Skip to content

Foxboron/ssh-tpm-ca-authority

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

21 Commits
attest
attest
 
 
client
client
 
 
cmd
cmd
 
 
internal/json
internal/json
 
 
oidc
oidc
 
 
server
server
 
 
LICENCE
LICENCE
 
 
README.md
README.md
 
 
config.yaml
config.yaml
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 

Repository files navigation

ssh-tpm-ca-authority

An implementation of a CA authority that issues SSH certificates bound to TPMs after EK attestation.

POC quality. Very much a work in progress.

Setup

Create a CA

authority$ ssh-tpm-keygen -f id_ecdsa
authority$ scp id_ecdsa.pub gibson.ellingson.com:/etc/ssh/ca_user_key.pub

Transfer id_ecdsa.pub to the remote servers that is suppose to trust this user ca. Modify /etc/ssh/sshd_config to point at the certificate. In this case we have it stored as /etc/ssh/ca_user_key.pub on the remote server.

gibson$ cat /etc/ssh/sshd_config | grep TrustedUserCAKeys
TrustedUserCAKeys /etc/ssh/ca_user_key.pub

gibson$ systemctl restart sshd

Setup CA Authority

Create a configuration that lists the valid hosts, the correct ca_file and the users with access.

authority$ cat config.yaml
---
hosts:
  - host: gibson.ellingson.com
    ca_file: id_ecdsa.tpm
    users:
      - user: zero_cool
        oidc_connector: https://github.com/login/oauth
        email: zero_cool@rightstrashing.com
        ek: 000ba1d6910d32dbafb47e1365e8a84606aaefc9bb2404f4f99082f6284a9b33415b

The Endorsment Key (EK) needs to be retrieved from the client machines. It's the hex representation of the TPM2_Public Name. An example to retrieve it can be found in cmd/getek/main.go.

client$ go run ./cmd/getek
000ba1d6910d32dbafb47e1365e8a84606aaefc9bb2404f4f99082f6284a9b33415b

Then run the CA authority.

Note: It will currently only listed to http://127.0.0.1:8080.

authority$ ssh-tpm-ca-authority --config ./config.yaml

Inside your ~/.ssh/config include a line of the hosts you want to match on. This ensures ssh-tpm-add will retrieve a signed key from the CA authority before authenticating towards the host.

Note: This requires unreleased changes to ssh-tpm-agent

Match host gibson.ellingson.com exec "ssh-tpm-add --ca 'http://127.0.0.1:8080' --host '%h' --user '%r'"

ssh-tpm-ca-authority will issue shortlived 5 minute signed certificates.

The end result should be a seamless connection to the remote host.

client$ ssh zero_cool@gibson.ellingson.com
Last login: Sun Jul 14 17:01:46 2024 from 192.168.1.1337
gibson%

Valid SSO values

SSO values are based off on what sigstore currently supports.

  • https://github.com/login/oauth
  • https://accounts.google.com

About

SSH Certificate Authority with device attestation

Topics

ssh security openssh tpm attestation

Resources

Readme

License

MIT license
Activity

Stars

50 stars

Watchers

3 watching

Forks

2 forks
Report repository

Releases

No releases published

Languages