Releases: Foxboron/ssh-tpm-agent
v0.7.0
Changelog
- The fedora path to
gnome-ssh-askpass
has beeen addeed - Some prompts with the
pin
terminology has been changed topassphrase
ssh-tpm-agent
has now learned to cache passphrases. This can be disabled by passing--no-cache
.ssh-tpm-keygen -A
will now use the correctly create an ECDSA key
Generated list of changes
What's Changed
- feat: add Fedora gnome-ssh-askpass path to search list by @umglurf in #60
- Use passphrase terminology, not PIN by @dcousens in #57
- agent: learn to cache userauths for TPM keys by @Foxboron in #61
- agent: Remove duplicate
--print-pubkey
in usage by @stigtsp in #63 - Fix building by @quite in #64
New Contributors
Full Changelog: v0.6.0...v0.7.0
v0.6.0
The release is signed with C100 3466 7663 4E80 C940 FB9E 9C02 FF41 9FEC BE16
.
New Features
Support for SSH certificates
ssh-tpm-add
will now look for cert.pub
files in the working directory when adding new files to the agent. The agent has also learned how to show the certificates to the ssh client.
Support for ssh-tpm-ca-authority
ssh-tpm-ca-authority
is a project to try and provision short-lived device and identity bound SSH certificates. It's currently POC quality, but ssh-tpm-add
has learned how to fetch these certificates for demo purposes.
Misc fixes
- The askpass prompt will now be the standard openssh prompt string. This is to enable caching implemented by some agents.
Bug fixes
- askpass programs will now be looked for in the
SSH_ASKPASS
environment flag as intended. ssh-tpm-agent
would not report any errors if it failed to find an askpass binary. This has been fixed
Full Changelog: v0.5.0...v0.6.0
v0.5.0
The release is signed with C100 3466 7663 4E80 C940 FB9E 9C02 FF41 9FEC BE16
.
⚠️ Breaking Changes ⚠️
With the continued development of go-tpm-keyfiles
there was several issues
with the key format that ssh-tpm-keygen
previously generated.
This has been corrected however supporting older keys is going to be hard. So
please recreate any keys you have made with previous releases.
Sorry for the bother, but as the keys are now properly compatible with the other
tss keys this should not happen in the future.
Changes
The pinentry
usage in ssh-tpm-agent
has been replaced with askpass
. This
requires you to have a askpass
binary installed for GUI password prompts to
display.
This also features a rework of all the prompts in ssh-tpm-keygen
.
The TPM interaction in ssh-tpm-keygen
has now fully moved to go-tpm-keyfiles
.
https://github.com/Foxboron/go-tpm-keyfiles
Beware, dragons.
New Features
Better support for ssh-add
in ssh-tpm-agent
Previously there was several stubbed functions in ssh-tpm-agent
that made for
a broken support when flags like ssh-add -d
was used. This has been fixed and
ssh-tpm-agent
should now properly support, and with the proxy support should
forward, all ssh-agent
commands properly.
Creating and importing wrapped keys
ssh-tpm-keygen
has learned how to create wrapped keys. Wrapped keys are keys
that can be created remotely and can be imported by the client. The wrapped keys
are only importable by the given TPM and can't be recovered by anyone else.
The way this work is that the client shares the public key of a given TPM
hierarchy, created by tpm2_createprimary
, which is shared. The remote machine
can then create a SSH key with ssh-keygen
, or a key with openssl
, which is
wrapped by ssh-tpm-keygen
.
Creation of the shared secret under the owner hierarchy with a SRK, this needs
to be done on the client and shared with the remote machine.
$ tpm2_createprimary -C o -G ecc -g sha256 -c prim.ctx -a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda' -f pem -o srk.pem
Creation of a key on the remote end:
$ ssh-keygen -t ecdsa -b 256 -N "" -f ./ecdsa.key
# OR with openssl
$ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out ecdsa.key
# Wrap with ssh-tpm-keygen
$ ssh-tpm-keygen --wrap-with srk.pub --wrap ecdsa.key -f wrapped_id_ecdsa
Which can then be imported on the client side through ssh-tpm-keygen --import
:
$ ssh-tpm-keygen --import ./wrapped_id_ecdsa.tpm --output id_ecdsa.tpm
A usecase for this can be for provisioning purposes in an enterprise setting
where the clients are under central control and you want to provision with a
centrally controlled SSH key that can only be used by a single machine.
Please note that establishing some sort of trust between the remote and client
is a non-trivial problem.
Initial support for key creation under a given parent handle
With the support for importing wrapped keys, ssh-tpm-keygen
has gotten
--parent-handle
to create ssh keys under a given TPM hierarchy.
Support for persistent handles is not fully implemented yet.
Support for ssh-tpm-keygen --print-pubkey
With the support for using wrapped and/or imported keys, ssh-tpm-keygen
has
now learned a new flag --print-pubkey
that will list the authorized keys
version of a given TPM key.
v0.4.0
The release is signed with C100 3466 7663 4E80 C940 FB9E 9C02 FF41 9FEC BE16
.
New Features
Owner password support
Passing --owner-password
to ssh-tpm-agent
or ssh-tpm-add
will query for the owner password for the SRK.
Stubbing out missing ssh-agent
functions
Fixed a bug where using ssh-add
with ssh-tpm-agent
would fail as the proxy operations where not implemented.
What's Changed
New Contributors
Full Changelog: v0.3.1...v0.4.0
v0.3.1
Bugfix release
- Missing
go-tpm-keyfile
update meant the key descriptions where not included in the keys. - Ensure we are always setting a minimum bitlength value for keys.
- Ensure
-f
is treated as an aboslute path, and not have the ssh path appended.
What's Changed
- ssh-tpm-keygen: set default number of bits for ecdsa and rsa by @stigtsp in #44
- contrib/services/user/ssh-tpm-agent.service: fix SSH_AUTH_SOCK path by @nl6720 in #45
New Contributors
Full Changelog: v0.3.0...v0.3.1
v0.3.0
The release is signed with C100 3466 7663 4E80 C940 FB9E 9C02 FF41 9FEC BE16
.
⚠️ Breaking Changes ⚠️
The key format has been changed from the custom binary format to the TPM 2.0 Key
files specification. Keys from v0.1.0
and v0.2.0
are no longer supported and
ssh-tpm-agent
will give you a warning when it finds such a key.
The reason for this change is that the older format was a custom binary format
that doesn't support TPM key policies and authpolicies that will be needed in
the future. The format would have to be versioned at some point so using an
established format makes more sense.
This change also creates incompatible TPM keys without a hardcoded signature
schemes. This allows us to support other hashing algorithms instead of always
relying on sha256
.
This change also changes the TPM primary key from being RSA or ECDSA to
always standardizing on a NIST-P256 primary key.
For the spec:
https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
The library for the key format:
https://github.com/Foxboron/go-tpm-keyfiles
New Features
Support for ecdsa 384 and 521 bit lengths
ECDSA p384
and p521
keys are now supported. They can be created with a the
-b
switch.
λ ~ » ssh-tpm-keygen -t ecdsa -b 384
λ ~ » ssh-tpm-keygen -t ecdsa -b 521
Note that the availability of the different bit lengths depends on the TPM
available on the system. Use ssh-tpm-keygen --supported
to list supported bit
lengths.
λ ~ » ssh-tpm-keygen --supported
ecdsa bit lengths: 256 384
rsa bit lengths: 2048
What's Changed
- Support p256, p384 and p521 by @Foxboron in #40
- Move key format to ASN.1 TPM Keys by @Foxboron in #41
Full Changelog: v0.2.0...v0.3.0
ssh-tpm-agent v0.2.0
The release is signed with C100 3466 7663 4E80 C940 FB9E 9C02 FF41 9FEC BE16
.
New Features
Agent proxying
ssh-tpm-agent
now allows ssh-agent proxying through the -A
option. This allows ssh-tpm-agent
to forward signing requests to other agents that supports other key types then the TPM keys. This is practical to keep one socket as a main socket while still not having to abandon non-TPM sealed keys.
Key import
ssh-tpm-keygen
has gotten an --import
command to allows people to import RSA2048 and ecdsa keys created by ssh-keygen
.
RSA key support
ssh-tpm-agent
now supports rsa2048
keys. TPMs usually do not support anything above 2048 bit strength, I recommend the ecdsa keys instead but someone might want RSA keys I guess.
Host Key support
This release implements support for TPM sealed host keys. ssh-tpm-hostkeys
shows host keys and installs system global services, and configuration for sshd
, to use ssh-tpm-agent
as a system daemon. ssh-tpm-keygen -A
creates ecdsa and RSA host keys.
What's Changed
- Use $XDG_RUNTIME_DIR or /var/tmp/ by default for socket by @stigtsp in #5
- keygen: Use term.ReadPassword() when reading PIN by @stigtsp in #6
- Update README.md: fix typo in releases url by @jrwren in #7
- README: fix install example command by @stigtsp in #8
- agent: Allow password-caching in pinentry by @stigtsp in #11
- ssh-tpm-agent: Add ssh-agent proxy functionality with -A by @Foxboron in #13
- agent: add --key-dir as a flag, and warn if key dir is a symlink. by @andersju in #14
- Support RSA keys by @Foxboron in #17
- Implement import of existing keys by @Foxboron in #16
- Support comments in keys by @Foxboron in #18
- Socket activation and --install-user-units by @Foxboron in #19
- Implement ssh-tpm-add by @Foxboron in #21
- Fix typos and code formatting in README by @dcousens in #22
- Fix .tpm suffix in ssh-tmp-keygen by @rafiramadhana in #27
- LoadKeys() use env + slog.Debug + refactor by @jtagcat in #24
New Contributors
- @stigtsp made their first contribution in #5
- @jrwren made their first contribution in #7
- @Foxboron made their first contribution in #13
- @andersju made their first contribution in #14
- @dcousens made their first contribution in #22
- @rafiramadhana made their first contribution in #27
- @jtagcat made their first contribution in #24
Full Changelog: v0.1.0...v0.2.0
v1.0.0-rc2
Full Changelog: v1.0.0-rc1...v1.0.0-rc2
v1.0.0-rc1
Release candidate.
What's Changed
- Use $XDG_RUNTIME_DIR or /var/tmp/ by default for socket by @stigtsp in #5
- keygen: Use term.ReadPassword() when reading PIN by @stigtsp in #6
- Update README.md: fix typo in releases url by @jrwren in #7
- README: fix install example command by @stigtsp in #8
- agent: Allow password-caching in pinentry by @stigtsp in #11
- ssh-tpm-agent: Add ssh-agent proxy functionality with -A by @Foxboron in #13
- agent: add --key-dir as a flag, and warn if key dir is a symlink. by @andersju in #14
- Support RSA keys by @Foxboron in #17
- Implement import of existing keys by @Foxboron in #16
- Support comments in keys by @Foxboron in #18
- Socket activation and --install-user-units by @Foxboron in #19
- Implement ssh-tpm-add by @Foxboron in #21
New Contributors
- @stigtsp made their first contribution in #5
- @jrwren made their first contribution in #7
- @Foxboron made their first contribution in #13
- @andersju made their first contribution in #14
Full Changelog: v0.1.0...v1.0.0-rc1
ssh-tpm-agent v0.1.0
This is the initial release of ssh-tpm-agent
.
It provides an ssh-agent compatible agent that serves TPM sealed keys to ssh servers.
Still WIP/experimental, please do not package.