TPM keys and user presence
Wiktor Kwapisiewicz
wiktor at metacode.biz
Mon Jul 7 17:57:09 AEST 2025
Hi folks,
On 7.07.2025 08:35, Damien Miller wrote:
>> For TPM2, see here:
>>
>> https://github.com/Foxboron/ssh-tpm-agent
>
> There are also ways to do it via PKCS#11, which lets you use the stock
> OpenSSH ssh-agent.
One thing to keep in mind when choosing between agents is that the
stock one implements some additional extensions, such as destination
constraints [0] or confirmation before key use (mentioned earlier in
this thread), which are rarely implemented in non-stock clients [1].
As much as I like Foxboron's work (here, and elsewhere), I'm wondering
how much work it would be to expose only the key operations via a custom
PKCS#11 .so and leave the rest of the key logic in the stock agent...
[0]: https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.agent
[1]: https://github.com/Foxboron/ssh-tpm-agent/blob/master/agent/gocrypto.go#L30
>> I'd only recommend going down the GPG path if you're already
>> established and invested in the GPG infrastructure/setup, but never
>> for beginners.
>
> +1
Agreed, James did an astounding job adding TPM to GnuPG, but in my
experience GnuPG is orders of magnitude more complex than OpenSSH, and
given their recent fork of OpenPGP into https://librepgp.org/ I'm not
sure if it's solid ground to build on.
Kind regards,
Wiktor
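Added illustration, not part of Wiktor's message or of either project's code: the two stock-agent constraints the message mentions (confirmation before key use and a key lifetime) travel inside the SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED request that `ssh-add -s <provider.so> -c -t <secs>` sends, as laid out in PROTOCOL.agent [0]. The encoder below builds that request and the decoder shows what a replacement agent (TPM-backed or otherwise) must do with it. Destination constraints ride in the SSH_AGENT_CONSTRAIN_EXTENSION slot under the name restrict-destination-v00@openssh.com; the toy agent here does not implement that extension and therefore refuses the request, which is the safe choice, since an extension body has no self-describing length and cannot be skipped. The provider path and PIN are constructed placeholders.

```python
import struct

# Message and constraint numbers as given in OpenSSH's PROTOCOL.agent.
SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED = 26
SSH_AGENT_CONSTRAIN_LIFETIME = 1
SSH_AGENT_CONSTRAIN_CONFIRM = 2
SSH_AGENT_CONSTRAIN_EXTENSION = 255


def put_string(data: bytes) -> bytes:
    """SSH wire 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_add_smartcard_key(provider: str, pin: str,
                            lifetime=None, confirm=False) -> bytes:
    """Encode the request ssh-add sends for 'ssh-add -s <provider> [-t secs] [-c]'.

    Constraints follow the provider path and PIN and run to the end of the
    payload; the whole payload is framed as one string (uint32 length + bytes).
    """
    payload = bytes([SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED])
    payload += put_string(provider.encode()) + put_string(pin.encode())
    if lifetime is not None:
        payload += bytes([SSH_AGENT_CONSTRAIN_LIFETIME]) + struct.pack(">I", lifetime)
    if confirm:
        payload += bytes([SSH_AGENT_CONSTRAIN_CONFIRM])
    return put_string(payload)


class Reader:
    """Minimal cursor over an SSH wire buffer."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError("truncated message")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def u32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]

    def string(self) -> bytes:
        return self.take(self.u32())

    def eof(self) -> bool:
        return self.pos == len(self.buf)


def parse_add_smartcard_key(msg: bytes) -> dict:
    """Agent-side decoding of the request, returning the constraints it carries.

    An agent that does not understand a constraint must refuse the whole
    request: loading the key anyway would grant more than the user asked for.
    """
    outer = Reader(msg)
    payload = outer.string()
    if not outer.eof():
        raise ValueError("trailing bytes after framed message")
    r = Reader(payload)
    if r.u8() != SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED:
        raise ValueError("not an add-smartcard-key-constrained request")
    req = {"provider": r.string().decode(), "pin": r.string().decode(),
           "lifetime": None, "confirm": False}
    while not r.eof():
        ctype = r.u8()
        if ctype == SSH_AGENT_CONSTRAIN_LIFETIME:
            req["lifetime"] = r.u32()
        elif ctype == SSH_AGENT_CONSTRAIN_CONFIRM:
            req["confirm"] = True
        elif ctype == SSH_AGENT_CONSTRAIN_EXTENSION:
            name = r.string().decode(errors="replace")
            # This toy agent implements no extensions (destination constraints
            # arrive here as restrict-destination-v00@openssh.com), so refuse.
            raise ValueError(f"unsupported constraint extension: {name}")
        else:
            raise ValueError(f"unknown constraint type {ctype}")
    return req


if __name__ == "__main__":
    # Constructed placeholder provider path and PIN.
    m = build_add_smartcard_key("/path/to/pkcs11-provider.so", "1234",
                                lifetime=600, confirm=True)
    print(m.hex())
    print(parse_add_smartcard_key(m))
```

The point for anyone reimplementing an agent: `confirm` and `lifetime` are properties of the loaded key that every later sign request has to honour, so an agent that parses this message but then ignores those fields, as the non-stock clients referenced in [1] tend to, silently removes the user-presence check the user configured.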