Skip to content

Instantly share code, notes, and snippets.

@ddrinka

ddrinka/1 SSH TPM.md

Last active November 18, 2019 23:28
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Raw
1 SSH TPM.md

Create a TPM-protected SSH key

Windows

Ensure TPM is available

tpm.msc

Create a private key in the TPM

# I've elected to allow a simple 4-digit numeric pin. Access to the TPM hardware is sufficient multi-factor for me.
tpmvscmgr create /name "{KEY NAME}" /pin prompt /adminkey random /generate /pinpolicy minlen 4 uppercase allowed lowercase allowed specialchars allowed

Create a certificate

request.inf

[NewRequest]
Subject = "CN={RECOGNIZABLE SUBJECT NAME}"
Keylength = 2048
Exportable = FALSE
UserProtected = TRUE
MachineKeySet = FALSE
ProviderName = "Microsoft Base Smart Card Crypto Provider"
ProviderType = 1
RequestType = CERT
KeyUsage = 0x80

Create and load the certificate

certreq -new -f request.inf

Install Putty CAC

https://github.com/NoMoreFood/putty-cac/releases

Choose the certificate to authenticate with

putty.exe -> Connection -> SSH -> Certificate
See Image Below
Save as default configuration

Deploy the authorized_keys

Within putty certificate configuration screen, copy the SSH Key to the clipboard
Drop it into ~/.ssh/authorized_keys on machines

SSH Agent

Configure Pageant

Enable Autoload Certs and Cert Auth Prompting

Configure Agent Forwarding

putty.exe -> Connection -> SSH -> Auth -> Allow agent forwarding
Save as default configuration

Make Pageant Start On Login

C:\Program Files\PuTTY\pageant.exe -> Send to Desktop (create shortcut)
Start -> Run -> shell:startup
Move the shortcut to the Startup folder just opened

Raw
SSH Yubikey.md

Create a Yubikey SSH key

Windows

Set a PIN / PUK

yubico-piv-tool.exe -a change-pin -P 123456
yubico-piv-tool.exe -a change-puk -P 12345678

Create the key

yubico-piv-tool.exe -a generate -s 9c -S "/CN=ddrinka-yubico/" --valid-days 3650 --touch-policy=always --pin-policy=once --pin-retries=8 --puk-retries=8 -o public.pem

Generate a self-signed certificate

yubico-piv-tool.exe -a verify -a selfsign -s 9c -S "/CN=ddrinka-yubico/" --valid-days 3650 -i public.pem -o cert.crt     #Touch the key to authorize
yubico-piv-tool.exe -a import-certificate -s 9c -i cert.crt

Verify certificate loaded on Yubikey

yubico-piv-tool.exe -a status

Load and verify certificate in Windows

certutil -scinfo   #After entering pin, touch the key to authorize

When Certificate List is displayed, click to view certificate, and install to "Personal".

Deploy the authorized_keys

Within putty certificate configuration screen, copy the SSH Key to the clipboard
Drop it into ~/.ssh/authorized_keys on machines

SSH Agent

Install Putty CAC

https://github.com/NoMoreFood/putty-cac/releases

Configure Pageant

Enable Autoload Certs and Cert Auth Prompting

Configure Agent Forwarding

putty.exe -> Connection -> SSH -> Auth -> Allow agent forwarding
Save as default configuration

Make Pageant Start On Login

C:\Program Files\PuTTY\pageant.exe -> Send to Desktop (create shortcut)
Start -> Run -> shell:startup
Move the shortcut to the Startup folder just opened

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment