enhanced remoting instructions

README.md

@@ -32,8 +32,7 @@ in the following combinations:
 * Qubes VM -> Qubes VM
 * Qubes VM -> Qubes `dom0` (see below for enablement instructions)
 * Qubes `dom0` -> Qubes VM
-* Qubes VM -> network (SSH) -> Qubes VM on another Qubes host (see below for
-   enablement instructions)
+* Qubes VM -> network (SSH) -> Qubes VM on another Qubes host (see below)
 * normal desktop Linux -> network (SSH) -> Qubes VM on another Qubes host
 
 What this means for you is quite simple.  With this toolkit, you can completely
@@ -89,26 +88,8 @@ sure its contents say `/bin/bash`.
 
 That's it -- `bombshell-client` should work against dom0 now.
 
-Enabling bombshell-client access to VMs in other machines
----------------------------------------------------------
-
-Do this at your own risk.  On the other machine:
-
-* Ensure that Qubes OS instance has at least one `domU` VM running SSH, which
-   we will call the *target VM*.
-* Ensure the SSH server on that VM is is accessible via the network from the
-   *source VM* (which runs `bombshell-client`).  This includes any firewall
-   and forwarding rules, etc.
-* Ensure the target VM's SSH server lets your source VM log in passwordlessly
-   (pubkey auth).
-* Ensure the policy file in the other machine's `dom0` (the file is located at
-   `/etc/qubes-rpc/policy/qubes.VMShell`) allows  the target VM (the one
-   with the SSH server) to execute `qubes.VMShell` without prompting (otherwise
-   you will have to physically walk over to the other machine and authorize
-   each execution by hand).
-
-How to use the connection technology with automation tools like Ansible and SaltStack
--------------------------------------------------------------------------------------
+How to use the connection technology with automation tools like Ansible
+-----------------------------------------------------------------------
 
 You integrate it into your Ansible setup by:
 
@@ -130,6 +111,7 @@ workvm          ansible_connection=qubes
 # The next line has a parameter which indicates to Ansible to first
 # connect to the domU SSH at 1.2.3.4 before attempting to use
 # bombshell-client to manage other VMs on the same system.
+# See below for instructions to enable remoting.
 vmonremotehost  ansible_connection=qubes management_proxy=1.2.3.4
 ```
 
@@ -141,6 +123,43 @@ managing, unless you set said permission to default to yes (the pertinent
 file to edit is in the `dom0` of the target Qubes OS machine, path
 `/etc/qubes-rpc/policy/qubes.VMShell`).
 
+Enabling bombshell-client remote access to VMs in other machines
+----------------------------------------------------------------
+
+Do this at your own risk.  On the other machine:
+
+* Ensure that Qubes OS instance has at least one `domU` VM running SSH, which
+  we will call the *target VM*.  It's usually best to use a StandaloneVM for
+  the purpose.
+* Enable remote network access to that VM by using
+  [Qubes network server](https://github.com/Rudd-O/qubes-network-server).
+  Set the necessary firewall rules on the VM to permit SSH connections from
+  the source VM.
+* Ensure the target VM's SSH server lets your source VM log in passwordlessly
+  (pubkey auth).
+* Ensure the policy file in the other machine's `dom0` (the file is located at
+  `/etc/qubes-rpc/policy/qubes.VMShell`) allows the target VM (the one
+  with the SSH server) to execute `qubes.VMShell` without prompting (otherwise
+  you will have to physically walk over to the other machine and authorize
+  each execution by hand).  Usually a line `targetvm $anyvm allow` suffices.
+
+After declaring in your Ansible `hosts` file the VMs on the other machine that
+you want to manage, add the following host attribute to each one.
+
+```
+vmonremotehost  ansible_connection=qubes management_proxy=<IP of domU running SSH>
+```
+
+That's it.  Running `ansible vmonremotehost -m shell -a whoami` should provide
+you with a crisp visual of the results of `whoami` on the VM `vmonremotehost`.
+
+The `management_proxy` variable tells the Ansible Qubes connection plugin
+to first bridge the connection via SSH over to the target VM, and to then
+execute `bombshell-client` to gain access to `vmonremotehost`.
+
+How to use the connection technology with Ansible
+-------------------------------------------------
+
 You can also integrate this plugin with SaltStack's `salt-ssh` program, by:
 
 1. placing the `bombshell-client`, `qrun` and `qssh` commands