ssh-tpm-agent

ssh-tpm-agent is an ssh-agent whose keys are created by the Trusted Platform Module (TPM) and sealed outside of it, for authentication to ssh servers.

This lets you use a native client instead of having to side-load PKCS#11 libraries into the ssh-agent and/or ssh client.
Features:

- A working ssh-agent.
- Keys created on the TPM, sealed outside of it.
- PIN support.
- TPM session encryption.
The identity format and technical details might change between iterations. Consider this plugin experimental.
Instead of using the TPM directly, you can pass `--swtpm` or set `export SSH_TPM_AGENT_SWTPM=1` to create an identity backed by swtpm, which is stored under `/var/tmp/ssh-tpm-agent`.

Note that swtpm provides no security properties and should only be used for testing.
The simplest way of installing this plugin is by running the following go command.

```shell
go install github.com/Foxboron/ssh-tpm-agent/cmd/...@latest
```

Alternatively, download the pre-built binaries.
```shell
# Create key
$ ssh-tpm-keygen
Generating a sealed public/private ecdsa key pair.
Enter file in which to save the key (/home/fox/.ssh/id_ecdsa):
Enter pin (empty for no pin):
Enter same pin again:
Your identification has been saved in /home/fox/.ssh/id_ecdsa.tpm
Your public key has been saved in /home/fox/.ssh/id_ecdsa.pub
The key fingerprint is:
SHA256:NCMJJ2La+q5tGcngQUQvEOJP3gPH8bMP98wJOEMV564
The key's randomart image is the color of television, tuned to a dead channel.

$ cat /home/fox/.ssh/id_ecdsa.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOTOsMXyjTc1wiQSKhRiNhKFsHJNLzLk2r4foXPLQYKR0tuXIBMTQuMmc7OiTgNMvIjMrcb9adgGdT3s+GkNi1g=

# Using the socket
$ ssh-tpm-agent -l /var/tmp/tpm.sock

# Point ssh at the agent socket (export on its own line; `export VAR=value cmd` would
# not run cmd, it would just export "cmd" as an empty variable)
$ export SSH_AUTH_SOCK="/var/tmp/tpm.sock"
$ ssh git@github.com
```
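Added example, not part of the ssh-tpm-agent project: a stdlib-only Python client that parses the public key line printed above, computes its OpenSSH SHA256 fingerprint, and asks the agent on `/var/tmp/tpm.sock` for its identities using the ssh-agent protocol (draft-miller-ssh-agent), so you can check that the agent serves the same public key as the keygen output and see that only public key blobs cross the socket while the sealed private part never leaves the TPM. The key line and socket path come from the page; everything else here is the example's own code.

```python
import base64
import hashlib
import socket
import struct

# Public key line exactly as `cat /home/fox/.ssh/id_ecdsa.pub` prints it above (copied from the page).
PUB_LINE = ("ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOTOsMXyjTc1wiQSKh"
            "RiNhKFsHJNLzLk2r4foXPLQYKR0tuXIBMTQuMmc7OiTgNMvIjMrcb9adgGdT3s+GkNi1g=")
SSH_AGENTC_REQUEST_IDENTITIES = 11  # message numbers from draft-miller-ssh-agent
SSH_AGENT_IDENTITIES_ANSWER = 12

def put_string(b):  # SSH wire "string": uint32 big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b
def get_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_pubkey(line):  # -> (key type, curve name, uncompressed EC point)
    blob = base64.b64decode(line.split()[1])
    ktype, off = get_string(blob, 0)
    curve, off = get_string(blob, off)
    point, off = get_string(blob, off)
    if off != len(blob) or point[0] != 0x04:  # 0x04 marks an uncompressed SEC1 point
        raise ValueError("unexpected public key encoding")
    return ktype.decode(), curve.decode(), point

def fingerprint(blob):  # OpenSSH style: unpadded base64 of SHA-256 over the wire blob
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
def frame(msg_type, payload=b""):  # agent message: uint32 length, message byte, body
    return put_string(bytes([msg_type]) + payload)

def parse_identities_answer(body):
    """body is the reply without its length prefix; returns [(blob, comment), ...]."""
    if body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("agent replied with message type %d" % body[0])
    (count,) = struct.unpack_from(">I", body, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = get_string(body, off)
        comment, off = get_string(body, off)
        keys.append((blob, comment.decode()))
    return keys

def list_agent_keys(sock_path="/var/tmp/tpm.sock"):
    """Ask the agent for its identities; only public blobs ever cross this socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(frame(SSH_AGENTC_REQUEST_IDENTITIES))
        f = s.makefile("rb")
        (length,) = struct.unpack(">I", f.read(4))
        return parse_identities_answer(f.read(length))
```

With the agent running, `[fingerprint(b) for b, _ in list_agent_keys()]` should contain the fingerprint that `ssh-tpm-keygen` printed; a mismatch means ssh is talking to a different agent than the one holding your TPM-sealed key.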
Licensed under the MIT license. See LICENSE or http://opensource.org/licenses/MIT