Skip to content

Commit

Permalink
Added ssh-tpm-hostkey docs and fixups
Browse files Browse the repository at this point in the history
Signed-off-by: Morten Linderud <[email protected]>
  • Loading branch information
Foxboron committed Sep 3, 2023
1 parent 43624b0 commit 6ff8665
Show file tree
Hide file tree
Showing 6 changed files with 56 additions and 7 deletions.
35 changes: 35 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -177,6 +177,41 @@ $ ssh-add -L
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJCxqisGa9IUNh4Ik3kwihrDouxP7S5Oun2hnzTvFwktszaibJruKLJMxHqVYnNwKD9DegCNwUN1qXCI/UOwaSY= test
```
### ssh-tpm-hostkey
`ssh-tpm-agent` also supports storing host keys inside the TPM.
```
$ sudo ssh-tpm-keygen -A
2023/09/03 17:03:08 INFO Generating new ECDSA host key
2023/09/03 17:03:08 INFO Wrote /etc/ssh/ssh_tpm_host_ecdsa_key.tpm
2023/09/03 17:03:08 INFO Generating new RSA host key
2023/09/03 17:03:15 INFO Wrote /etc/ssh/ssh_tpm_host_rsa_key.tpm

$ sudo ssh-tpm-hostkeys --install-system-units
Installed /usr/lib/systemd/system/ssh-tpm-agent.service
Installed /usr/lib/systemd/system/ssh-tpm-agent.socket
Installed /usr/lib/systemd/system/ssh-tpm-genkeys.service
Enable with: systemctl enable --now ssh-tpm-agent.socket

$ sudo ssh-tpm-hostkeys --install-sshd-config
Installed /etc/ssh/sshd_config.d/10-ssh-tpm-agent.conf
Restart sshd: systemd restart sshd

$ systemctl enable --now ssh-tpm-agent.socket
$ systemd restart sshd

$ sudo ssh-tpm-hostkeys
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCLDH2xMDIGb26Q3Fa/kZDuPvzLzfAH6CkNs0wlaY2AaiZT2qJkWI05lMDm+mf+wmDhhgQlkJAHmyqgzYNwqWY0= root@framework
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAoMPsv5tEpTDFw34ltkF45dTHAPl4aLu6HigBkNnIzsuWqJxhjN6JK3vaV3eXBzy8/UJxo/R0Ml9/DRzFK8cccdIRT1KQtg8xIikRReZ0usdeqTC+wLpW/KQqgBLZ1PphRINxABWReqlnbtPVBfj6wKlCVNLEuTfzi1oAMj3KXOBDcTTB2UBLcwvTFg6YnbTjrpxY83Y+3QIZNPwYqd7r6k+e/ncUl4zgCvvxhoojGxEM3pjQIaZ0Him0yT6OGmCGFa7XIRKxwBSv9HtyHf5psgI+X5A2NV2JW2xeLhV2K1+UXmKW4aXjBWKSO08lPSWZ6/5jQTGN1Jg3fLQKSe7f root@framework

$ ssh-keyscan -t ecdsa localhost
# localhost:22 SSH-2.0-OpenSSH_9.4
localhost ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCLDH2xMDIGb26Q3Fa/kZDuPvzLzfAH6CkNs0wlaY2AaiZT2qJkWI05lMDm+mf+wmDhhgQlkJAHmyqgzYNwqWY0=
```
Note: sshd seems to be a bit flakey when it decides to sign with `SHA256` or `SHA512`, so your mileage might vary. Only `SHA256` is supported by `ssh-tpm-agent`.
# ssh-config
It is possible to use the public keys created by `ssh-tpm-keygen` inside ssh
Expand Down
8 changes: 7 additions & 1 deletion cmd/ssh-tpm-hostkeys/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ const usage = `Usage:
Options:
--install-system-units Installs systemd system units and sshd configs for using
ssh-tpm-agent as a hostkey agent.
--install-sshd-config Installs sshd configuration for the ssh-tpm-agent socket.
Display host keys.`

Expand All @@ -30,17 +31,22 @@ func main() {

var (
installSystemUnits bool
installSshdConfig bool
)

flag.BoolVar(&installSystemUnits, "install-system-units", false, "install systemd system units")
flag.BoolVar(&installSshdConfig, "install-sshd-config", false, "install sshd config")
flag.Parse()

if installSystemUnits {
if err := utils.InstallSystemUnits(); err != nil {
log.Fatal(err)
}
os.Exit(0)
}
if installSshdConfig {
if err := utils.InstallSshdConf(); err != nil {
log.Printf("didn't install sshd config: %v", err)
log.Fatal(err)
}
os.Exit(0)
}
Expand Down
4 changes: 2 additions & 2 deletions contrib/contrib.go
Original file line number Diff line number Diff line change
Expand Up @@ -13,9 +13,9 @@ var sshd embed.FS

func readPath(f embed.FS, s string) map[string][]byte {
ret := map[string][]byte{}
files, _ := services.ReadDir(s)
files, _ := f.ReadDir(s)
for _, file := range files {
b, _ := services.ReadFile(path.Join(s, file.Name()))
b, _ := f.ReadFile(path.Join(s, file.Name()))
ret[file.Name()] = b
}
return ret
Expand Down
7 changes: 7 additions & 0 deletions contrib/contrib_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,3 +17,10 @@ func TestSystemServices(t *testing.T) {
t.Fatalf("invalid number of entries")
}
}

func TestSshdConfig(t *testing.T) {
m := GetSshdConfig()
if len(m) != 1 {
t.Fatalf("invalid number of entries")
}
}
5 changes: 3 additions & 2 deletions contrib/sshd/10-ssh-tpm-agent.conf
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
# This enables TPM sealed host keys

HostKeyAgent /var/tmp/ssh-tpm-agent.sock
HostKey /etc/ssh/keys/ssh_host_ecdsa_key.pub
HostKey /etc/ssh/keys/ssh_host_rsa_key.pub

HostKey /etc/ssh/ssh_tpm_host_ecdsa_key.pub
HostKey /etc/ssh/ssh_tpm_host_rsa_key.pub
4 changes: 2 additions & 2 deletions utils/utils.go
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ func FileExists(s string) bool {
// but here we are.
func fmtSystemdInstallPath() string {
DESTDIR := ""
PREFIX := "/usr/local"
PREFIX := "/usr/"
if s, ok := os.LookupEnv("DESTDIR"); ok {
DESTDIR = s
}
Expand Down Expand Up @@ -163,7 +163,7 @@ func InstallSshdConf() error {
return nil
}

files := contrib.GetSystemServices()
files := contrib.GetSshdConfig()
for name := range files {
ff := path.Join(sshdConfInstallPath, name)
if FileExists(ff) {
Expand Down

0 comments on commit 6ff8665

Please sign in to comment.