Use Touch ID / Secure Enclave for SSH Authentication!
Rust Shell
Switch branches/tags
Nothing to show

README.md

SeKey

Build Status

SeKey

About

SeKey is a SSH Agent that allow users to authenticate to UNIX/Linux SSH servers using the Secure Enclave

How it Works?

The Secure Enclave is a hardware-based key manager that’s isolated from the main processor to provide an extra layer of security. When you store a private key in the Secure Enclave, you never actually handle the key, making it difficult for the key to become compromised. Instead, you instruct the Secure Enclave to create the key, securely store it, and perform operations with it. You receive only the output of these operations, such as encrypted data or a cryptographic signature verification outcome.

Limitations

  • Only support MacBook Pro with the Touch Bar and Touch ID
  • Can’t import preexisting key
  • Stores only 256-bit elliptic curve private key

Install

Homebrew

Unfortunately, I can't make a Homebrew formula because KeyChain API requires entitlements, so the binary has to be signed to work.

Pkg Installer

  1. Go to Releases and download the pkg release
  2. Install the application using the pkg.
  3. Set enviroment variables and fix the path of sekey folder.
export PATH=$PATH:/Applications/SeKey.app/Contents/MacOS
export SSH_AUTH_SOCK=$HOME/.sekey/ssh-agent.ssh

Manual Installation

  1. Go to Releases and download the zip release
  2. Place the App in the Applications folder.
  3. Go to ~/Library/LaunchAgents
  4. Create the file com.ntrippar.sekey.plist
  5. Paste the following into the file and fix the path of the sekey binary:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.ntrippar.sekey</string>
    <key>ProgramArguments</key>
    <array>
        <string>/absolute/path/to/SeKey.app/Contents/MacOS/sekey</string>
        <string>--daemon</string>
    </array>
    <key>StandardErrorPath</key>
    <string>/dev/null</string>
    <key>StandardOutPath</key>
    <string>/dev/null</string>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
  1. Fix permissions
chown youruser:staff /absolute/path/to/SeKey.app/Contents/MacOS/sekey
  1. Load the agent to the user account:
launchctl load -F ~/Library/LaunchAgents/com.ntrippar.sekey.plist
  1. Set enviroment variables and fix the path of sekey folder.
export PATH=$PATH:/path/to/SeKey.app/Contents/MacOS
export SSH_AUTH_SOCK=$HOME/.sekey/ssh-agent.ssh

Usage

For the help menu:

ntrippar@macbookpro:~% sekey -h
SeKey 1.0
Nicolas Trippar <ntrippar@gmail.com>
Use Secure Enclave for SSH Authentication

USAGE:
    sekey [FLAGS] [OPTIONS]

FLAGS:
        --daemon       Run the daemon
    -h, --help         Prints help information
        --list-keys    List all keys
    -V, --version      Prints version information

OPTIONS:
        --delete-keypair <ID>         Deltes the keypair
        --export-key <ID>             export key to OpenSSH Format
        --generate-keypair <LABEL>    Generate a key inside the Secure Enclave

Examples

Create KeyPair inside the Secure Enclave:

ntrippar@macbookpro:~% sekey --generate-keypair "Github Key"
Keypair Github Key sucessfully generated

List keys in the secure enclave:

ntrippar@macbookpro:~% sekey --list-keys

┌────────────────────┬──────────────────────────────────────────────────┐
│       Label        │                        ID                        │
├────────────────────┼──────────────────────────────────────────────────┤
│     Github Key     │     d179eb4c2d6a242de64e82240b8b6e611cf0d729     │
└────────────────────┴──────────────────────────────────────────────────┘

Export public key to OpenSSH format:

ntrippar@macbookpro:~% sekey --export-key d179eb4c2d6a242de64e82240b8b6e611cf0d729
ecdsa-sha2-nistp25 AAAAEmVjZHNhLXNoYTItbmlzdHAyNQAAAAhuaXN0cDI1NgAAAEEE8HM7SBdu3yOYkmF0Wnj/q8t2NJC6JYJWZ4IyvkOVIeUs6mi4B424bAjhZ4Awgk5ax9r25RB3Q8tL2/7J/3xchQ==

Delete Keypair:

ntrippar@macbookpro:~% sekey --delete-keypair d179eb4c2d6a242de64e82240b8b6e611cf0d729
Key d179eb4c2d6a242de64e82240b8b6e611cf0d729 sucessfully deleted

How to Build

Build

Sekey is built with Cargo, the Rust package manager. We also use Xcode to build the Objective-C code to bridge with the Secure Enclave and sign the binary.

git clone https://github.com/ntrippar/sekey
cd sekey
cargo build --release

Sign

SeKey utilizes the KeyChain API on MacOS, for using it the app needs to be signed and have the correct entitlements.

You need to change the sign parameter to match your own signing key

Listing keys

security find-identity -v -p codesigning

Sign

codesign --force --identifier "com.ntrippar.sekey" --sign "Developer ID Application: Nicolas Trippar (5E8NNEEMLP)" --entitlements ./assets/sekey.entitlements --timestamp=none ./bundle/SeKey.app

Package

cp ./target/release/sekey ./bundle/Applications/SeKey.app/Contents/MacOS/sekey

if needed to create a pkg installer

pkgbuild --analyze --root ./bundle/ SeKey.plist

pkgbuild --sign "Developer ID Installer: Nicolas Trippar (5E8NNEEMLP)" --identifier com.ntrippar.sekey --root ./bundle/ --scripts ./install-scripts --component-plist ./Sekey.plist ./sekey.pkg

Contribute

Members of the open-source community are encouraged to submit pull requests directly through GitHub.