diff --git a/README.md b/README.md index e45379b..86f4534 100644 --- a/README.md +++ b/README.md 
@@ -177,6 +177,41 @@ $ ssh-add -L ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJCxqisGa9IUNh4Ik3kwihrDouxP7S5Oun2hnzTvFwktszaibJruKLJMxHqVYnNwKD9DegCNwUN1qXCI/UOwaSY= test ``` +### ssh-tpm-hostkey + +`ssh-tpm-agent` also supports storing host keys inside the TPM. + +``` +$ sudo ssh-tpm-keygen -A +2023/09/03 17:03:08 INFO Generating new ECDSA host key +2023/09/03 17:03:08 INFO Wrote /etc/ssh/ssh_tpm_host_ecdsa_key.tpm +2023/09/03 17:03:08 INFO Generating new RSA host key +2023/09/03 17:03:15 INFO Wrote /etc/ssh/ssh_tpm_host_rsa_key.tpm + +$ sudo ssh-tpm-hostkeys --install-system-units +Installed /usr/lib/systemd/system/ssh-tpm-agent.service +Installed /usr/lib/systemd/system/ssh-tpm-agent.socket +Installed /usr/lib/systemd/system/ssh-tpm-genkeys.service +Enable with: systemctl enable --now ssh-tpm-agent.socket + +$ sudo ssh-tpm-hostkeys --install-sshd-config +Installed /etc/ssh/sshd_config.d/10-ssh-tpm-agent.conf +Restart sshd: systemd restart sshd + +$ systemctl enable --now ssh-tpm-agent.socket +$ systemd restart sshd + +$ sudo ssh-tpm-hostkeys +ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCLDH2xMDIGb26Q3Fa/kZDuPvzLzfAH6CkNs0wlaY2AaiZT2qJkWI05lMDm+mf+wmDhhgQlkJAHmyqgzYNwqWY0= root@framework +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAoMPsv5tEpTDFw34ltkF45dTHAPl4aLu6HigBkNnIzsuWqJxhjN6JK3vaV3eXBzy8/UJxo/R0Ml9/DRzFK8cccdIRT1KQtg8xIikRReZ0usdeqTC+wLpW/KQqgBLZ1PphRINxABWReqlnbtPVBfj6wKlCVNLEuTfzi1oAMj3KXOBDcTTB2UBLcwvTFg6YnbTjrpxY83Y+3QIZNPwYqd7r6k+e/ncUl4zgCvvxhoojGxEM3pjQIaZ0Him0yT6OGmCGFa7XIRKxwBSv9HtyHf5psgI+X5A2NV2JW2xeLhV2K1+UXmKW4aXjBWKSO08lPSWZ6/5jQTGN1Jg3fLQKSe7f root@framework + +$ ssh-keyscan -t ecdsa localhost +# localhost:22 SSH-2.0-OpenSSH_9.4 +localhost ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCLDH2xMDIGb26Q3Fa/kZDuPvzLzfAH6CkNs0wlaY2AaiZT2qJkWI05lMDm+mf+wmDhhgQlkJAHmyqgzYNwqWY0= +``` + +Note: sshd seems to be a bit flakey when it decides to sign with `SHA256` or 
`SHA512`, so your mileage might vary. Only `SHA256` is supported by `ssh-tpm-agent`. + # ssh-config It is possible to use the public keys created by `ssh-tpm-keygen` inside ssh diff --git a/cmd/ssh-tpm-hostkeys/main.go b/cmd/ssh-tpm-hostkeys/main.go index 62139d7..025d3d5 100644 --- a/cmd/ssh-tpm-hostkeys/main.go +++ b/cmd/ssh-tpm-hostkeys/main.go @@ -20,6 +20,7 @@ const usage = `Usage: Options: --install-system-units Installs systemd system units and sshd configs for using ssh-tpm-agent as a hostkey agent. + --install-sshd-config Installs sshd configuration for the ssh-tpm-agent socket. Display host keys.` @@ -30,17 +31,22 @@ func main() { var ( installSystemUnits bool + installSshdConfig bool ) flag.BoolVar(&installSystemUnits, "install-system-units", false, "install systemd system units") + flag.BoolVar(&installSshdConfig, "install-sshd-config", false, "install sshd config") flag.Parse() if installSystemUnits { if err := utils.InstallSystemUnits(); err != nil { log.Fatal(err) } + os.Exit(0) + } + if installSshdConfig { if err := utils.InstallSshdConf(); err != nil { - log.Printf("didn't install sshd config: %v", err) + log.Fatal(err) } os.Exit(0) } diff --git a/contrib/contrib.go b/contrib/contrib.go index a6c0c33..6ca89fc 100644 --- a/contrib/contrib.go +++ b/contrib/contrib.go @@ -13,9 +13,9 @@ var sshd embed.FS func readPath(f embed.FS, s string) map[string][]byte { ret := map[string][]byte{} - files, _ := services.ReadDir(s) + files, _ := f.ReadDir(s) for _, file := range files { - b, _ := services.ReadFile(path.Join(s, file.Name())) + b, _ := f.ReadFile(path.Join(s, file.Name())) ret[file.Name()] = b } return ret diff --git a/contrib/contrib_test.go b/contrib/contrib_test.go index c92f61a..f6d03ac 100644 --- a/contrib/contrib_test.go +++ b/contrib/contrib_test.go 
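Review bot: The `--install-system-units` branch now hits `os.Exit(0)` before `installSshdConfig` is consulted, so `ssh-tpm-hostkeys --install-system-units --install-sshd-config` silently installs only the units, while the usage text in the earlier hunk still advertises that flag as "Installs systemd system units and sshd configs". Either drop the early exit so both installers run when both flags are given, or reject the combination explicitly and update the usage line to `--install-system-units Installs systemd system units for using ssh-tpm-agent as a hostkey agent.` so it matches the new split. Promoting the sshd-config failure from `log.Printf` to `log.Fatal` is right for an installer, but the message should say what it was doing: `log.Fatalf("installing sshd config: %v", err)`. The remainder of `main()` lies outside the hunk.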
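Review bot: `readPath` still discards the errors from `f.ReadDir(s)` and `f.ReadFile(...)`, which is exactly how the bug this hunk fixes (reading from `services` regardless of which FS was passed) went unnoticed: a wrong directory name yields an empty map and the caller quietly installs nothing. Because `f` is an `embed.FS`, a failure here is a build-time mistake rather than a runtime condition, so it should fail loudly: `files, err := f.ReadDir(s); if err != nil { panic(fmt.Sprintf("embedded dir %q: %v", s, err)) }` (needs `fmt`), with the same treatment for `ReadFile`. Alternatively return `(map[string][]byte, error)` and let `GetSystemServices`/`GetSshdConfig` propagate it to the installer.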
@@ -17,3 +17,10 @@ func TestSystemServices(t *testing.T) { t.Fatalf("invalid number of entries") } } + +func TestSshdConfig(t *testing.T) { + m := GetSshdConfig() + if len(m) != 1 { + t.Fatalf("invalid number of entries") + } +} diff --git a/contrib/sshd/10-ssh-tpm-agent.conf b/contrib/sshd/10-ssh-tpm-agent.conf index ce9f64b..26c2529 100644 --- a/contrib/sshd/10-ssh-tpm-agent.conf +++ b/contrib/sshd/10-ssh-tpm-agent.conf @@ -1,5 +1,6 @@ # This enables TPM sealed host keys HostKeyAgent /var/tmp/ssh-tpm-agent.sock -HostKey /etc/ssh/keys/ssh_host_ecdsa_key.pub -HostKey /etc/ssh/keys/ssh_host_rsa_key.pub + +HostKey /etc/ssh/ssh_tpm_host_ecdsa_key.pub +HostKey /etc/ssh/ssh_tpm_host_rsa_key.pub diff --git a/utils/utils.go b/utils/utils.go index 0b85994..298282d 100644 --- a/utils/utils.go +++ b/utils/utils.go @@ -48,7 +48,7 @@ func FileExists(s string) bool { // but here we are. func fmtSystemdInstallPath() string { DESTDIR := "" - PREFIX := "/usr/local" + PREFIX := "/usr/" if s, ok := os.LookupEnv("DESTDIR"); ok { DESTDIR = s } @@ -163,7 +163,7 @@ func InstallSshdConf() error { return nil } - files := contrib.GetSystemServices() + files := contrib.GetSshdConfig() for name := range files { ff := path.Join(sshdConfInstallPath, name) if FileExists(ff) {
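Review bot: `TestSshdConfig` only pins the entry count, so the test cannot tell whether the embedded file is actually the drop-in the installer expects. Pin the key and a marker from its content as well: `b, ok := m["10-ssh-tpm-agent.conf"]; if !ok || !bytes.Contains(b, []byte("HostKeyAgent")) { t.Fatalf("missing sshd drop-in") }`.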
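Review bot: The new `HostKey` lines point sshd at `/etc/ssh/ssh_tpm_host_ecdsa_key.pub` and `/etc/ssh/ssh_tpm_host_rsa_key.pub`, but nothing in this diff shows those `.pub` files being produced — the `ssh-tpm-keygen -A` output quoted in the README logs only the `.tpm` files — so confirm the public halves are written, otherwise sshd logs "Could not load host key" at startup and refuses to start if no other host key is configured. Separately, the retained `HostKeyAgent /var/tmp/ssh-tpm-agent.sock` places the agent socket in a world-writable sticky directory where an unprivileged local user can pre-create the path; depending on how the socket unit handles a pre-existing file that either blocks the agent from binding or lets a squatter accept sshd's signing requests (a denial of service, since it cannot sign with the real key). A root-owned runtime directory such as `/run/ssh-tpm-agent/agent.sock` would avoid that; if `/var/tmp` must stay, add a comment explaining why and where the socket's owner/mode is enforced.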
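Review bot: Changing the default `PREFIX` to `/usr/` makes the units land in `/usr/lib/systemd/system`, the tree owned by the distribution package manager; for a tool that installs itself by hand the conventional targets are `/usr/local/lib/systemd/system` (the previous default) or `/etc/systemd/system`, and files dropped into `/usr/lib` can be clobbered on the next package upgrade or flagged by `rpm -V`/`dpkg -V`. The trailing slash in `"/usr/"` is harmless if the path is assembled with `path.Join`, but the rest of `fmtSystemdInstallPath` is outside the hunk so I cannot confirm that; `"/usr"` is the safer spelling either way. If `/usr` is intentional for packaging, make it overridable the same way `DESTDIR` already is: `if s, ok := os.LookupEnv("PREFIX"); ok { PREFIX = s }`.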
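Review bot: `InstallSshdConf` now correctly iterates `contrib.GetSshdConfig()`, but a drop-in under `/etc/ssh/sshd_config.d` is only honored if the main `/etc/ssh/sshd_config` carries `Include /etc/ssh/sshd_config.d/*.conf` (shipped by recent Debian/Ubuntu and Fedora defaults, not universally), so the install can report success while sshd keeps ignoring the TPM host keys. Consider checking for that `Include` directive and returning an error or printing a warning when it is absent, and recommending `sshd -t` before the restart. The function's body continues outside the hunk, so the existing-file branch and the mode the drop-in is written with (it should be root-owned 0644 under the root-owned directory) could not be checked here.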