Use Touch ID / Secure Enclave for SSH Authentication!

SeKey

About

SeKey is an SSH agent that allows users to authenticate to UNIX/Linux SSH servers using the Secure Enclave.

How it Works

The Secure Enclave is a hardware-based key manager that’s isolated from the main processor to provide an extra layer of security. When you store a private key in the Secure Enclave, you never actually handle the key, making it difficult for the key to become compromised. Instead, you instruct the Secure Enclave to create the key, securely store it, and perform operations with it. You receive only the output of these operations, such as encrypted data or a cryptographic signature verification outcome.

Limitations

  • Only supports MacBook Pro models with the Touch Bar and Touch ID
  • Can’t import preexisting keys
  • Stores only 256-bit elliptic curve private keys

Install

Homebrew

Unfortunately, I can't make a Homebrew formula because the Keychain API requires entitlements, so the binary has to be signed to work; you can still use Homebrew Cask.

Homebrew Cask

  1. Install SeKey:
brew cask install sekey
  2. Append the following line to your ~/.bash_profile or ~/.zshrc:
export SSH_AUTH_SOCK=$HOME/.sekey/ssh-agent.ssh

or

  2. Add the following line to your ~/.ssh/config or /etc/ssh/ssh_config:
IdentityAgent ~/.sekey/ssh-agent.ssh

Pkg Installer

  1. Go to Releases and download the pkg release
  2. Install the application using the pkg.
  3. Set environment variables and adjust the path to the SeKey folder:
export PATH=$PATH:/Applications/SeKey.app/Contents/MacOS
export SSH_AUTH_SOCK=$HOME/.sekey/ssh-agent.ssh

Manual Installation

  1. Go to Releases and download the zip release
  2. Place the App in the Applications folder.
  3. Go to ~/Library/LaunchAgents
  4. Create the file com.ntrippar.sekey.plist
  5. Paste the following into the file and fix the path of the sekey binary:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.ntrippar.sekey</string>
    <key>ProgramArguments</key>
    <array>
        <string>/absolute/path/to/SeKey.app/Contents/MacOS/sekey</string>
        <string>--daemon</string>
    </array>
    <key>StandardErrorPath</key>
    <string>/dev/null</string>
    <key>StandardOutPath</key>
    <string>/dev/null</string>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
  6. Fix permissions:
chown youruser:staff /absolute/path/to/SeKey.app/Contents/MacOS/sekey
  7. Load the agent into the user account:
launchctl load -F ~/Library/LaunchAgents/com.ntrippar.sekey.plist
  8. Set environment variables and adjust the path to the SeKey folder:
export PATH=$PATH:/path/to/SeKey.app/Contents/MacOS
export SSH_AUTH_SOCK=$HOME/.sekey/ssh-agent.ssh

Usage

For the help menu:

ntrippar@macbookpro:~% sekey -h
SeKey 1.0
Nicolas Trippar <[email protected]>
Use Secure Enclave for SSH Authentication

USAGE:
    sekey [FLAGS] [OPTIONS]

FLAGS:
        --daemon       Run the daemon
    -h, --help         Prints help information
        --list-keys    List all keys
    -V, --version      Prints version information

OPTIONS:
        --delete-keypair <ID>         Deltes the keypair
        --export-key <ID>             export key to OpenSSH Format
        --generate-keypair <LABEL>    Generate a key inside the Secure Enclave

Examples

Create a key pair inside the Secure Enclave:

ntrippar@macbookpro:~% sekey --generate-keypair "Github Key"
Keypair Github Key sucessfully generated

List keys in the Secure Enclave:

ntrippar@macbookpro:~% sekey --list-keys

┌────────────────────┬──────────────────────────────────────────────────┐
│       Label        │                        ID                        │
├────────────────────┼──────────────────────────────────────────────────┤
│     Github Key     │     d179eb4c2d6a242de64e82240b8b6e611cf0d729     │
└────────────────────┴──────────────────────────────────────────────────┘

Export public key to OpenSSH format:

ntrippar@macbookpro:~% sekey --export-key d179eb4c2d6a242de64e82240b8b6e611cf0d729
ecdsa-sha2-nistp25 AAAAEmVjZHNhLXNoYTItbmlzdHAyNQAAAAhuaXN0cDI1NgAAAEEE8HM7SBdu3yOYkmF0Wnj/q8t2NJC6JYJWZ4IyvkOVIeUs6mi4B424bAjhZ4Awgk5ax9r25RB3Q8tL2/7J/3xchQ==
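
The exported line is what ends up in authorized_keys (or in a cloud console that validates the OpenSSH format; the AWS error quoted in the issues below is one such rejection), so it is worth checking that the line is self-consistent before distributing it. The Python below is an added example, not part of SeKey: it parses the RFC 5656 ecdsa-sha2-* wire encoding (type string, curve identifier, SEC1 point), checks that the declared and embedded type names are the ones derived from the curve identifier, and checks the point against the P-256 curve equation. Run against the line shown above, it reports that both type strings read ecdsa-sha2-nistp25 while the curve identifier inside the blob is nistp256; canonical_key_line rebuilds the line with the type name derived from the curve and leaves the point untouched. The function names, the README_KEY_LINE constant and the "sekey" comment are this example's own.

```python
import base64
import struct

# NIST P-256 domain parameters (FIPS 186-4 / SEC 2), used only for the on-curve check.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_A = P256_P - 3

# The public key line exactly as the README shows it (output of sekey --export-key).
README_KEY_LINE = (
    "ecdsa-sha2-nistp25 AAAAEmVjZHNhLXNoYTItbmlzdHAyNQAAAAhuaXN0cDI1NgAAAEEE8HM7SBdu3yOYkmF0Wnj/"
    "q8t2NJC6JYJWZ4IyvkOVIeUs6mi4B424bAjhZ4Awgk5ax9r25RB3Q8tL2/7J/3xchQ=="
)


def _string(b):
    """Encode one RFC 4251 'string' (uint32 big-endian length prefix + bytes)."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf, off):
    """Read one RFC 4251 'string' at offset off; returns (bytes, next_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("string runs past end of blob")
    return buf[off + 4:end], end


def _on_p256(x, y):
    """True if (x, y) satisfies y^2 = x^3 - 3x + b (mod p) for P-256."""
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def build_key_line(x, y, curve="nistp256"):
    """Construct an 'ecdsa-sha2-<curve> <base64>' line from affine coordinates (fixture helper)."""
    point = b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    ktype = "ecdsa-sha2-" + curve
    blob = _string(ktype.encode()) + _string(curve.encode()) + _string(point)
    return ktype + " " + base64.b64encode(blob).decode()


def check_ecdsa_pubkey_line(line):
    """Validate one '<type> <base64> [comment]' line holding an ecdsa-sha2-nistp256 key.

    Returns the parsed fields plus a 'problems' list; an empty list means the line is
    consistent with RFC 5656 section 3.1 and the point lies on P-256.
    """
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)

    problems = []
    embedded_type, off = _read_string(blob, 0)
    curve, off = _read_string(blob, off)
    point, off = _read_string(blob, off)
    if off != len(blob):
        problems.append("trailing bytes after the EC point")

    curve = curve.decode("ascii", "replace")
    embedded_type = embedded_type.decode("ascii", "replace")
    expected_type = "ecdsa-sha2-" + curve  # RFC 5656: the type name is derived from the curve id

    if curve != "nistp256":
        problems.append("unexpected curve identifier %r" % curve)
    if declared_type != expected_type:
        problems.append("declared type %r != %r" % (declared_type, expected_type))
    if embedded_type != expected_type:
        problems.append("embedded type %r != %r" % (embedded_type, expected_type))

    on_curve = None
    if len(point) != 65 or point[0] != 0x04:
        problems.append("EC point is not a 65-byte uncompressed SEC1 point")
    else:
        x = int.from_bytes(point[1:33], "big")
        y = int.from_bytes(point[33:65], "big")
        on_curve = _on_p256(x, y)
        if not on_curve:
            problems.append("EC point is not on P-256")

    return {
        "declared_type": declared_type,
        "embedded_type": embedded_type,
        "curve": curve,
        "point_len": len(point),
        "on_curve": on_curve,
        "problems": problems,
    }


def canonical_key_line(line, comment=""):
    """Re-encode a line whose point parses but whose type strings are wrong, using the
    type name derived from the curve identifier. The point bytes are not modified."""
    info = check_ecdsa_pubkey_line(line)
    if info["point_len"] != 65:
        raise ValueError("cannot rebuild the line: EC point is malformed")
    blob = base64.b64decode(line.split(None, 2)[1], validate=True)
    _, off = _read_string(blob, 0)
    _, off = _read_string(blob, off)
    point, _ = _read_string(blob, off)
    x = int.from_bytes(point[1:33], "big")
    y = int.from_bytes(point[33:65], "big")
    out = build_key_line(x, y, info["curve"])
    return out + (" " + comment if comment else "")


if __name__ == "__main__":
    report = check_ecdsa_pubkey_line(README_KEY_LINE)
    for problem in report["problems"]:
        print("problem:", problem)
    print(canonical_key_line(README_KEY_LINE, "sekey"))
```

A line that passes this check is accepted by ssh-keygen -l and by strict importers; one that fails on the type name alone can be rebuilt with canonical_key_line, which is safe because the public point is copied byte for byte.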

Delete a key pair:

ntrippar@macbookpro:~% sekey --delete-keypair d179eb4c2d6a242de64e82240b8b6e611cf0d729
Key d179eb4c2d6a242de64e82240b8b6e611cf0d729 sucessfully deleted

Use key for a specific host:

  1. Export the public key from sekey and save it to a file:
ntrippar@macbookpro:~% sekey --export-key d179eb4c2d6a242de64e82240b8b6e611cf0d729 > ~/.ssh/example.com.pub
  2. In the SSH config file at ~/.ssh/config, add an entry so that ssh offers only that key to the given host:
Host example.com
    IdentityFile ~/.ssh/example.com.pub
    IdentitiesOnly yes
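
To confirm that an ssh client can see and use the identity served on ~/.sekey/ssh-agent.ssh, it helps to speak the ssh-agent protocol to the socket directly instead of going through ssh. The Python below is an added example (not SeKey code): it frames SSH_AGENTC_REQUEST_IDENTITIES and SSH_AGENTC_SIGN_REQUEST messages, decodes the replies, and derives the same SHA256 fingerprint that ssh -v prints when it offers a key, so the identity the agent returns can be matched against a verbose ssh run and against the ID listed by sekey --list-keys after export. A SSH_AGENT_FAILURE reply to a sign request means the agent declined to sign with that blob. The SAMPLE_* values are constructed here for offline testing and were not captured from sekey; the socket path defaults to SSH_AUTH_SOCK.

```python
import base64
import hashlib
import os
import socket
import struct

# Message numbers from the ssh-agent protocol (draft-miller-ssh-agent).
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14


def _string(b):
    """RFC 4251 'string': uint32 big-endian length prefix + bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf, off):
    """Read one RFC 4251 'string' at offset off; returns (bytes, next_offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def frame(msg_type, payload=b""):
    """Wrap a message type byte plus payload in the length prefix the agent socket expects."""
    return _string(bytes([msg_type]) + payload)


def request_identities():
    return frame(SSH_AGENTC_REQUEST_IDENTITIES)


def sign_request(key_blob, data, flags=0):
    """Ask the agent to sign 'data' with the key identified by its public blob."""
    payload = _string(key_blob) + _string(data) + struct.pack(">I", flags)
    return frame(SSH_AGENTC_SIGN_REQUEST, payload)


def fingerprint(key_blob):
    """SHA256 fingerprint of a public key blob, in the form ssh -v and ssh-add -l print."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_identities(reply):
    """Decode a framed SSH_AGENT_IDENTITIES_ANSWER into (type, fingerprint, comment) tuples."""
    body, _ = _read_string(reply, 0)
    if body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected message type %d" % body[0])
    (count,) = struct.unpack(">I", body[1:5])
    off, identities = 5, []
    for _ in range(count):
        blob, off = _read_string(body, off)
        comment, off = _read_string(body, off)
        ktype, _ = _read_string(blob, 0)  # first string of any key blob is its type name
        identities.append((ktype.decode(), fingerprint(blob), comment.decode(errors="replace")))
    return identities


def parse_sign_response(reply):
    """Return the signature blob, or None if the agent answered SSH_AGENT_FAILURE."""
    body, _ = _read_string(reply, 0)
    if body[0] == SSH_AGENT_FAILURE:
        return None
    if body[0] != SSH_AGENT_SIGN_RESPONSE:
        raise ValueError("unexpected message type %d" % body[0])
    sig, _ = _read_string(body, 1)
    return sig


def _recv_exact(s, n):
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the socket before the reply was complete")
        buf += chunk
    return buf


def agent_roundtrip(request, sock_path=None):
    """Send one framed request to the agent socket and return the complete framed reply."""
    sock_path = sock_path or os.environ["SSH_AUTH_SOCK"]
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(request)
        hdr = _recv_exact(s, 4)
        (n,) = struct.unpack(">I", hdr)
        return hdr + _recv_exact(s, n)


# Constructed sample replies for offline use (not captured from sekey): one nistp256
# identity with an all-zero placeholder point, and a bare failure reply.
SAMPLE_BLOB = (_string(b"ecdsa-sha2-nistp256") + _string(b"nistp256")
               + _string(b"\x04" + bytes(64)))
SAMPLE_IDENTITIES_REPLY = frame(
    SSH_AGENT_IDENTITIES_ANSWER,
    struct.pack(">I", 1) + _string(SAMPLE_BLOB) + _string(b"ecdsa-sha2-nistp256"),
)
SAMPLE_FAILURE_REPLY = frame(SSH_AGENT_FAILURE)


if __name__ == "__main__":
    # Live check against the running agent: list what it offers, then try one signature.
    ids = parse_identities(agent_roundtrip(request_identities()))
    for ktype, fp, comment in ids:
        print(ktype, fp, comment)
```

Run with SSH_AUTH_SOCK pointing at the sekey socket, the printed fingerprint should match the SHA256 line ssh -v shows under "Offering public key"; if the daemon lists the key but parse_sign_response returns None for it, the agent is reachable but is refusing to sign with that blob, which narrows the problem to the key lookup rather than the socket wiring.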

How to Build

Build

Sekey is built with Cargo, the Rust package manager.

git clone https://github.com/ntrippar/sekey
cd sekey
cargo build --release

Sign

SeKey uses the Keychain API on macOS; to use it, the app needs to be signed and have the correct entitlements.

You need to change the --sign parameter to match your own signing identity.

List signing identities:

security find-identity -v -p codesigning

Sign

codesign --force --identifier "com.ntrippar.sekey" --sign "Developer ID Application: Nicolas Trippar (5E8NNEEMLP)" --entitlements ./assets/sekey.entitlements --timestamp=none ./bundle/SeKey.app

Package

cp ./target/release/sekey ./bundle/Applications/SeKey.app/Contents/MacOS/sekey

If you need to create a pkg installer:

pkgbuild --analyze --root ./bundle/ SeKey.plist

pkgbuild --sign "Developer ID Installer: Nicolas Trippar (5E8NNEEMLP)" --identifier com.ntrippar.sekey --root ./bundle/ --scripts ./install-scripts --component-plist ./Sekey.plist ./sekey.pkg

Contribute

Members of the open-source community are encouraged to submit pull requests directly through GitHub.

Comments
  • A little more detailed set up instructions?

    I have downloaded the precompiled binary, and followed the "Manual Installation" instructions, then generated, exported and added the public key to my remote host; but the authentication using the generated key doesn't work. Is there anything else I need to do that is not outlined in Readme?

    opened by spitfire 15
  • Homebrew-Cask

    Looks like it should be possible to use a Cask with the signed release.

    https://github.com/caskroom/homebrew-cask/blob/master/doc/development/adding_a_cask.md

    opened by Manouchehri 12
  • Key format

    When I am trying to import my public key to AWS management console I am getting:

    Error importing Key Pair Key is not in valid OpenSSH public key format

    Does anyone know what the problem is? Is it possible that AWS does not support ecdsa keys?

    opened by mcdallas 6
  • Change keytype from ecdsa-sha2-nistp256 to ecdsa-sha2-nistp256-sk

    OpenSSH now supports ecdsa-sk and ed25519-sk keys. The '-sk' denotes these are stored on a security key, such as a yubikey.

    Since sekey itself is also using hardware backed keys, it could be useful to "indicate" as such and generate these keys as the -sk class so that they can be distinguished from other key types.

    What do you think?

    opened by Firstyear 4
  • Sekey not working after upgrading to Big Sur

    Hello,

    Not sure if anyone else has noticed. After upgrading to Big Sur, sekey is still running and able to list and export keys, but the SSH client is unable to use it to sign the challenge, throwing this error:

    debug1: Offering public key: ecdsa-sha2-nistp256 ECDSA SHA256:REDACTED agent
    debug1: Server accepts key: ecdsa-sha2-nistp256 ECDSA SHA256:REDACTED agent
    sign_and_send_pubkey: signing failed: communication with agent failed
    ...
    
    opened by mfdutra 3
  • export-key produces no output

    This looks very useful, but I get no output from export-key:

    Computer:~ tommy$ sekey --export-key "Github work MBP"
    Computer:~ tommy$ sekey -l
    ┌─────────────────────────┬──────────────────────────────────────────────────┐
    │          Label          │                        ID                        │
    ├─────────────────────────┼──────────────────────────────────────────────────┤
    │     Github work MBP     │     5db29e0971f6df63f5e1d8eee9880e3c2def29f7     │
    └─────────────────────────┴──────────────────────────────────────────────────┘
    Computer:~ tommy$ sekey -c key2
    Keypair key2 successfully generated
    Computer:~ tommy$ sekey -l
    ┌─────────────────────────┬──────────────────────────────────────────────────┐
    │          Label          │                        ID                        │
    ├─────────────────────────┼──────────────────────────────────────────────────┤
    │     Github work MBP     │     5db29e0971f6df63f5e1d8eee9880e3c2def29f7     │
    │     key2                │     32135a11baf4c9faf39dd2353b894c7f82c91ac1     │
    └─────────────────────────┴──────────────────────────────────────────────────┘
    Computer:~ tommy$ sekey --export-key key2
    Computer:~ tommy$ 
    

    What am I missing?

    opened by tommythorn 3
  • Command line options

    This is more of a feature request than a bug. sekey -d for sekey --delete-keypair sekey -e for sekey --export-key sekey -c (create)

    opened by Rudi9719 3
  • build failed

    error: expected ident, found #
       --> /Users/jk/.cargo/registry/src/github.com-1ecc6299db9ec823/bitflags-1.0.1/src/lib.rs:423:29
        |
    423 |                               #[allow(deprecated)]
        |                               ^
        |
       ::: /Users/jk/.cargo/registry/src/github.com-1ecc6299db9ec823/bitflags-1.0.1/src/example_generated.rs
        |
    4   | / bitflags! {
    5   | |     /// This is the same `Flags` struct defined in the [crate level example](../index.html#example).
    6   | |     /// Note that this struct is just for documentation purposes only, it must not be used outside
    7   | |     /// this crate.
    ...   |
    13  | |     }
    14  | | }
        | |_- in this macro invocation
    
    opened by playmyswift 3
  • Solution like ssh-copy-id to upload a key in one step

    The ssh-copy-id tool is useful to add your public key to a remote server's authorized_keys file. It can be used with SeKey by exporting a public key to a file and then using ssh-copy-id with it.

    It would be nice if SeKey made this a bit easier, something like

    sekey -u, --upload-key <[USER@]SERVER> <ID>
    
    opened by rgov 2
  • RSA keys

    Some systems (e.g. some old clusters I occasionally need to log in to) don't have a new enough SSH to support ECDSA keys and require RSA.

    Since RSA is supported by the Secure Enclave (kSecAttrKeyTypeRSA), I see no reason why not to have RSA support as well.

    opened by omor1 2
  • Support for other private key types and bits

    • [ ] ed25512 w/ option to change rounds
    • [ ] ecdsa {384,512}
    • [ ] rsa {2048,4096}

    Samples on how I create the above now:

    ssh-keygen -q -t ed25519 -o -a 100 -N '' -C "will Farrell's MacBook Pro" -f ~/.ssh/id_ed25512
    ssh-keygen -q -t rsa -b 4096 -N '' -C "will Farrell's MacBook Pro" -f ~/.ssh/id_rsa
    ssh-keygen -q -t ecdsa -b 521 -N '' -C "will Farrell's MacBook Pro" -f ~/.ssh/id_ecdsa
    

    manpage - matching the arguments might be helpful to most users.

    opened by willfarrell 2
  • sekey not working since update to Monterey

    I have an M1 MacBook Air and I've been using sekey on it for about a year now, but since I upgraded from Big Sur to Monterey I haven't been able to get it to authenticate at all.

    From the SSH end, everything is fine until the signing:

    debug1: Next authentication method: publickey
    debug1: Offering public key: ecdsa-sha2-nistp256 ECDSA SHA256:<VALID_FINGERPRINT_HERE> agent
    debug1: Server accepts key: ecdsa-sha2-nistp256 ECDSA SHA256:<VALID_FINGERPRINT_HERE> agent
    sign_and_send_pubkey: signing failed for ECDSA "ecdsa-sha2-nistp256" from agent: communication with agent failed
    

    If I run sekey as debug RUST_LOG=debug sekey --daemon I get:

    Pipe deleted
    binding to /Users/f8/.sekey/ssh-agent.ssh
    DEBUG:ssh_agent::agent: handling new connection
    DEBUG:ssh_agent::protocol: reading request
    DEBUG:ssh_agent::agent: request: RequestIdentities
    DEBUG:ssh_agent::agent: handler: Identities([Identity { key_blob: [KEY_BLOB_DATA], key_comment: "ecdsa-sha2-nistp256" }])
    DEBUG:ssh_agent::protocol: reading request
    DEBUG:ssh_agent::agent: request: SignRequest { pubkey_blob: [KEY_BLOB_DATA], data: [DATA_BLOB], flags: 0 }
    DEBUG:ssh_agent::agent: handler: Error { details: "Key not found" }
    

    Everything looks good in the enclave:

     ~ sekey -l
    ┌───────────────────────┬──────────────────────────────────────────────────┐
    │         Label         │                        ID                        │
    ├───────────────────────┼──────────────────────────────────────────────────┤
    │     Kadin SSH Key     │     A_BIG_ID_NUMBER                              │
    └───────────────────────┴──────────────────────────────────────────────────┘
    ➜  ~ sekey -e A_BIG_ID_NUMBER                         
    ecdsa-sha2-nistp256 PUBLIC_KEY_THAT_MATCHES_FINGERPRINT
    

    I've tried reinstalling, rebooting, and everything short of deleting my key from the enclave (because that will be a pain).

    When the errors above occur, I am never prompted to use touch ID. Touch ID is working in other apps post upgrade, but I did notice that the dialog design changed a bit.

    I'm mostly wondering if anyone else has run into this post-Monterey-upgrade before I try something drastic like nuking my key and starting over.

    opened by buddyw 6
  • Small changes to fix some warnings

    I found some warnings when I built the project (rustc 1.49-beta3 on MacOS BigSur).

    One of them seems to be because the use of env:home_dir is deprecated in favour (so far) of the 'home' crate with the same function name. The other warning appears to be because write_all can return an error if an individual write fails, which means the code was ignoring a result, so I added an 'expect' to each of the write_all calls.

    opened by frumioj 0
  • Add support for unlocking private keys with Apple Watch

    This is a feature request to allow authorizing of SeKey key signing operations with an active paired Apple Watch in addition to the Biometric sensors offered by current Macbooks. This would be useful for people who have their laptop closed during use, such as while using a dock/external monitor. Otherwise keys managed by SeKey are unusable due to TouchID being unavailable with the screen closed, and FaceID not yet being a feature that I'm aware of for Macs (though the API exists).

    I believe it should be possible to permit users with paired Apple Watches to use them to authenticate use of SSH keys by adding this constraint - https://developer.apple.com/documentation/security/secaccesscontrolcreateflags/3042482-watch around here: https://github.com/sekey/sekey/blob/master/src/keychain.rs#L369

    Perhaps allowing its use could be dictated by a flag to the daemon.

    I tried getting the code to build locally to add this, but I can't get it to work for me once built + signed, it simply can't access keys - I'm not familiar enough with Rust or the OSX development environment to sort it out currently, I'm afraid.

    Also of note, the existing constraint in use is deprecated as mentioned here: https://github.com/sekey/sekey/issues/26#issuecomment-652753697

    opened by craSH 2