@Foxboron (Morten Linderud) released this 26 Mar 21:47

v0.8.0

This tag and its release commit (1a96091) were signed with the committer's verified GPG signature, key ID 9C02FF419FECBE16.

The release is signed with C100 3466 7663 4E80 C940 FB9E 9C02 FF41 9FEC BE16.

⚠️ Breaking Changes ⚠️

ssh-tpm-agent no longer uses SSH_AUTH_SOCK as the default socket environment
variable. Since ssh-tpm-agent supports proxy features and is intended to be
run alongside an existing ssh-agent, defaulting to SSH_AUTH_SOCK no longer makes much sense.

Instead, SSH_TPM_AUTH_SOCK is the new standard environment variable.

agent: Don't overwrite SSH_AUTH_SOCK socket

Changes

Support for rsa-sha2-512

Previously ssh-tpm-agent did not support sha512. This is annoying, as in many
cases ssh is going to opt for sha512 when dealing with RSA keys. As
most TPMs do not support SHA512, a hack was implemented using the raw
TPM2_Decrypt call to implement support for other hash algorithms.

See the upstream go-tpm-keyfiles project commit:
tpm: support RSA signing with SHA512
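The following Go program is an added illustration, not code from ssh-tpm-agent or go-tpm-keyfiles. It shows why a raw RSA private-key operation (the modular exponentiation a TPM exposes when asked to RSA-decrypt with a null padding scheme) is enough to produce a standard PKCS#1 v1.5 signature for a hash the TPM itself cannot compute: the caller hashes the message in software, wraps the digest in the DER DigestInfo header for that hash, applies the PKCS#1 v1.5 padding, and hands the padded block to the private operation. The output verifies with the stock crypto/rsa verifier and is byte-for-byte what rsa.SignPKCS1v15 produces. It generalizes beyond the release note's SHA-512 case to SHA-256 as well, and it uses a software RSA key generated in-process as a stand-in for a TPM-resident one (an assumption made so the example runs without hardware).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha256" // registers SHA-256 with crypto.Hash
	_ "crypto/sha512" // registers SHA-512 with crypto.Hash
	"errors"
	"fmt"
	"math/big"
)

// digestInfoPrefix holds the DER-encoded DigestInfo header for each hash
// (RFC 8017, section 9.2, note 1); the raw digest is appended after it.
var digestInfoPrefix = map[crypto.Hash][]byte{
	crypto.SHA256: {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
		0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20},
	crypto.SHA512: {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
		0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40},
}

// emsaPKCS1v15Encode builds EM = 0x00 || 0x01 || PS || 0x00 || T, where T is
// DigestInfo(hash, digest) and PS is at least eight 0xff bytes (RFC 8017, 9.2).
func emsaPKCS1v15Encode(h crypto.Hash, digest []byte, k int) ([]byte, error) {
	prefix, ok := digestInfoPrefix[h]
	if !ok {
		return nil, errors.New("unsupported hash for PKCS#1 v1.5 DigestInfo")
	}
	if len(digest) != h.Size() {
		return nil, errors.New("digest length does not match hash")
	}
	tLen := len(prefix) + len(digest)
	if k < tLen+11 {
		return nil, rsa.ErrMessageTooLong
	}
	em := make([]byte, k)
	em[0], em[1] = 0x00, 0x01
	for i := 2; i < k-tLen-1; i++ {
		em[i] = 0xff
	}
	em[k-tLen-1] = 0x00
	copy(em[k-tLen:], prefix)
	copy(em[k-len(digest):], digest)
	return em, nil
}

// rawRSAPrivateOp computes em^d mod n with no padding applied or checked.
// This is the textbook private-key operation a TPM performs when asked to
// RSA-decrypt with a null scheme; here it runs in software on a generated
// key so the example needs no TPM.
func rawRSAPrivateOp(priv *rsa.PrivateKey, em []byte) []byte {
	m := new(big.Int).SetBytes(em)
	s := new(big.Int).Exp(m, priv.D, priv.N)
	out := make([]byte, priv.Size())
	s.FillBytes(out) // left-pad to the modulus length
	return out
}

// SignPKCS1v15ViaRawOp hashes msg with h in software, applies PKCS#1 v1.5
// encoding, and signs with the raw private operation.
func SignPKCS1v15ViaRawOp(priv *rsa.PrivateKey, h crypto.Hash, msg []byte) ([]byte, error) {
	if _, ok := digestInfoPrefix[h]; !ok || !h.Available() {
		return nil, errors.New("unsupported hash for PKCS#1 v1.5 DigestInfo")
	}
	hasher := h.New()
	hasher.Write(msg)
	em, err := emsaPKCS1v15Encode(h, hasher.Sum(nil), priv.Size())
	if err != nil {
		return nil, err
	}
	return rawRSAPrivateOp(priv, em), nil
}

func main() {
	// Software key standing in for a TPM-resident RSA key (assumption).
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample message") // constructed input
	for _, h := range []crypto.Hash{crypto.SHA256, crypto.SHA512} {
		sig, err := SignPKCS1v15ViaRawOp(priv, h, msg)
		if err != nil {
			panic(err)
		}
		hasher := h.New()
		hasher.Write(msg)
		err = rsa.VerifyPKCS1v15(&priv.PublicKey, h, hasher.Sum(nil), sig)
		fmt.Printf("%s via raw RSA op: verify error = %v\n", h, err)
	}
}
```

The point for a defender reviewing such a design is that the private operation never sees the message, only the padded DigestInfo block, so the TPM's own hash support is irrelevant to which signature hash the agent can offer; what matters is that the padding is applied correctly before the raw operation, which is why the result must match the library's signature exactly rather than merely verify.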

As a bonus:
ssh-keygen -Y sign did not support setting the hashalg with -O. I sent a
patch to fix that, so you can use RSA keys with SHA256 for signatures if
needed.
upstream: when using RSA keys to sign messages, select the signature algorithm based on the requested hash algorithm ("-Ohashalg=xxx").

New Features

MANPAGES!

We now have manpages!

  • ssh-tpm-agent(1)
  • ssh-tpm-keygen(1)
  • ssh-tpm-add(1)
  • ssh-tpm-hostkeys(1)

Typos may follow.

Implement man pages

Hierarchy keys

Important

This feature is experimental. Future changes could cause the keys to change
between versions.

ssh-tpm-agent is now capable of preloading hierarchy keys into the agent.
These keys are not the usual keys and persist across installs and system
reboots.

TPMs have several hierarchies you can create keys under. The owner
hierarchy should be unique for each owner of a given device. The endorsement
hierarchy should be unique for the lifetime of the device, and null should be
unique for the current device power cycle.

ssh-tpm-agent --hierarchy endorsement will now start the agent with two keys,
one ecdsa key and one rsa key, both bound to the endorsement hierarchy
of the device. This is useful for host keys, as they can persist between
installations of the operating system and across ephemeral root disks.

To create the public portions of the host keys you can use
ssh-tpm-keygen -A --hierarchy endorsement

Implement hierarchy keys #87

keyctl support for PIN caching

In previous releases, passwords/PINs for keys were stored alongside the key in
memory. Now these values are passed to the kernel keyring for storage and
only held in memory while in use. After use there is an attempt at using
mmap to clear the memory.

This ensures that only the ssh-tpm-agent process can access these secrets.

Note the huge caveat that this is Go, and any handling of the secrets before
we pass them to keyctl might be leakable in a crash dump etc. I have a goal
of trying to improve this in the future.

Implement kernel keyctl support

Initial support for landlock

ssh-tpm-agent now has some baseline support for landlock
sandboxing of the processes. This is disabled by default but can be enabled by
setting the SSH_TPM_LANDLOCK environment variable.

If you run a distro with different requirements, please help test this feature
as I would like to turn it on by default in the future.

Note that ssh-tpm-keygen does not support landlock yet.

Initial support for landlock

Support signing with SSH certificates

ssh-tpm-agent supports signing with SSH certificates now.

Implement signing using SSH certificates

Better support for ssh-add in ssh-tpm-agent

ssh-add will now attempt to also include the certificate if found alongside
the SSH key.

agent: ensure we load certificates if found

Full Changelog: v0.7.0...v0.8.0

Contributors

  • @mkj
  • @Foxboron
  • @gartnera
  • @0siriz