TPM keys and user presence
James Bottomley
James.Bottomley at HansenPartnership.com
Sun Jul 6 00:42:27 AEST 2025
On Sat, 2025-07-05 at 10:55 +0200, Anton Khirnov wrote:
> Quoting Brian Candler (2025-07-05 09:39:13)
> > On 05/07/2025 06:52, Anton Khirnov wrote:
> > > - I have to enter the PIN on every use, which is highly
> > >   inconvenient and increases the likelihood the entry will be
> > >   observed (e.g. in a public environment with cameras)
> > > - the key is in the agent and PIN is not required, then any
> > >   program that can access the agent can silently SSH all it wants
> >
> > If the private key is actually in the agent, then you can flag that
> > key to require confirmation on each use. With a normal key, it
> > would be "ssh-add -c". That normally just means clicking "OK"; you
> > don't have to enter a PIN.
>
> Thank you, that seems to be exactly what I was looking for.

The ssh community has rejected many approaches to TPM-based keys, so
the easiest way to use them is to use gpg-agent (for any 2.4 and up
version of gpg) as the ssh agent backend and then simply use the gpg
keytotpm command on keys you want to become only TPM accessible.

> > I don't know how easy it would be for a rogue program that
> > accesses the socket to spoof the confirmation too.
>
> Seems that askpass does forbid ptrace on itself, so attaching with
> gdb and calling exit(0) does work. As, presumably, would be injecting
> appropriate x11 events into its window.
> But still, I'd say it raises the barrier quite significantly.
>
> > However, I don't use a TPM, and I'm surprised that the TPM allows
> > the private key to be released to the agent in the first place.
>
> I don't think it does, AFAIU the agent only contains some sort of a
> handle rather than the actual private key. But then again I don't
> have a complete grasp on how all the pieces work, so it'd be nice if
> someone more knowledgeable could confirm this.

That's right, the way gpg-agent and all other patches to ssh that I've
seen work is that once the private key is converted to TPM form, it is
loaded into the TPM and the TPM itself performs signing and decryption
functions (of the shared symmetric key, not bulk decryption). Once a
key is converted to TPM form, it can never be converted back again
(which is how it is secured) and it is only usable on the one TPM that
converted it. Note this means that if you want to have keys on
multiple laptops, you need an offline master that you convert to TPM
form on each laptop you want to use it on.

Regards,
James
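
Added example, not part of the original message and not GnuPG's own code: when gpg-agent is the ssh agent backend, the per-use confirmation that "ssh-add -c" requests is recorded as the `confirm` flag in gpg-agent's `sshcontrol` file. The script below lists enabled entries that lack that flag; the keygrips in the sample are constructed, the function names are hypothetical, and it assumes keys are enabled for ssh through `sshcontrol`.

```shell
#!/bin/sh
# Audit a gpg-agent sshcontrol file for keys usable without confirmation.
# Entry format per the gpg-agent documentation: [!]KEYGRIP [TTL] [FLAGS]
# where KEYGRIP is 40 hex digits and the only defined flag is "confirm".

# unconfirmed_keys FILE
# Prints one keygrip per enabled entry that lacks the confirm flag, and
# "malformed: TOKEN" for entries whose first field is not a keygrip.
unconfirmed_keys() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }      # blank lines and comments
        $1 ~ /^!/            { next }      # "!" prefix: entry is disabled
        {
            grip = $1
            if (length(grip) != 40 || grip !~ /^[0-9A-Fa-f]+$/) {
                print "malformed: " grip
                next
            }
            confirmed = 0
            # TTL and flags are both optional, so scan every later field.
            for (i = 2; i <= NF; i++)
                if ($i == "confirm") confirmed = 1
            if (!confirmed) print grip
        }
    ' "$1"
}

# Constructed sample input (these are not real keygrips).
sample_sshcontrol() {
    cat <<'EOF'
# constructed sshcontrol sample
0123456789ABCDEF0123456789ABCDEF01234567 0 confirm
89ABCDEF0123456789ABCDEF0123456789ABCDEF 600
!FEDCBA9876543210FEDCBA9876543210FEDCBA98
00112233445566778899AABBCCDDEEFF00112233
EOF
}

# Demo run on the constructed sample.
demo_file=$(mktemp)
sample_sshcontrol > "$demo_file"
unconfirmed_keys "$demo_file"
rm -f "$demo_file"
```

To check a real setup, point the function at the agent's own file, e.g. `unconfirmed_keys "$(gpgconf --list-dirs homedir)/sshcontrol"`.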