Thomas Habets has blogged about using your TPM (Trusted Platform Module) for SSH authentication a few weeks ago. We worked together to get his package simple-tpm-pk11 into Debian, and it has just arrived in unstable :-).
Using simple-tpm-pk11, you can let your TPM generate a key, which you then can
use for SSH authentication. This key will never leave the TPM, so it is safer
than having your key on the filesystem (e.g.
file system access is not enough to steal your key anymore. Instead, you’ll
need remote code execution.
To use this software, first make sure your TPM is enabled in the BIOS. In my ThinkPad X200 from 2008, the TPM is called “Security Chip”.
Afterwards, claim ownership of your TPM using
tpm-tools package) and enter a password. You will
not need to enter this password for every SSH authentication
later (but you may choose to set a separate password for that).
simple-tpm-pk11, create a key, set it as your
PKCS11Provider and install the public key on the host(s) where you want to use
mkdir ~/.simple-tpm-pk11 stpm-keygen -o ~/.simple-tpm-pk11/my.key echo key my.key > ~/.simple-tpm-pk11/config echo -e "\nHost *\n PKCS11Provider libsimple-tpm-pk11.so" >> ~/.ssh/config ssh-keygen -D libsimple-tpm-pk11.so | ssh shell.example.com tee -a .ssh/authorized_keys
You’ll now be able to ssh into shell.example.com without having the key for that on your file system :-).
In case you have any feedback about/troubles with the software, please feel free to contact Thomas directly.
I run a blog since 2005, spreading knowledge and experience for almost 20 years! :)
If you want to support my work, you can buy me a coffee.
Thank you for your support! ❤️