SSH key with TPM
TPM 2.0
Many new computers now ship with TPM 2.0, so the SSH private key can live in the TPM instead of on disk, which strengthens security.
Install:
sudo apt install libtpm2-pkcs11-tools libtpm2-pkcs11-1
sudo usermod -a -G tss "$(id -nu)"
newgrp tss
Test:
ls /dev/tpm0
tpm2_getcap properties-fixed
Create the key:
tpm2_ptool init
tpm2_ptool addtoken --pid=1 --label=ssh --userpin=MySecretPassword --sopin=MyRecoveryPassword
tpm2_ptool addkey --label=ssh --userpin=MySecretPassword --algorithm=rsa2048
Get the public key:
ssh-keygen -D /usr/lib/x86_64-linux-gnu/libtpm2_pkcs11.so.1
Connect:
ssh -I /usr/lib/x86_64-linux-gnu/libtpm2_pkcs11.so.1 server
TPM 1.2
First confirm that the kernel supports the chip
dmesg | grep -i tpm
[ 5.167670] tpm_tis 00:08: 1.2 TPM (device-id 0x1B, rev-id 16)
thomas@T460s:~$ lsmod|grep tpm
tpm_tis 16384 0
tpm_tis_core 28672 1 tpm_tis
tpm 73728 4 tpm_tis,tpm_tis_core
rng_core 16384 1 tpm
Check that the device file exists
ls /dev/tpm*
Make sure the tcsd service is installed and running
sudo apt-get install trousers
systemctl status tcsd
● trousers.service - LSB: starts tcsd
Loaded: loaded (/etc/init.d/trousers; generated)
Active: active (running) since Fri 2023-04-28 21:23:37 CST; 4 days ago
Docs: man:systemd-sysv-generator(8)
Process: 7571 ExecStart=/etc/init.d/trousers start (code=exited, status=0/SUCCESS)
Tasks: 1 (limit: 28635)
Memory: 776.0K
CPU: 2.817s
CGroup: /system.slice/trousers.service
└─7577 /usr/sbin/tcsd
Check the version
$ tpm_version
TPM 1.2 Version Info:
Chip Version: 1.2.6.40
Spec Level: 2
Errata Revision: 3
TPM Vendor ID: IFX
Vendor Specific data: 062800be 0074706d 733038ff ff
TPM Version: 01010000
Manufacturer Info: 49465800
$ tpm_selftest -l info
TPM Test Results: 800001ff
tpm_selftest succeeded
Setup
mkdir ~/.simple-tpm-pk11
stpm-keygen -o ~/.simple-tpm-pk11/my.key
echo key my.key > ~/.simple-tpm-pk11/config
Get the public key:
$ ssh-keygen -D /usr/lib/x86_64-linux-gnu/libsimple-tpm-pk11.so
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCTGgGIIZDZ+X+s823nBoAayFxfnv8uVJxcB9MEeOXalKsckqQV9tKgjcB0JOc7F3Dc0LMvTMhuICtf3xBEo6z0wyTt+sj1Q6tf6EVTTGQotYGvesLWUWGoNAmihRXRWSywL4yKgp5aVxE......e5EEE40fiDozFGDImrdFiSdt17iNOAQWjj5mmsaJMRzwvJLViO3oHbViP2sP3Hql1eo+ml x
Put the public key into authorized_keys on the host, then log in with
ssh SSH-SERVER -I /usr/lib/x86_64-linux-gnu/libsimple-tpm-pk11.so
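The two procedures above (tpm2-pkcs11 for TPM 2.0, simple-tpm-pk11 for TPM 1.2) share the same shape: check the device and group membership, create the key inside the chip, export the public key through the PKCS#11 module, verify it, and connect with ssh -I. The script below is an added example, not code from the original post or from either project; it wraps both paths and adds the checks a practitioner wants before pasting a key into authorized_keys. It assumes the Debian/Ubuntu library paths used in the post, the token label "ssh", and that PINs are supplied in the environment variables TPM_USER_PIN and TPM_SO_PIN (both names are this example's own choice) rather than typed on the command line. The dmesg lines used in the tests are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the original post or from tpm2-pkcs11 / simple-tpm-pk11.
# Pre-flight checks plus a wrapper for both TPM 2.0 and TPM 1.2 SSH-key setups.

TPM2_MODULE="${TPM2_MODULE:-/usr/lib/x86_64-linux-gnu/libtpm2_pkcs11.so.1}"      # assumed path (as in post)
TPM12_MODULE="${TPM12_MODULE:-/usr/lib/x86_64-linux-gnu/libsimple-tpm-pk11.so}"  # assumed path (as in post)
TOKEN_LABEL="${TOKEN_LABEL:-ssh}"

# Classify the chip from the tpm_tis kernel message, which reports "1.2 TPM" or "2.0 TPM".
# Prints "2.0", "1.2" or "none". Feed it `dmesg | grep -i tpm` on a real machine.
tpm_generation_from_dmesg() {
    if printf '%s\n' "$1" | grep -q '2\.0 TPM'; then echo 2.0
    elif printf '%s\n' "$1" | grep -q '1\.2 TPM'; then echo 1.2
    else echo none; fi
}

# Return 0 if a group list (as printed by `id -nG`) contains tss. Membership in tss is what
# grants access to /dev/tpm* and to tcsd, so check it first when ssh-keygen -D lists no keys.
has_tss_group() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx tss
}

# Return 0 if a line looks like an OpenSSH public key as printed by `ssh-keygen -D`:
# a known key type, a base64 blob, and an optional comment. Used to validate the export
# before it goes into authorized_keys (a truncated or garbled line is rejected).
is_ssh_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# TPM 2.0 path: create the token and an RSA-2048 key inside the chip.
# The SO PIN is the recovery PIN; keep it offline. PINs come from the environment so they
# do not land in shell history or `ps` output.
tpm2_setup_token() {
    if [ -z "$TPM_USER_PIN" ] || [ -z "$TPM_SO_PIN" ]; then
        echo "set TPM_USER_PIN and TPM_SO_PIN first" >&2; return 1
    fi
    tpm2_ptool init
    tpm2_ptool addtoken --pid=1 --label="$TOKEN_LABEL" --userpin="$TPM_USER_PIN" --sopin="$TPM_SO_PIN"
    tpm2_ptool addkey --label="$TOKEN_LABEL" --userpin="$TPM_USER_PIN" --algorithm=rsa2048
}

# TPM 1.2 path: generate a TPM-wrapped key for simple-tpm-pk11, as in the post.
tpm12_setup_key() {
    mkdir -p "$HOME/.simple-tpm-pk11"
    stpm-keygen -o "$HOME/.simple-tpm-pk11/my.key"
    echo "key my.key" > "$HOME/.simple-tpm-pk11/config"
}

# Export every public key the PKCS#11 module exposes, refusing anything that is not a
# well-formed key line. $1 = module path.
export_pubkey() {
    if [ ! -r "$1" ]; then echo "PKCS#11 module not found: $1" >&2; return 1; fi
    ssh-keygen -D "$1" | while IFS= read -r line; do
        is_ssh_pubkey_line "$line" || { echo "unexpected output from ssh-keygen -D: $line" >&2; exit 1; }
        printf '%s\n' "$line"
    done
}

# Usage: TPM_SSH_RUN=1 sh tpm-ssh.sh setup      (create the key, then print the public key)
#        TPM_SSH_RUN=1 sh tpm-ssh.sh            (just print the public key)
main() {
    gen=$(tpm_generation_from_dmesg "$(dmesg 2>/dev/null | grep -i tpm)")
    has_tss_group "$(id -nG)" || \
        echo "warning: $(id -nu) is not in group tss; run: sudo usermod -a -G tss $(id -nu) && newgrp tss" >&2
    case "$gen" in
        2.0) module=$TPM2_MODULE;  if [ "$1" = setup ]; then tpm2_setup_token || return 1; fi ;;
        1.2) module=$TPM12_MODULE; if [ "$1" = setup ]; then tpm12_setup_key  || return 1; fi ;;
        *)   echo "no TPM reported by the kernel" >&2; return 1 ;;
    esac
    export_pubkey "$module" || return 1
    echo "connect with: ssh -I $module <server>" >&2
}

# Gated so the helper functions can be sourced and tested without touching a TPM.
if [ "${TPM_SSH_RUN:-0}" = 1 ]; then main "$@"; fi
```

The export step validates each line from ssh-keygen -D before printing it: the key line in the post is shown truncated with "......", and a line like that pasted into authorized_keys would silently fail at login, so rejecting anything that is not a key type plus an intact base64 blob catches the mistake early.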
References
https://blog.ledger.com/ssh-with-tpm/
https://github.com/tpm2-software/tpm2-pkcs11/blob/1.6.0/docs/SSH.md
https://blog.habets.se/2013/11/TPM-chip-protecting-SSH-keys---properly.html
https://wiki.archlinux.org/title/Trusted_Platform_Module