💻 🔑 ssh-agent for TPMs
TPMNexus/ssh-tpm-agent
ssh-tpm-agent is an ssh-agent compatible agent that allows keys to be created by the Trusted Platform Module (TPM) for authentication towards ssh servers.

TPM sealed keys are private keys created inside the Trusted Platform Module (TPM) and sealed in .tpm-suffixed files. They are bound to the hardware they are produced on and can't be transferred to other machines.

This allows you to utilize a native client instead of having to side-load existing PKCS11 libraries into the ssh-agent and/or ssh client.

The project uses TPM 2.0 Key Files, implemented through the go-tpm-keyfiles project.

Features

  • A working ssh-agent.
  • Create shielded ssh keys on the TPM.
  • Creation of remotely wrapped SSH keys for import.
  • PIN support: the TPM's dictionary attack protection allows you to use low-entropy PINs instead of passphrases.
  • TPM session encryption.
  • Proxy support towards other ssh-agent servers for fallbacks.

SWTPM support

Instead of utilizing the TPM directly, you can use --swtpm or export SSH_TPM_AGENT_SWTPM=1 to create an identity backed by swtpm, which will be stored under /var/tmp/ssh-tpm-agent.

Note that swtpm provides no security properties and should only be used for testing.

Installation

The simplest way of installing this plugin is by running the following:

go install github.com/foxboron/ssh-tpm-agent/cmd/...@latest

Alternatively download the pre-built binaries.

Usage

# Create key
$ ssh-tpm-keygen
Generating a sealed public/private ecdsa key pair.
Enter file in which to save the key (/home/fox/.ssh/id_ecdsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/fox/.ssh/id_ecdsa.tpm
Your public key has been saved in /home/fox/.ssh/id_ecdsa.pub
The key fingerprint is:
SHA256:NCMJJ2La+q5tGcngQUQvEOJP3gPH8bMP98wJOEMV564
The key's randomart image is the color of television, tuned to a dead channel.
$ cat /home/fox/.ssh/id_ecdsa.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOTOsMXyjTc1wiQSKhRiNhKFsHJNLzLk2r4foXPLQYKR0tuXIBMTQuMmc7OiTgNMvIjMrcb9adgGdT3s+GkNi1g=
# Using the socket
$ ssh-tpm-agent -l /var/tmp/tpm.sock
$ export SSH_AUTH_SOCK="$(ssh-tpm-agent --print-socket)"
$ ssh git@github.com

Note: For ssh-tpm-agent you can specify the TPM owner password using the command line flags -o or --owner-password, which are preferred. Alternatively, you can use the environment variable SSH_TPM_AGENT_OWNER_PASSWORD.

Import existing key

Useful if you want to back up the key to a remote secure storage while using the key day-to-day from the TPM.

# Create a key, or use an existing one
$ ssh-keygen -t ecdsa -f id_ecdsa
Generating public/private ecdsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_ecdsa
Your public key has been saved in id_ecdsa.pub
The key fingerprint is:
SHA256:bDn2EpX6XRX5ADXQSuTq+uUyia/eV3Z6MW+UtxjnXvU fox@framework
The key's randomart image is:
+---[ECDSA 256]---+
|           .+=o..|
|           o. oo.|
|          o... .o|
|       . + ..  ..|
|        S .   . o|
|       o * . oo=*|
|        ..+.oo=+E|
|        .++o...o=|
|       .++++. .+ |
+----[SHA256]-----+
# Import the key
$ ssh-tpm-keygen --import id_ecdsa
Sealing an existing public/private ecdsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_ecdsa.tpm
The key fingerprint is:
SHA256:bDn2EpX6XRX5ADXQSuTq+uUyia/eV3Z6MW+UtxjnXvU
The key's randomart image is the color of television, tuned to a dead channel.

Install user service

Socket-activated services allow you to start ssh-tpm-agent when it's needed by your system.

# Using the socket
$ ssh-tpm-agent --install-user-units
Installed /home/fox/.config/systemd/user/ssh-tpm-agent.socket
Installed /home/fox/.config/systemd/user/ssh-tpm-agent.service
Enable with: systemctl --user enable --now ssh-tpm-agent.socket
$ systemctl --user enable --now ssh-tpm-agent.socket
$ export SSH_AUTH_SOCK="$(ssh-tpm-agent --print-socket)"
$ ssh git@github.com

Proxy support

# Start the usual ssh-agent
$ eval $(ssh-agent)
# Create a strong RSA key
$ ssh-keygen -t rsa -b 4096 -f id_rsa -C ssh-agent
...
The key fingerprint is:
SHA256:zLSeyU/6NKHGEvyZLA866S1jGqwdwdAxRFff8Z2N1i0 ssh-agent
$ ssh-add id_rsa
Identity added: id_rsa (ssh-agent)
# Print looonnggg key
$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc[...]8TWynQ== ssh-agent
# Create key on the TPM
$ ssh-tpm-keygen -C ssh-tpm-agent
Generating a sealed public/private ecdsa key pair.
Enter file in which to save the key (/home/fox/.ssh/id_ecdsa):
Enter passphrase (empty for no passphrase):
Confirm passphrase:
Your identification has been saved in /home/fox/.ssh/id_ecdsa.tpm
Your public key has been saved in /home/fox/.ssh/id_ecdsa.pub
The key fingerprint is:
SHA256:PoQyuzOpEBLqT+xtP0dnvyBVL6UQTiQeCWN/EXIxPOo
The key's randomart image is the color of television, tuned to a dead channel.
# Start ssh-tpm-agent with a proxy socket
$ ssh-tpm-agent -A "${SSH_AUTH_SOCK}" &
$ export SSH_AUTH_SOCK="$(ssh-tpm-agent --print-socket)"
# ssh-tpm-agent is proxying the keys from ssh-agent
$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc[...]8TWynQ== ssh-agent
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNo[...]q4whro= ssh-tpm-agent

ssh-tpm-add

$ ssh-tpm-agent --no-load &
2023/08/12 13:40:50 Listening on /run/user/1000/ssh-tpm-agent.sock
$ export SSH_AUTH_SOCK="$(ssh-tpm-agent --print-socket)"
$ ssh-add -L
The agent has no identities.
$ ssh-tpm-add $HOME/.ssh/id_ecdsa.tpm
Identity added: /home/user/.ssh/id_ecdsa.tpm
$ ssh-add -L
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJCxqisGa9IUNh4Ik3kwihrDouxP7S5Oun2hnzTvFwktszaibJruKLJMxHqVYnNwKD9DegCNwUN1qXCI/UOwaSY= test
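The listing that ssh-add -L prints in the proxy and ssh-tpm-add sections above is the agent's reply to an SSH_AGENTC_REQUEST_IDENTITIES message. The following added example (not code from the ssh-tpm-agent project) speaks that part of the ssh-agent protocol directly over the socket from ssh-tpm-agent --print-socket, so a script can check which key types and comments an agent, or a proxying ssh-tpm-agent, actually exposes; the identity list used in the test is constructed.

```python
import os
import socket
import struct

# Message numbers from the ssh-agent protocol (draft-miller-ssh-agent).
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12

def ssh_string(b):
    """Encode bytes as an SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def read_ssh_string(buf, off):
    """Decode the SSH 'string' at buf[off:]; return (bytes, offset just past it)."""
    if off + 4 > len(buf):
        raise ValueError("short buffer")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("string length exceeds buffer")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_identities_answer(payload):
    """Parse SSH_AGENT_IDENTITIES_ANSWER into [(key_type, comment), ...]; key_type is the
    first string inside the public key blob, e.g. 'ecdsa-sha2-nistp256'."""
    if len(payload) < 5 or payload[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an SSH_AGENT_IDENTITIES_ANSWER")
    (count,) = struct.unpack_from(">I", payload, 1)
    off, identities = 5, []
    for _ in range(count):
        blob, off = read_ssh_string(payload, off)
        comment, off = read_ssh_string(payload, off)
        key_type, _ = read_ssh_string(blob, 0)
        identities.append((key_type.decode(), comment.decode()))
    return identities

def list_identities(sock_path):
    """Ask the agent at sock_path which keys it offers (the same query ssh-add -L makes)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(sock_path)
        # Agent messages are framed as uint32 length + payload; here the payload is one type byte.
        sock.sendall(struct.pack(">IB", 1, SSH_AGENTC_REQUEST_IDENTITIES))
        f = sock.makefile("rb")
        (length,) = struct.unpack(">I", f.read(4))
        return parse_identities_answer(f.read(length))

if __name__ == "__main__":
    for key_type, comment in list_identities(os.environ["SSH_AUTH_SOCK"]):
        print(key_type, comment)
```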

Create and wrap a private key for a client machine on a remote server

On the client side, create a primary key under a hierarchy. This example will use the owner hierarchy with an SRK.

The output file srk.pem needs to be transferred to the remote end, which creates the key. This could be done as part of client provisioning.

$ tpm2_createprimary -C o -G ecc -g sha256 -c prim.ctx -a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda' -f pem -o srk.pem

On the remote end we create a p256 ssh key, with no password, and wrap it with ssh-tpm-keygen using the srk.pem from the client side.

$ ssh-keygen -t ecdsa -b 256 -N "" -f ./ecdsa.key
# OR with openssl
$ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out ecdsa.key
# Wrap with ssh-tpm-keygen, using the srk.pem produced on the client
$ ssh-tpm-keygen --wrap-with srk.pem --wrap ecdsa.key -f wrapped_id_ecdsa

On the client side we can unwrap wrapped_id_ecdsa to a loadable key.

$ ssh-tpm-keygen --import ./wrapped_id_ecdsa.tpm -f id_ecdsa.tpm
$ ssh-tpm-add id_ecdsa.tpm

ssh-tpm-hostkey

ssh-tpm-agent also supports storing host keys inside the TPM.

$ sudo ssh-tpm-keygen -A
2023/09/03 17:03:08 INFO Generating new ECDSA host key
2023/09/03 17:03:08 INFO Wrote /etc/ssh/ssh_tpm_host_ecdsa_key.tpm
2023/09/03 17:03:08 INFO Generating new RSA host key
2023/09/03 17:03:15 INFO Wrote /etc/ssh/ssh_tpm_host_rsa_key.tpm
$ sudo ssh-tpm-hostkeys --install-system-units
Installed /usr/lib/systemd/system/ssh-tpm-agent.service
Installed /usr/lib/systemd/system/ssh-tpm-agent.socket
Installed /usr/lib/systemd/system/ssh-tpm-genkeys.service
Enable with: systemctl enable --now ssh-tpm-agent.socket
$ sudo ssh-tpm-hostkeys --install-sshd-config
Installed /etc/ssh/sshd_config.d/10-ssh-tpm-agent.conf
Restart sshd: systemctl restart sshd
$ systemctl enable --now ssh-tpm-agent.socket
$ systemctl restart sshd
$ sudo ssh-tpm-hostkeys
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCLDH2xMDIGb26Q3Fa/kZDuPvzLzfAH6CkNs0wlaY2AaiZT2qJkWI05lMDm+mf+wmDhhgQlkJAHmyqgzYNwqWY0= root@framework
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAoMPsv5tEpTDFw34ltkF45dTHAPl4aLu6HigBkNnIzsuWqJxhjN6JK3vaV3eXBzy8/UJxo/R0Ml9/DRzFK8cccdIRT1KQtg8xIikRReZ0usdeqTC+wLpW/KQqgBLZ1PphRINxABWReqlnbtPVBfj6wKlCVNLEuTfzi1oAMj3KXOBDcTTB2UBLcwvTFg6YnbTjrpxY83Y+3QIZNPwYqd7r6k+e/ncUl4zgCvvxhoojGxEM3pjQIaZ0Him0yT6OGmCGFa7XIRKxwBSv9HtyHf5psgI+X5A2NV2JW2xeLhV2K1+UXmKW4aXjBWKSO08lPSWZ6/5jQTGN1Jg3fLQKSe7f root@framework
$ ssh-keyscan -t ecdsa localhost
# localhost:22 SSH-2.0-OpenSSH_9.4
localhost ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCLDH2xMDIGb26Q3Fa/kZDuPvzLzfAH6CkNs0wlaY2AaiZT2qJkWI05lMDm+mf+wmDhhgQlkJAHmyqgzYNwqWY0=

Note: sshd seems to be a bit flaky about whether it decides to sign with SHA256 or SHA512, so your mileage might vary. Only SHA256 is supported by ssh-tpm-agent.

ssh-config

It is possible to use the public keys created by ssh-tpm-keygen inside ssh configurations.

The example below uses ssh-tpm-agent and also passes the public key to ensure not all identities are leaked from the agent.

Host example.com
    IdentityAgent $SSH_AUTH_SOCK

Host *
    IdentityAgent /run/user/1000/ssh-tpm-agent.sock
    IdentityFile ~/.ssh/id_ecdsa.pub
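As an added example (not from the project's README): IdentityFile on its own only selects which key ssh tries, while ssh still offers every identity the agent holds first, so to offer the TPM key alone pair it with the OpenSSH option IdentitiesOnly. The socket path and key file below are the ones used on this page.

```sshconfig
# Weak: the agent is still asked for all identities and each one may be offered
Host *
    IdentityAgent /run/user/1000/ssh-tpm-agent.sock
    IdentityFile ~/.ssh/id_ecdsa.pub

# Corrected: only the listed key is offered, even if the agent (or a proxied
# ssh-agent behind it) holds more identities
Host *
    IdentityAgent /run/user/1000/ssh-tpm-agent.sock
    IdentityFile ~/.ssh/id_ecdsa.pub
    IdentitiesOnly yes
```

Check the effect with ssh -v, which lists which identities are tried and in what order.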

License

Licensed under the MIT license. See LICENSE or https://opensource.org/licenses/MIT
