From 2b005faa0ca65078b91008f2973fdf89556bf856 Mon Sep 17 00:00:00 2001 From: "Manuel Amador (Rudd-O)" Date: Tue, 11 Oct 2016 20:35:05 +0000 Subject: [PATCH] enhanced remoting instructions --- README.md | 63 ++++++++++++++++++++++++++++++++++++------------------- 1 file changed, 41 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index dbe249b..f9856ac 100644 --- a/README.md +++ b/README.md @@ -32,8 +32,7 @@ in the following combinations: * Qubes VM -> Qubes VM * Qubes VM -> Qubes `dom0` (see below for enablement instructions) * Qubes `dom0` -> Qubes VM -* Qubes VM -> network (SSH) -> Qubes VM on another Qubes host (see below for - enablement instructions) +* Qubes VM -> network (SSH) -> Qubes VM on another Qubes host (see below) * normal desktop Linux -> network (SSH) -> Qubes VM on another Qubes host What this means for you is quite simple. With this toolkit, you can completely 
@@ -89,26 +88,8 @@ sure its contents say `/bin/bash`. That's it -- `bombshell-client` should work against dom0 now. -Enabling bombshell-client access to VMs in other machines ---------------------------------------------------------- - -Do this at your own risk. On the other machine: - -* Ensure that Qubes OS instance has at least one `domU` VM running SSH, which - we will call the *target VM*. -* Ensure the SSH server on that VM is is accessible via the network from the - *source VM* (which runs `bombshell-client`). This includes any firewall - and forwarding rules, etc. -* Ensure the target VM's SSH server lets your source VM log in passwordlessly - (pubkey auth). -* Ensure the policy file in the other machine's `dom0` (the file is located at - `/etc/qubes-rpc/policy/qubes.VMShell`) allows the target VM (the one - with the SSH server) to execute `qubes.VMShell` without prompting (otherwise - you will have to physically walk over to the other machine and authorize - each execution by hand). - -How to use the connection technology with automation tools like Ansible and SaltStack -------------------------------------------------------------------------------------- +How to use the connection technology with automation tools like Ansible +----------------------------------------------------------------------- You integrate it into your Ansible setup by: @@ -130,6 +111,7 @@ workvm ansible_connection=qubes # The next line has a parameter which indicates to Ansible to first # connect to the domU SSH at 1.2.3.4 before attempting to use # bombshell-client to manage other VMs on the same system. +# See below for instructions to enable remoting. vmonremotehost ansible_connection=qubes management_proxy=1.2.3.4 ``` 
@@ -141,6 +123,43 @@ managing, unless you set said permission to default to yes (the pertinent file to edit is in the `dom0` of the target Qubes OS machine, path `/etc/qubes-rpc/policy/qubes.VMShell`). +Enabling bombshell-client remote access to VMs in other machines +---------------------------------------------------------------- + +Do this at your own risk. On the other machine: + +* Ensure that Qubes OS instance has at least one `domU` VM running SSH, which + we will call the *target VM*. It's usually best to use a StandaloneVM for + the purpose. +* Enable remote network access to that VM by using + [Qubes network server](https://github.com/Rudd-O/qubes-network-server). + Set the necessary firewall rules on the VM to permit SSH connections from + the source VM. +* Ensure the target VM's SSH server lets your source VM log in passwordlessly + (pubkey auth). +* Ensure the policy file in the other machine's `dom0` (the file is located at + `/etc/qubes-rpc/policy/qubes.VMShell`) allows the target VM (the one + with the SSH server) to execute `qubes.VMShell` without prompting (otherwise + you will have to physically walk over to the other machine and authorize + each execution by hand). Usually a line `targetvm $anyvm allow` suffices. + +After declaring in your Ansible `hosts` file the VMs on the other machine that +you want to manage, add the following host attribute to each one. + +``` +vmonremotehost ansible_connection=qubes management_proxy= +``` + +That's it. Running `ansible vmonremotehost -m shell -a whoami` should provide +you with a crisp visual of the results of `whoami` on the VM `vmonremotehost`. + +The `management_proxy` variable tells the Ansible Qubes connection plugin +to first bridge the connection via SSH over to the target VM, and to then +execute `bombshell-client` to gain access to `vmonremotehost`. 
+ +How to use the connection technology with Ansible +------------------------------------------------- + You can also integrate this plugin with SaltStack's `salt-ssh` program, by: 1. placing the `bombshell-client`, `qrun` and `qssh` commands
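Review bot: the first hunk leaves the last bullet, `* normal desktop Linux -> network (SSH) -> Qubes VM on another Qubes host`, without a "(see below)" pointer even though the relocated enablement section applies to that combination as well (it is the same SSH bridge to a target VM); suggest appending "(see below)" to that bullet too so both network-bridged combinations send the reader to the enablement steps.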
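Review bot: in the hosts-file hunk the added comment `# See below for instructions to enable remoting.` is fine, but the example line it annotates still reads `vmonremotehost ansible_connection=qubes management_proxy=1.2.3.4` while the relocated section's fenced example shows `management_proxy=` with no value, so the two examples now disagree on how the proxy address is written; pick one form (the literal `1.2.3.4` or an explicit placeholder) and use it in both places.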
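Review bot: the new heading `How to use the connection technology with Ansible` sits directly above `You can also integrate this plugin with SaltStack's \`salt-ssh\` program, by:`, so it labels the SaltStack instructions as Ansible; since the earlier hunk already renamed the first heading to drop "and SaltStack", this one should read `How to use the connection technology with SaltStack` with the dashed underline shortened to match. Two further points in the same hunk: the fenced example `vmonremotehost ansible_connection=qubes management_proxy=` has an empty value, which looks like an angle-bracket placeholder swallowed by markdown rendering, so write it as `management_proxy=1.2.3.4` (matching the earlier hosts example) or as an explicit placeholder such as `management_proxy=IP-OF-TARGET-VM`; and the suggested policy line `targetvm $anyvm allow` lets the network-exposed target VM open a `qubes.VMShell` in every VM on that host without a prompt, which the bullet should state plainly next to the "Do this at your own risk" warning, ideally alongside the narrower form `targetvm vmonremotehost allow` for readers who only need specific VMs managed.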