JP Mens3d ago

Generating and storing #SSH keys inside the #TPM (Trusted Platform Module)

https://linderud.dev/blog/store-ssh-keys-inside-the-tpm-ssh-tpm-agent/

It works, at least on a Thinkpad X1 and Debian 12. I'm not sure I'd actually prefer that to something more portable such as a Yubikey.

I'm interested in hearing your feedback, and whether you actually use the TPM (and what for).

Store ssh keys inside the TPM: ssh-tpm-agent

After writing age-plugin-tpm a friend of mine at the hackerspace was super excited to finally have easy file encryption with TPM sealed keys, all without having to rely on gnupg. “This is great!” he said. “I wish I could have my SSH keys sealed in a TPM just as easily”. We should have left it at that. I shouldn’t have replied with a random assortment of facts like “I know google/go-tpm now”, or “but Go has a ssh-agent protocol implementation” followed-up with “Filippo has already implemented yubikey-agent, it can’t be that hard”. So I wound up writing a new ssh agent.

Morten Linderud
Show threadEdd3d ago
@jpmens
I'm using it both in my home lab as a PoC and (so far, only experimentally) in my day job. We've gotten to the point now where exfiltration of keys is table stakes if an attacker gets into your environment, so I'm a big fan of hardware-bound keys. A yubikey is technically better, imo, but the UX when you've got less-security-focused-users is just better if the key is built into the machine they're provided with.
Show threadJP Mens3d ago
@iMeddles interesting. Does that mean you pre-generate keys for laptop/desktop users, and if I may ask, passphrase-less?
Show threadEdd3d ago

@jpmens
At present, yes, while it's experimental, but the eventual design I want to get to once the tooling is a *little* more mature would get rid of pre-generation and render passphrases moot.

(Warning: wall of text incoming in next reply with design details :p)

Show threadEdd3d ago

@jpmens
The design I *want* to get to in order to roll this out as non-experimental combines the tpm-bound ssh keys with short-lived (<24hr) SSH certificates, alongside device attestation (to prove a given ssh key is on a tpm, no matter who or when it was generated).

The background flow I'm working on, for which we *almost* have all the tooling, is: every day a script notices the user doesn't have a valid ssh certificate, and so generates a new CSR for the key, alongside an attestation statement. The SSH CA validates the attestation statement is correct for the laptop that that user was issued (and API calls out to the Device Management System to check that the device is compliant with all our policies) before issuing the certificate. Access to the CA is gated behind an SSO login, which enforces a daily check that the user is still valid and hasn't been suspended.

Thus the UX for the end user is minimally changed (one SSO login gets enforced per day, but otherwise they ssh and git in the manner they're used to, without them needing to change any behaviour - in fact as they never have to worry about copying their SSH publeys around, it's likely easier for the end user overall); whilst for us in Sysadmin we get loads of upsides:

1. No longer having to care about managing and clearing out authorized_keys files as they don't exist thanks to the certs
2. Guarantees that a given ssh login was initiated from a device that has our security policies applied to it
3. the knowledge that if we have to suspend a user for any reason, all their SSH access will be gone either as soon as the device management system locks their computer out (if their computer is online) or as soon as the ssh certificate expires if not
4. We can leverage the TPMs ability to measure boot to stop a user even starting the process of getting access if the operating system or the system boot settings have been tampered with.

It's definitely a system with a bunch of complexity, but when you're in an Organisation context it has a lot of nice upsides as a trade off for that.

Show threadJP Mens3d ago
@iMeddles it’s late here, and I’m tired, but I will try and process/understand tomorrow. Thank you for your insights!
Show threadEdd
@jpmens
No problem, I'm very happy to answer any questions about this - I'm still trying to make sure I've got all the pieces straight in my head, and answering questions is the best way to find the gaps in my own knowledge!
Mar 25 at 8:55pmWeb