tssh manages TPM-backed keys that are ready to use with ssh. Its main focus is to be as stateless as possible by leveraging the fact that TPMs can derive keys deterministically. By default, tssh uses the username, hostname and port as the salt for key derivation, thereby ensuring that each host gets a unique public key. Furthermore, tssh ensures that the SSH server is offered only the key that belongs to it. Check further down for detailed diagrams.
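The two properties above, deterministic per-host derivation and offering a server exactly one key, are illustrated by the following example. It is added here and is not tssh's own code: the real derivation happens inside the TPM, so a constructed root secret, an HKDF over HMAC-SHA256 and the `~/.ssh/tssh` key layout are all assumptions standing in for it. The example shows why salting with `user@host:port` gives every host an unrelated key while repeated runs stay reproducible, and how an ssh_config stanza with `IdentitiesOnly` keeps ssh from also presenting every other key it can find.

```python
import hashlib
import hmac

# Constructed stand-in for the TPM's non-exportable primary seed.
# Assumption: tssh derives inside the TPM; this only models the idea.
ROOT_SECRET = hashlib.sha256(b"constructed-demo-root-secret").digest()


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract, then expand) over HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def host_label(user: str, host: str, port: int = 22) -> str:
    """The salt string: any change to user, host or port changes the key."""
    return f"{user}@{host}:{port}"


def derive_seed(user: str, host: str, port: int = 22) -> bytes:
    """Per-host key seed. Same inputs always yield the same 32 bytes, so
    nothing but the root secret has to be stored; different inputs yield
    seeds that are unrelated to one another."""
    return hkdf_sha256(
        ROOT_SECRET,
        salt=host_label(user, host, port).encode(),
        info=b"tssh-demo-ssh-key",  # hypothetical domain-separation label
    )


def ssh_config_stanza(user: str, host: str, port: int = 22,
                      key_dir: str = "~/.ssh/tssh") -> str:
    """ssh_config Host block that offers the server exactly one identity.

    Without IdentitiesOnly, ssh also tries every key held by the agent and
    the default files in ~/.ssh, which discloses unrelated public keys to
    the server. The key path layout is an assumption, not tssh's own."""
    return "\n".join([
        f"Host {host}",
        f"    HostName {host}",
        f"    Port {port}",
        f"    User {user}",
        f"    IdentityFile {key_dir}/{host_label(user, host, port)}.pub",
        "    IdentitiesOnly yes",
    ])


if __name__ == "__main__":
    # Constructed hosts: same host on two ports gets two different keys.
    for args in (("user", "example.com", 22), ("user", "example.com", 2222)):
        print(host_label(*args), derive_seed(*args).hex()[:16], "...")
    print(ssh_config_stanza("user", "example.com"))
```

`IdentityFile` may name the public half only; ssh then looks the private key up in the agent, which is how an agent-held, TPM-resident key is selected without the private material ever being on disk.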
Make sure you have installed the following libraries:
- SQLite3
- tpm2-tss
Furthermore, the binary must be allowed to use the TPM. This is typically achieved by adding the user to the TSS group.
Execute the following from the project root:
cargo install --path ./tssh/ --locked
nix flake check -L
Add the output of the following command to your ~/.ssh/config file:
localhost $> tssh include
Alternatively, if you don't mind losing your current configuration, you could simply run the following command:
localhost $> tssh include -q > ~/.ssh/config
You can now create an SSH public key using the following command:
localhost $> tssh create user@example.com
Please note that the above command may take several seconds to execute the first time it is run. This is because it tests which algorithms your TPM supports. Subsequent runs retrieve this information directly from the configuration stored in the SQLite database.
Type in the following command to extract the public key, which is ready to use:
localhost $> tssh get example.com
========== Key for user@example.com:22 =========
ecdsa-sha2-nistp384 AAAAE2 .........
Once you have informed example.com of the public key (e.g. by adding it to the authorised_hosts file), you can simply use SSH to log in:
localhost $> ssh user@example.com
user@example.com $>

- Key import
- Keys with pin
- Keys bound to hardware state (via PCR)
- Bundled builds
- Minimal build for better container support
- Backup key propagation
- Backup key login (with different backends: plain, bitwarden,.. etc.)
- Commandline completion
- Apple secure enclave support
The software is provided under GPLv3. Contributions to this project are accepted under the same license.