tommy/thoughts
tommy/thoughts
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
thoughts/data/ssh-certs-apple-t2.md

95 lines
3.3 KiB
Markdown
Raw Normal View History

initial migration
2024-08-05 18:24:56 +00:00
## Key Takeaways
* SSH certificates can be used with the Apple T2 chip on
macOS as an alternative to external smart cards,
authenticated with a fingerprint per session.
* The Mac T2 chip serves as an extra security layer by creating
private keys in the secure enclave.
* The CA can be stored on an external smartcard, only
signing for access in a limited period - again limiting
the exposure.
## Introduction
Over the past days I have been going down a deep, deep
rabbit hole of SSH proxy jumping and SSH certificates
combined with smart cards.
After playing around with smart cards for SSH, I recognized
that not only external smart cards such as the Yubikey or
Nitrokey is a possible lane to go down.
Mac computers comes with a security chip called T2. This chip is
also known to host something Apple calls Secure Enclave [1]. In
the Secure Enclave you can store keys.
It will probably not serve as an equally secure solution as with
external smart cards, but it is a better balance for usability.
The T2 is permanently stored in hardware on one host only,
so the access needs to be signed on a per-host basis. In
such I would say the T2 and external smart cards complement
each other.
Always having the key available will bring two additional
vulnerabilities:
* If compromised, the key is always available logically
* Separation of equipment and key is not possible e.g. in a
travel situation
With a central pubkey directory tied to an identity
(automated), the T2 can be of better use for an enterprise
setup.
## Setting up a Private Key in Secure Enclave
While fiddling around I found sekey on Github [2]. The
project seems abandoned, but it is the secure enclave that
does the heavy lifting.
The short and easy setup are:
$ brew cask install sekey
$ echo "export SSH_AUTH_SOCK=$HOME/.sekey/ssh-agent.ssh" >> ~/.zshrc
$ echo "IdentityAgent ~/.sekey/ssh-agent.ssh" >> ~/.ssh/config
$ source ~/.zshrc
A keypair can now be generated in the secure enclave by:
$ sekey --generate-keypair SSH
$ sekey --list-keys
Now export the public key of the curve generated on-chip:
$ sekey --export-key <id> > id_ecdsa.pub
Using the trick we found in our recent venture into using
smart cards for signing the key, we can used PCKS#11 without
compromising security [3]. In this case I use a Nitrokey:
$ brew cask install opensc
$ PKCS11_MODULE_PATH=/usr/local/lib/opensc-pkcs11.so
$ ssh-keygen -D $PKCS11_MODULE_PATH -e > ca.pub
$ ssh-keygen -D $PKCS11_MODULE_PATH -s ca.pub -I example -n zone-web -V +1h -z 1 id_ecdsa.pub
Enter PIN for 'OpenPGP card (User PIN)':
Signed user key id_ecdsa-cert.pub: id "example" serial 1 for zone-web valid from 2020-10-14T20:26:00 to 2020-10-14T21:27:51
cp id_ecdsa-cert.pub ~/.ssh/
If you now try to ssh into a server using the given
certificate authority as shown in the SSH-CA post [3],
access should be granted with a fingerprint.
## A Word of Caution
The T2 has some vulnerabilities shown recently [4]. Make
sure to include these in your risk assessment of using
it. If you won't go down the smart card route it will still
be better than storing the key on disk.
[1] https://support.apple.com/guide/security/secure-enclave-overview-sec59b0b31ff/web
[2] https://github.com/sekey/sekey
[3] https://secdiary.com/2020-10-13-ssh-ca-proxyjump.html
[4] https://inks.cybsec.network/tag/t2
Reference in a new issue Copy permalink