A simple library for using the TPM chip to secure SSH keys.
Copyright 2013-2016 Google Inc. All Rights Reserved. Apache 2.0 license.
This is NOT a Google product.
Contact: thomas@habets.se / habets@google.com
https://github.com/ThomasHabets/
apt-get install tpm-tools libtspi-dev libopencryptoki-dev libssl-dev
tpm-tools
opencryptoki-devel
trousers-devel
openssl-devel
pkg install tpm-tools trousers-tddl opencryptoki openssl
./configure && make && sudo make install
- If you have not taken ownership, do so.
tpm_takeownership -z
Enter owner password: [enter something secret here]
Confirm password: [enter something secret here]
- SRK password is usually the Well Known Secret (all nulls). You can specify a password but it's easier it you don't. The SRK password is only used to allow crypto operations. You still need blobs and key passwords to use other peoples keys.
tpm_changeownerauth -s -r
If you get any error messages, see read TPM-TROUBLESHOOTING.
mkdir ~/.simple-tpm-pk11/
stpm-keygen -o ~/.simple-tpm-pk11/my.key
(use -p
if you want to set a password on the key)
Try out the key:
dd if=/dev/urandom of=to-sign bs=1 count=35
stpm-sign -k ~/.simple-tpm-pk11/my.key -f to-sign
echo "key my.key" > ~/.simple-tpm-pk11/config
Optionally add "log foo.log" in there too.
ssh-keygen -D libsimple-tpm-pk11.so
Install it where you want to log in, in the usual authorized_keys way.
Try logging in using your new fancy key:
ssh -I libsimple-tpm-pk11.so shell.example.com
Add this to ~/.ssh/config
:
Host *
PKCS11Provider libsimple-tpm-pk11.so
then try:
ssh shell.example.com
- Dell Precision T3500 / WEC TPM 1.2.2.81
- HP Z440 / IFX TPM 1.2.4.40
- Lenovo T410 / STM TPM 1.2.8.16
- Lenovo T440s / STM TPM 1.2.13.12
- Lenovo T500 / INTC STM 1.2.4.1
- Lenono X200s / INTC TPM 1.2.4.1
- Lenovo X240 / STM TPM 1.2.13.12
- OpenSSH 5.9
- OpenSSH 6.0p1 on Debian 7.2
- OpenSSH 6.4p1 on CentOS 7.0
- OpenSSH 6.6.1p1 on FreeBSD 11-CURRENT
- OpenSSH 6.8p1 on Arch Linux
- OpenSSH 7.1p2 on Debian
- Clean up code.
- config option: log to stdout and/or stderr in addition to logfile.
- Install in the correct place.
- Add PKCS11 support to ssh server.
- Global config in /etc.
- Optionally stir with /dev/random when generating keys.
- Script to automate setting up, including verifying TPM state and fixing it.
- Auto-generate keys on demand? Or should this only be part of script to set up?
- Make it work with gpg, and document.
- Make it work with SSH certs, and document.
- Make it work with openssl, and document.
- Make it work with Firefox, and document.
- Make it work with Chrome, and document.
- Make it work with encrypted home directories, and document.
- http://secgroup.ext.dsi.unive.it/projects/security-apis/tookan/
- http://secgroup.ext.dsi.unive.it/projects/security-apis/cryptokix/
- http://trousers.sourceforge.net/pkcs11.html
- http://www.trustedcomputinggroup.org/resources/tcg_software_stack_tss_specification
- http://www.infineon.com/dgdl/TPM+Key+Backup+and+Recovery.pdf
- http://www.engadget.com/2010/02/12/christopher-tarnovsky-hacks-infineons-unhackable-chip-we-pre/
- http://trousers.sourceforge.net/dev_faq.html
- http://resources.infosecinstitute.com/linux-tpm-encryption-initializing-and-using-the-tpm/
- http://p11-glue.freedesktop.org/p11-kit.html
- http://trousers.sourceforge.net/dev_faq.html
- Update configure.ac with new version, commit.
- git tag -a -s 0.0x
- git push --tags
openssl genrsa -out rsa-key 2048
openssl rsa -in rsa-key -modulus
exponent is always 65537.
ssh-keygen -f rsa-key -y > rsa-key.pub