
Using SSH keys with TPM and Git

#ssh #git #security

Soc Virnyl Estela | 2024-05-05 | reading time: ~2min

So my mentor has already made a post about how to use TPMs in openSUSE.

I followed along a bit and did some weird stuff because it didn't work at first. It turned out I had made a typo and missed a flag 🥴

Now that it was all fixed, I was curious whether I could use the key to verify my identity on GitHub or any other forge, e.g. Codeberg. So I tried it on GitHub. Here is the process.

Adding the SSH public key to GitHub

First, you have to save the pubkey to your ~/.ssh directory:

ssh-keygen -D /usr/lib64/pkcs11/libtpm2_pkcs11.so.0 | tee ~/.ssh/id_ecdsa_tpm.pub

Then copy the SSH pubkey and add it at https://github.com/settings/ssh/new. For now, set it as an Authentication Key. Here, I use wl-copy to copy it to my system clipboard. Make sure you clear your system clipboard afterwards.

ssh-keygen -D /usr/lib64/pkcs11/libtpm2_pkcs11.so.0 | wl-copy

[Image: GitHub SSH AuthKey Section]

Next, we might want to use this key to sign git commits with SSH:

git config --global user.signingKey ~/.ssh/id_ecdsa_tpm.pub

Whether you sign your git commits is up to you. I do this globally:

git config --global commit.gpgsign true
git config --global gpg.format ssh
git config --global format.signOff true

Then, like before, add the SSH pubkey again as your signing key. Just select Signing Key as the key type.

[Image: GitHub SSH Signing Key Section]

Lastly, edit your ~/.ssh/config if you have one (or do something similar) so that it looks like the one below:

Host github.com
   User git
   PKCS11Provider /usr/lib64/pkcs11/libtpm2_pkcs11.so.0
   PasswordAuthentication no

Some Caveats

The issue with this configuration is that, as of now, ssh-agent can't add the private key automatically or permanently. So you have to run the command below manually after a reboot or when the ssh-agent key lifetime expires (if you set it up like that):

ssh-add -s /usr/lib64/pkcs11/libtpm2_pkcs11.so.0

ℹ️ You might want to configure that within your shell profile.

Once the private key is added, you can do basic SSH stuff with Git. 😄
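
The shell-profile suggestion above, sketched as an added example (not the author's own setup): it runs ssh-add -s only when the agent does not already hold the TPM key, so opening a new terminal does not prompt for the PIN again. The names key_in_listing, tpm_ssh_add, TPM_PKCS11_LIB and TPM_PUBKEY are assumptions; the paths are the ones used in this post.

```shell
# Added example for ~/.bashrc or similar; the paths are the ones used in this post.
TPM_PKCS11_LIB=${TPM_PKCS11_LIB:-/usr/lib64/pkcs11/libtpm2_pkcs11.so.0}
TPM_PUBKEY=${TPM_PUBKEY:-$HOME/.ssh/id_ecdsa_tpm.pub}

# key_in_listing PUBFILE
# Reads an `ssh-add -L` listing on stdin and succeeds if any key in PUBFILE
# appears in it. Only key type and base64 blob are compared, because the
# comment field shown by the agent can differ from the one in the .pub file.
key_in_listing() {
    awk '
        { key = $1 " " $2 }
        NR == FNR { if (NF >= 2) want[key] = 1; next }   # first file: PUBFILE
        key in want { found = 1 }                        # second file: stdin
        END { exit !found }
    ' "$1" -
}

# Load the TPM-backed key into the running agent only when it is missing.
tpm_ssh_add() {
    [ -n "$SSH_AUTH_SOCK" ] || return 0   # no agent in this session
    [ -r "$TPM_PUBKEY" ] || return 0      # public key not exported yet
    if ssh-add -L 2>/dev/null | key_in_listing "$TPM_PUBKEY"; then
        return 0                          # already loaded, nothing to do
    fi
    # ssh-add -s asks for the token PIN, so only try when stdin is a terminal.
    if [ -t 0 ]; then
        ssh-add -s "$TPM_PKCS11_LIB"
    fi
}

# Run only in interactive shells, so scripts and scp sessions never prompt.
case $- in
    *i*) tpm_ssh_add ;;
esac
```
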
