v0.5.0
The release is signed with C100 3466 7663 4E80 C940 FB9E 9C02 FF41 9FEC BE16.
⚠️ Breaking Changes ⚠️
With the continued development of `go-tpm-keyfiles` there were several issues
with the key format that `ssh-tpm-keygen` previously generated.
This has been corrected, but supporting the older keys is going to be hard, so
please recreate any keys you made with previous releases.
Sorry for the bother, but as the keys are now properly compatible with the other
TSS key files this should not happen again in the future.
Changes
The `pinentry` usage in `ssh-tpm-agent` has been replaced with `askpass`. This
requires you to have an `askpass` binary installed for GUI password prompts to
display.
This also features a rework of all the prompts in `ssh-tpm-keygen`.
The TPM interaction in `ssh-tpm-keygen` has now fully moved to `go-tpm-keyfiles`.
https://github.com/Foxboron/go-tpm-keyfiles
Beware, dragons.
New Features
Better support for `ssh-add` in `ssh-tpm-agent`
Previously there were several stubbed functions in `ssh-tpm-agent` that made for
broken support when flags like `ssh-add -d` were used. This has been fixed, and
`ssh-tpm-agent` should now properly support all `ssh-agent` commands, and with the
proxy support forward them properly.
Creating and importing wrapped keys
`ssh-tpm-keygen` has learned how to create wrapped keys. Wrapped keys are keys
that can be created remotely and imported by the client. A wrapped key is
only importable by the given TPM and can't be recovered by anyone else.
The way this works is that the client shares the public key of a given TPM
hierarchy, created by `tpm2_createprimary`. The remote machine can then create
an SSH key with `ssh-keygen`, or a key with `openssl`, which is then wrapped to
that public key by `ssh-tpm-keygen`.
Creation of the shared public key under the owner hierarchy with an SRK; this
needs to be done on the client, and the resulting `srk.pem` is shared with the
remote machine (it is a public key, not a secret, but the remote side must be
able to tell it came from the intended TPM):
```shell
$ tpm2_createprimary -C o -G ecc -g sha256 -c prim.ctx -a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda' -f pem -o srk.pem
```
Creation of a key on the remote end, then wrapping it to the client's SRK:
```shell
$ ssh-keygen -t ecdsa -b 256 -N "" -f ./ecdsa.key
# OR with openssl
$ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out ecdsa.key
# Wrap with ssh-tpm-keygen, against the SRK public key shared by the client
$ ssh-tpm-keygen --wrap-with srk.pem --wrap ecdsa.key -f wrapped_id_ecdsa
```
Which can then be imported on the client side through `ssh-tpm-keygen --import`:
```shell
$ ssh-tpm-keygen --import ./wrapped_id_ecdsa.tpm --output id_ecdsa.tpm
```
A use case for this is provisioning in an enterprise setting
where the clients are under central control and you want to provision a
centrally controlled SSH key that can only be used by a single machine.
Please note that establishing some sort of trust between the remote and the client
(that the `srk.pem` you wrap to really belongs to the intended TPM) is a
non-trivial problem.
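One concrete check the remote side can do before wrapping, as an added example that is not part of `ssh-tpm-keygen` or `go-tpm-keyfiles`: parse the received `srk.pem`, confirm it is the ECC P-256 public key that `tpm2_createprimary -G ecc` produces by default in tpm2-tools, and compare its fingerprint against a value the operator obtained from the client out of band. The fingerprint format (`SHA256:` followed by unpadded base64 over the DER SubjectPublicKeyInfo, the style `ssh-keygen -l` uses) is a choice made here, not something the project defines; the PEM in the block is generated in place to stand in for a real `srk.pem`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"log"
)

// SRKFingerprint parses a PEM "PUBLIC KEY" (SubjectPublicKeyInfo) block as
// written by tpm2_createprimary -f pem, insists on an ECC P-256 key, and
// returns "SHA256:<unpadded base64>" over the DER bytes (our own convention).
func SRKFingerprint(pemBytes []byte) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "PUBLIC KEY" {
		return "", errors.New("srk: expected a PEM PUBLIC KEY block")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return "", fmt.Errorf("srk: %w", err)
	}
	ec, ok := pub.(*ecdsa.PublicKey)
	if !ok || ec.Curve != elliptic.P256() {
		return "", errors.New("srk: not an ECC P-256 public key")
	}
	sum := sha256.Sum256(block.Bytes)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:]), nil
}

// VerifySRK refuses to proceed unless the fingerprint of the received PEM
// matches the one obtained out of band (e.g. read off the client's console).
func VerifySRK(pemBytes []byte, expected string) error {
	got, err := SRKFingerprint(pemBytes)
	if err != nil {
		return err
	}
	if subtle.ConstantTimeCompare([]byte(got), []byte(expected)) != 1 {
		return fmt.Errorf("srk: fingerprint mismatch: got %s, want %s", got, expected)
	}
	return nil
}

// samplePEM generates a throwaway key on the given curve and encodes its
// public half like tpm2_createprimary -f pem would. Constructed stand-in for
// srk.pem; it is not a real SRK.
func samplePEM(curve elliptic.Curve) ([]byte, error) {
	priv, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

func main() {
	srk, err := samplePEM(elliptic.P256())
	if err != nil {
		log.Fatal(err)
	}
	fp, err := SRKFingerprint(srk)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("SRK fingerprint:", fp)
	// In practice `fp` here would be the value the operator read from the
	// client; any mismatch aborts before ssh-tpm-keygen --wrap is run.
	if err := VerifySRK(srk, fp); err != nil {
		log.Fatal(err)
	}
	fmt.Println("fingerprint verified, safe to wrap against this SRK")
}
```

The check only proves the remote side has the PEM the operator meant to send; it does not prove that key lives in a TPM. That stronger claim needs an attestation of the SRK (for example via an endorsement-key-backed certification), which is the non-trivial trust problem the notes refer to.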
Initial support for key creation under a given parent handle
With the support for importing wrapped keys, `ssh-tpm-keygen` has gained
`--parent-handle` to create SSH keys under a given TPM hierarchy.
Support for persistent handles is not fully implemented yet.
Support for `ssh-tpm-keygen --print-pubkey`
With the support for using wrapped and/or imported keys, `ssh-tpm-keygen` has
now learned a new flag `--print-pubkey` that prints the `authorized_keys`
form of a given TPM key.