{"id":17330261,"url":"https://github.com/foxboron/ssh-tpm-ca-authority","last_synced_at":"2025-07-27T00:04:52.211Z","repository":{"id":248383153,"uuid":"828521553","full_name":"Foxboron/ssh-tpm-ca-authority","owner":"Foxboron","description":"SSH Certificate Authority with device attestation","archived":false,"fork":false,"pushed_at":"2024-08-31T16:36:37.000Z","size":62,"stargazers_count":55,"open_issues_count":1,"forks_count":2,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-07-22T06:55:38.004Z","etag":null,"topics":["attestation","openssh","security","ssh","tpm"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Foxboron.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-07-14T12:06:28.000Z","updated_at":"2025-06-17T04:15:06.000Z","dependencies_parsed_at":null,"dependency_job_id":"37cb758b-8283-445a-af92-0401a58fd357","html_url":"https://github.com/Foxboron/ssh-tpm-ca-authority","commit_stats":null,"previous_names":["foxboron/ssh-tpm-ca-authority"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Foxboron/ssh-tpm-ca-authority","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Foxboron%2Fssh-tpm-ca-authority","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Foxboron%2Fssh-tpm-ca-authority/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Foxboron%2Fssh-tpm-ca-authority/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/
Foxboron%2Fssh-tpm-ca-authority/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Foxboron","download_url":"https://codeload.github.com/Foxboron/ssh-tpm-ca-authority/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Foxboron%2Fssh-tpm-ca-authority/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":267272245,"owners_count":24062435,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-26T02:00:08.937Z","response_time":62,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["attestation","openssh","security","ssh","tpm"],"created_at":"2024-10-15T14:50:49.125Z","updated_at":"2025-07-27T00:04:52.161Z","avatar_url":"https://github.com/Foxboron.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"ssh-tpm-ca-authority\n====================\n\nAn implementation of a certificate authority (CA) that issues SSH certificates bound to TPMs\nafter EK attestation.\n\n\nPOC quality. Very much a work in progress.\n\n# Setup\n\n### Create a CA\n```sh\nauthority$ ssh-tpm-keygen -f id_ecdsa\nauthority$ scp id_ecdsa.pub gibson.ellingson.com:/etc/ssh/ca_user_key.pub\n```\n\nTransfer `id_ecdsa.pub` to every remote server that is supposed to trust this user\nCA. Modify `/etc/ssh/sshd_config` to point at that public key. 
In this case we\nhave it stored as `/etc/ssh/ca_user_key.pub` on the remote server. Note that sshd will then accept any certificate signed by this CA for the principals it names, so the issuance policy on the authority is what actually restricts access.\n\n```\ngibson$ grep TrustedUserCAKeys /etc/ssh/sshd_config\nTrustedUserCAKeys /etc/ssh/ca_user_key.pub\n\ngibson$ systemctl restart sshd\n```\n\n### Setup CA Authority\n\nCreate a configuration that lists the valid hosts, the correct `ca_file` and the\nusers with access.\n\n```sh\nauthority$ cat config.yaml\n---\nhosts:\n  - host: gibson.ellingson.com\n    ca_file: id_ecdsa.tpm\n    users:\n      - user: zero_cool\n        oidc_connector: https://github.com/login/oauth\n        email: zero_cool@rightstrashing.com\n        ek: 000ba1d6910d32dbafb47e1365e8a84606aaefc9bb2404f4f99082f6284a9b33415b\n```\n\nThe Endorsement Key (EK) needs to be retrieved from each client machine. It's the\nhex encoding of the TPM Name of the EK public area (the `nameAlg` identifier followed by the digest of the public area; the leading `000b` is SHA-256). An example to retrieve it can be\nfound in `cmd/getek/main.go`.\n\n```sh\nclient$ go run ./cmd/getek\n000ba1d6910d32dbafb47e1365e8a84606aaefc9bb2404f4f99082f6284a9b33415b\n```\n\nThen run the CA authority.\n\nNote: It currently only listens on `http://127.0.0.1:8080`.\n\n```sh\nauthority$ ssh-tpm-ca-authority --config ./config.yaml\n```\n\nIn your `~/.ssh/config`, add a `Match` line for the hosts you want this to apply to.\nThis ensures `ssh-tpm-add` retrieves a certificate signed by the CA authority\nbefore authenticating to the host.\n\nNote: This requires unreleased changes to `ssh-tpm-agent`.\n\n```ssh\nMatch host gibson.ellingson.com exec \"ssh-tpm-add --ca 'http://127.0.0.1:8080' --host '%h' --user '%r'\"\n```\n\n`ssh-tpm-ca-authority` issues short-lived certificates that are valid for 5 minutes.\n\nThe end result should be a seamless connection to the remote host.\n\n```sh\nclient$ ssh zero_cool@gibson.ellingson.com\nLast login: Sun Jul 14 17:01:46 2024 from 192.168.1.1337\ngibson%\n```\n\n### Valid SSO values\n\nValid `oidc_connector` values are the issuers sigstore currently supports.\n\n- `https://github.com/login/oauth`\n- 
`https://accounts.google.com`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffoxboron%2Fssh-tpm-ca-authority","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffoxboron%2Fssh-tpm-ca-authority","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffoxboron%2Fssh-tpm-ca-authority/lists"}
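Worked example for the README's setup procedure above, added here as an illustration and not code from the ssh-tpm-ca-authority project: the policy gate a CA of this kind has to apply before it signs anything. It transcribes the README's `config.yaml` into Go by hand, checks that an EK value is a well-formed SHA-256 TPM Name (`000b` plus a 32-byte digest), shows how such a Name is derived from a marshalled public area, and refuses issuance unless host, user, OIDC issuer, e-mail and attested EK all match the enrolled entry. The `Request` type, the function names and the `another device` bytes are assumptions made for the example; the 5-minute validity window is the README's.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// tpmAlgSHA256 is TPM_ALG_SHA256, the nameAlg that prefixes a TPM 2.0 Name.
const tpmAlgSHA256 = 0x000b

// EnrolledEK is the EK name from the README's config.yaml, copied by hand.
const EnrolledEK = "000ba1d6910d32dbafb47e1365e8a84606aaefc9bb2404f4f99082f6284a9b33415b"

// certLifetime mirrors the README: certificates are valid for 5 minutes.
const certLifetime = 5 * time.Minute

// User and Host mirror hosts[].users[] and hosts[] in config.yaml.
type User struct {
	User, OIDCConnector, Email string
	EK                         string // hex TPM Name of the device's endorsement key
}

type Host struct {
	Host, CAFile string
	Users        []User
}

type Config struct{ Hosts []Host }

// Request is an assumed shape for what the client presents after OIDC login
// and EK attestation; it is not the project's wire format.
type Request struct{ Host, User, Issuer, Email, EKName string }

// Issued is the signing decision: principal and validity window in unix
// seconds, as in an OpenSSH certificate's valid_after/valid_before.
type Issued struct {
	Principal               string
	ValidAfter, ValidBefore uint64
}

// ParseName checks that a hex TPM Name is well-formed for nameAlg SHA-256:
// the 2-byte algorithm id 0x000B followed by a 32-byte digest.
func ParseName(h string) ([]byte, error) {
	b, err := hex.DecodeString(h)
	if err != nil {
		return nil, fmt.Errorf("ek name: %w", err)
	}
	if len(b) != 2+sha256.Size {
		return nil, fmt.Errorf("ek name: want %d bytes, got %d", 2+sha256.Size, len(b))
	}
	if alg := int(b[0])<<8 | int(b[1]); alg != tpmAlgSHA256 {
		return nil, fmt.Errorf("ek name: unsupported nameAlg 0x%04x", alg)
	}
	return b, nil
}

// NameFromPublic builds a Name the way the TPM does for a SHA-256 nameAlg:
// nameAlg || SHA256(marshalled TPMT_PUBLIC). Marshalling the public area is
// out of scope here; the caller supplies the bytes.
func NameFromPublic(tpmtPublic []byte) string {
	sum := sha256.Sum256(tpmtPublic)
	return fmt.Sprintf("%04x%s", tpmAlgSHA256, hex.EncodeToString(sum[:]))
}

// Authorize is the gate applied before signing: the host must be configured,
// the user entry must match the OIDC identity (issuer and email), and the
// attested EK must be the enrolled device. The user name alone is never
// enough, because the client chooses it.
func Authorize(cfg Config, r Request, now time.Time) (Issued, error) {
	if _, err := ParseName(r.EKName); err != nil {
		return Issued{}, err
	}
	for _, h := range cfg.Hosts {
		if h.Host != r.Host {
			continue
		}
		for _, u := range h.Users {
			if u.User != r.User {
				continue
			}
			if u.OIDCConnector != r.Issuer || u.Email != r.Email {
				return Issued{}, errors.New("OIDC identity does not match the user entry")
			}
			if u.EK != r.EKName {
				return Issued{}, errors.New("attested EK is not the enrolled device")
			}
			return Issued{
				Principal:   u.User,
				ValidAfter:  uint64(now.Unix()),
				ValidBefore: uint64(now.Add(certLifetime).Unix()),
			}, nil
		}
		return Issued{}, errors.New("user not configured for host")
	}
	return Issued{}, errors.New("host not configured")
}

// ExampleConfig is the README's config.yaml transcribed by hand.
func ExampleConfig() Config {
	return Config{Hosts: []Host{{
		Host: "gibson.ellingson.com", CAFile: "id_ecdsa.tpm",
		Users: []User{{
			User: "zero_cool", OIDCConnector: "https://github.com/login/oauth",
			Email: "zero_cool@rightstrashing.com", EK: EnrolledEK,
		}},
	}}}
}

func main() {
	req := Request{Host: "gibson.ellingson.com", User: "zero_cool",
		Issuer: "https://github.com/login/oauth", Email: "zero_cool@rightstrashing.com", EKName: EnrolledEK}
	iss, err := Authorize(ExampleConfig(), req, time.Now())
	fmt.Printf("enrolled device: %+v err=%v\n", iss, err)
	// Constructed bytes standing in for a different TPM's public area.
	req.EKName = NameFromPublic([]byte("another device"))
	_, err = Authorize(ExampleConfig(), req, time.Now())
	fmt.Println("different device:", err)
}
```

The order of checks matters: the EK value is validated structurally before any lookup, every mismatch is a refusal rather than a fall-through, and the validity window is computed only after the identity and device checks have both passed.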