEGIN_SRC sh
echo "$anyvm $anyvm ask" > /etc/qubes-rpc/policy/qubes.SshAgent
echo "bytecache-dev bytecache-ssh-vault ask" > /etc/qubes-rpc/policy/qubes.SshAgent
#+END_SRC
Now, on any AppVM which should have access to the ssh key as an agent (e.g., a development AppVM), perform the following steps.
Now from =bytecache-dev=, perform the following steps.
#+BEGIN_SRC sh
...
sudo bash -c 'cat <<EOT >> /rw/config/rc.local
# For split SSH
SSH_VAULT_VM="bytecache-ssh-vault"
if [ "\$SSH_VAULT_VM" != "" ]; then
export SSH_SOCK=/home/user/.SSH_AGENT_\$SSH_VAULT_VM
rm -f "\$SSH_SOCK"
sudo -u user /bin/sh -c "umask 177 && ncat -k -l -U '"'"'\$SSH_SOCK'"'"' -c '"'"'qrexec-client-vm \$SSH_VAULT_VM qubes.SshAgent'"'"' &"
fi
EOT' && \
sudo bash -c 'cat <<EOT >> ~/.bashrc
# For split SSH
SSH_VAULT_VM="bytecache-ssh-vault"
if [ "\$SSH_VAULT_VM" != "" ]; then
export SSH_AUTH_SOCK=~user/.SSH_AGENT_\$SSH_VAULT_VM
fi
EOT'
#+END_SRC
Then restart =bytecache-dev=.
* TODO TO MIGRATE: (Debian to Qubes VMs)
* TODO Install software
** TODO Wazuh Agent - Endpoint Security
Wazuh is an HIDS system, which is a fork of OSSEC built on the ELK stack. I'll install a Wazuh agent that I use to send data to a Wazuh server deployed elsewhere (e.g., on =10.0.0.2=).
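Review bot: The second heredoc in the new `bytecache-dev` snippet is run as `sudo bash -c 'cat <<EOT >> ~/.bashrc'`, so `~` is resolved by root's shell and the `SSH_AUTH_SOCK` export most likely lands in root's `.bashrc` rather than in the `user` account's, which is the shell that actually needs to find the agent socket (exact behaviour depends on how sudo sets HOME, but in either case it is not the user's file). The first heredoc legitimately needs root because it writes `/rw/config/rc.local`, but the `.bashrc` append should be done as the ordinary user, e.g. `cat <<EOT >> ~/.bashrc` with the `\$` escapes kept so the literal `$SSH_VAULT_VM` reaches the file. It would also help to state in the prose before the block that the rc.local listener is started with `umask 177` so the socket is only reachable by `user`, and that the `ask` policy written in dom0 means every agent request from `bytecache-dev` still triggers a dom0 prompt, which is the control the reader should not relax. As in the previous revision, the `echo ... > /etc/qubes-rpc/policy/qubes.SshAgent` line in dom0 will fail unless run as root, so a `sudo` or a note that it is executed from a root shell is still missing.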
......@@ -622,8 +661,16 @@ sudo apt install -y emacs elpa-evil twittering-mode graphviz elpa-rainbow-mode d
If the host is running =Ubuntu=, and emacs version is stuck at 25.x, run the following to install emacs26.
#+BEGIN_SRC sh
sudo add-apt-repository ppa:kelleyk/emacs && \
sudo apt update && sudo apt install emacs26
sudo add-apt-repository -y ppa:kelleyk/emacs && \
sudo apt update && sudo apt install -y emacs26
#+END_SRC
** LibreOffice
Install LibreOffice on Debian.
#+BEGIN_SRC sh
sudo apt install -y libreoffice
#+END_SRC
** Rust