simple-tpm-pk11

Protect SSH keys with a TPM.

  • Links

https://github.com/ThomasHabets/simple-tpm-pk11
https://blog.habets.se/2013/11/TPM-chip-protecting-SSH-keys---properly

  • Build
$ sudo apt-get install tpm-tools libtspi-dev libopencryptoki-dev libssl-dev autoconf libtool

$ git clone https://github.com/ThomasHabets/simple-tpm-pk11.git
$ cd simple-tpm-pk11
$ sh ./bootstrap.sh
$ ./configure
$ make
$ sudo make install

  • Setup
$ tpm_version
$ tpm_takeownership -z

Set your owner password when prompted.

$ tpm_changeownerauth -s -r
$ mkdir ~/.simple-tpm-pk11
$ stpm-keygen -o ~/.simple-tpm-pk11/my.key
Modulus size: 256
Exponent size: 3
Size: 2048
Blob size: 559

$ echo key my.key > ~/.simple-tpm-pk11/config
$ echo -e "\nHost *\n    PKCS11Provider /usr/local/lib/libsimple-tpm-pk11.so" >> ~/.ssh/config

- Using shell.example.com as the example host

$ ssh-keygen -D /usr/local/lib/libsimple-tpm-pk11.so | ssh shell.example.com tee -a .ssh/authorized_keys
$ ssh shell.example.com    # Unless you have an ssh-agent with other keys, this will use the hardware-protected key.

The SSH key used to connect to shell.example.com is now stored in and protected by the TPM.
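The two `echo` lines in the Setup section append unconditionally, so running them twice leaves duplicate `PKCS11Provider` entries in `~/.ssh/config`, and `echo -e` is not portable. The script below is an added example, not part of simple-tpm-pk11 or the original page: it writes the same client-side configuration idempotently and sets the directory and file permissions ssh expects. The provider path `/usr/local/lib/libsimple-tpm-pk11.so` and the key name `my.key` come from the page; the function names and the use of a temporary directory in place of `$HOME` are assumptions made here.

```shell
#!/bin/sh
# Added example (not project code): idempotent client-side setup for
# simple-tpm-pk11. Provider path and key name are taken from the page;
# function names are assumptions of this example.

PROVIDER="${PROVIDER:-/usr/local/lib/libsimple-tpm-pk11.so}"

# write_pk11_config DIR KEYNAME
# Creates DIR (mode 0700, so other local users cannot read the key blob)
# and writes "key KEYNAME" to DIR/config only if that line is not there yet.
write_pk11_config() {
    dir=$1
    key=$2
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    if [ -f "$dir/config" ] && grep -q "^key $key\$" "$dir/config"; then
        return 0
    fi
    printf 'key %s\n' "$key" >> "$dir/config"
}

# add_ssh_provider SSH_CONFIG PROVIDER_PATH
# Appends the "Host *" / "PKCS11Provider" block only when the file has no
# PKCS11Provider line, and keeps the config 0600 as ssh requires.
add_ssh_provider() {
    cfg=$1
    prov=$2
    mkdir -p "$(dirname "$cfg")" || return 1
    [ -f "$cfg" ] || : > "$cfg"
    chmod 600 "$cfg" || return 1
    if grep -q "^[[:space:]]*PKCS11Provider[[:space:]]" "$cfg"; then
        return 0
    fi
    printf '\nHost *\n    PKCS11Provider %s\n' "$prov" >> "$cfg"
}

# count_provider_lines SSH_CONFIG
# Prints how many PKCS11Provider lines the file contains (0 if none).
count_provider_lines() {
    grep -c "^[[:space:]]*PKCS11Provider[[:space:]]" "$1" || true
}

# check_provider_present PROVIDER_PATH
# Returns 0 if the shared object exists and is readable; ssh will fail to
# load the provider otherwise, so this is worth checking before editing config.
check_provider_present() {
    [ -r "$1" ]
}

# Stand-alone use against the real home directory, as in the Setup section:
#   write_pk11_config "$HOME/.simple-tpm-pk11" my.key
#   add_ssh_provider "$HOME/.ssh/config" "$PROVIDER"
```

Run the two `write_pk11_config` and `add_ssh_provider` calls as often as you like; the second and later invocations change nothing, which is what you want from a setup script kept under version control or run by configuration management.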

  • Alternatives to a TPM
    • Using a Gnuk token

SSH with a Gnuk token
http://www.janog.gr.jp/meeting/janog35/index.php/download_file/view/94/202/