## SSH Authentication with TPM 2.0 and PKCS#11 on Arch Linux

Hardware: a TPM 2.0 module based on the Infineon SLB9665 cryptographic processor, available in the system as `/dev/tpmrm0`.

### Installation

Required software:

```
# pacman -S tpm2-tools tpm2-pkcs11
```

Note: the configuration is lost upon system re-installation. Restoring `$HOME/.tpm2_pkcs11` from a backup did not help; as a side effect, a new public key has to be generated and all hosts updated with the new key.

Add the user to the `tss` group, then log out and back in to activate the change:

```
# usermod -aG tss user
```

### 1. Initialize store

In order to use the *tpm2-pkcs11* library we need to initialize a store, which creates a primary object and maps it to a slot. The store defaults to `$HOME/.tpm2_pkcs11`:

```
$ tpm2_ptool init
action: Created
id: 1
```

To create the store in another location, set the `TPM2_PKCS11_STORE` environment variable.

### 2. Create token

Create a token using the primary object id from the previous step and a unique token identifier, the *label*:

```
$ tpm2_ptool addtoken --pid=1 --label=ssh --sopin='admin-password' --userpin='user-password'
```

### 3. Create key

Add the key object under the token:

```
$ tpm2_ptool addkey --algorithm=rsa2048 --label=ssh --userpin='user-password'
```

To view all available algorithms, use

```
$ tpm2_ptool addkey --help
```

### 4. Export the public key

The following command exports the public key:

```
$ ssh-keygen -D /usr/lib/pkcs11/libtpm2_pkcs11.so
```

### Test

Log in via SSH, using the user PIN (`--userpin`) as the *PIN*:

```
$ ssh -I /usr/lib/pkcs11/libtpm2_pkcs11.so some.host.name
Enter PIN for 'ssh':
```

Optionally, add this key to the SSH agent:

```
$ ssh-add -s /usr/lib/pkcs11/libtpm2_pkcs11.so
```

### Other commands

#### List tokens

```
$ tpm2_ptool listtokens --pid 1
```

#### List objects

```
$ tpm2_ptool listobjects --label ssh
```

#### Delete token

```
$ tpm2_ptool rmtoken --label ssh
```

#### Change PIN

```
$ tpm2_ptool changepin --old 'user-password' --new 'new-user-password' --label ssh
```

___

#### References:

1. [tpm2-software community](https://tpm2-software.github.io/)
2. [SSH Configuration](https://github.com/tpm2-software/tpm2-pkcs11/blob/master/docs/SSH.md)
3. [tpm2-pkcs11 object & authorization model](https://github.com/tpm2-software/tpm2-pkcs11/blob/master/docs/tpm2-pkcs11_object_auth_model.md)
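The pre-flight checks a practitioner would run around steps 1 to 4 and the Test section, as an added example that is not part of the original post or of the tpm2-pkcs11 project: it verifies that the module, the `/dev/tpmrm0` device, the `tss` group membership and the store are all in place before `ssh-keygen -D` is attempted, filters the exported output down to well-formed public key lines, and renders an `ssh_config` stanza (the real `PKCS11Provider` option) so `-I` need not be typed on every login. The module path, store path, device name and host name are taken from the page; the function names and the sample `ssh-keygen -D` output are this example's own and the sample key blob is constructed, not a real key.

```shell
#!/usr/bin/env bash
# Added example (not from the post or tpm2-pkcs11): helpers around the
# tpm2-pkcs11 SSH setup. Paths default to the ones used on the page.

PKCS11_MODULE="${PKCS11_MODULE:-/usr/lib/pkcs11/libtpm2_pkcs11.so}"
TPM_DEVICE="${TPM_DEVICE:-/dev/tpmrm0}"
STORE_DIR="${TPM2_PKCS11_STORE:-$HOME/.tpm2_pkcs11}"

# Pure helper: is GROUP present in the whitespace-separated list printed by
# `id -nG`? Kept separate from the TPM checks so it can be tested offline.
user_in_group() {
  group="$1"
  for g in $2; do
    [ "$g" = "$group" ] && return 0
  done
  return 1
}

# Report whether this shell can actually use the module: shared object present,
# resource-manager device readable and writable, user in tss (a fresh login is
# needed after usermod), and the store initialised by `tpm2_ptool init`.
# Returns 0 when every check passes, 1 otherwise, printing one line per failure.
tpm_ssh_preflight() {
  rc=0
  [ -r "$PKCS11_MODULE" ] || { echo "missing PKCS#11 module: $PKCS11_MODULE"; rc=1; }
  { [ -c "$TPM_DEVICE" ] && [ -r "$TPM_DEVICE" ] && [ -w "$TPM_DEVICE" ]; } \
    || { echo "TPM device $TPM_DEVICE not accessible (tss group / udev rules?)"; rc=1; }
  user_in_group tss "$(id -nG)" || { echo "user not in group tss; log out and back in after usermod"; rc=1; }
  [ -d "$STORE_DIR" ] || { echo "store $STORE_DIR not initialised; run tpm2_ptool init"; rc=1; }
  return "$rc"
}

# Keep only stdin lines that are a complete OpenSSH public key
# (type, base64 blob, optional comment), so diagnostics printed by the
# module never end up in a remote authorized_keys file.
filter_pubkeys() {
  grep -E '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# Constructed sample of `ssh-keygen -D` output for offline testing: the key
# blob is NOT a real key, and the second line stands in for stray output.
SAMPLE_KEYGEN_OUTPUT='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedEXAMPLEblob== ssh
warning: constructed noise line that must not be exported'

# Run the filter over the constructed sample (offline demonstration).
demo_filtered_keys() {
  printf '%s\n' "$SAMPLE_KEYGEN_OUTPUT" | filter_pubkeys
}

# Emit an ssh_config stanza pointing one host at the module, replacing the
# `-I` option from the Test section. PKCS11Provider is a real OpenSSH option.
ssh_config_stanza() {
  printf 'Host %s\n    PKCS11Provider %s\n' "$1" "$PKCS11_MODULE"
}
```

Source the file and run `tpm_ssh_preflight && ssh-keygen -D "$PKCS11_MODULE" | filter_pubkeys` to obtain exactly the lines to place in the remote host's `authorized_keys`; `ssh_config_stanza some.host.name >> ~/.ssh/config` makes a plain `ssh some.host.name` prompt for the PIN as in the Test section.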