Use Touch ID / Secure Enclave for SSH Authentication!

Related tags

Security tools sekey
Overview

SeKey

Build Status MIT Licensed

SeKey

About

SeKey is a SSH Agent that allow users to authenticate to UNIX/Linux SSH servers using the Secure Enclave

How it Works?

The Secure Enclave is a hardware-based key manager that’s isolated from the main processor to provide an extra layer of security. When you store a private key in the Secure Enclave, you never actually handle the key, making it difficult for the key to become compromised. Instead, you instruct the Secure Enclave to create the key, securely store it, and perform operations with it. You receive only the output of these operations, such as encrypted data or a cryptographic signature verification outcome.

Limitations

  • Only support MacBook Pro with the Touch Bar and Touch ID
  • Can’t import preexisting key
  • Stores only 256-bit elliptic curve private key

Install

Homebrew

Unfortunately, I can't make a Homebrew formula because KeyChain API requires entitlements, so the binary has to be signed to work, still you can use Homebrew Cask

Homebrew Cask

  1. Install Sekey
brew cask install sekey
  1. Append the following line to your ~/.bash_profile or ~/.zshrc
export SSH_AUTH_SOCK=$HOME/.sekey/ssh-agent.ssh

or

  1. Add the following line you your ~/.ssh/config or /etc/ssh/ssh_config
IdentityAgent ~/.sekey/ssh-agent.ssh

Pkg Installer

  1. Go to Releases and download the pkg release
  2. Install the application using the pkg.
  3. Set enviroment variables and fix the path of sekey folder.
export PATH=$PATH:/Applications/SeKey.app/Contents/MacOS
export SSH_AUTH_SOCK=$HOME/.sekey/ssh-agent.ssh

Manual Installation

  1. Go to Releases and download the zip release
  2. Place the App in the Applications folder.
  3. Go to ~/Library/LaunchAgents
  4. Create the file com.ntrippar.sekey.plist
  5. Paste the following into the file and fix the path of the sekey binary:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.ntrippar.sekey</string>
    <key>ProgramArguments</key>
    <array>
        <string>/absolute/path/to/SeKey.app/Contents/MacOS/sekey</string>
        <string>--daemon</string>
    </array>
    <key>StandardErrorPath</key>
    <string>/dev/null</string>
    <key>StandardOutPath</key>
    <string>/dev/null</string>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
  1. Fix permissions
chown youruser:staff /absolute/path/to/SeKey.app/Contents/MacOS/sekey
  1. Load the agent to the user account:
launchctl load -F ~/Library/LaunchAgents/com.ntrippar.sekey.plist
  1. Set enviroment variables and fix the path of sekey folder.
export PATH=$PATH:/path/to/SeKey.app/Contents/MacOS
export SSH_AUTH_SOCK=$HOME/.sekey/ssh-agent.ssh

Usage

For the help menu:

[email protected]:~% sekey -h
SeKey 1.0
Nicolas Trippar <[email protected]>
Use Secure Enclave for SSH Authentication

USAGE:
    sekey [FLAGS] [OPTIONS]

FLAGS:
        --daemon       Run the daemon
    -h, --help         Prints help information
        --list-keys    List all keys
    -V, --version      Prints version information

OPTIONS:
        --delete-keypair <ID>         Deltes the keypair
        --export-key <ID>             export key to OpenSSH Format
        --generate-keypair <LABEL>    Generate a key inside the Secure Enclave

Examples

Create KeyPair inside the Secure Enclave:

[email protected]:~% sekey --generate-keypair "Github Key"
Keypair Github Key sucessfully generated

List keys in the secure enclave:

[email protected]:~% sekey --list-keys

┌────────────────────┬──────────────────────────────────────────────────┐
│       Label        │                        ID                        │
├────────────────────┼──────────────────────────────────────────────────┤
│     Github Key     │     d179eb4c2d6a242de64e82240b8b6e611cf0d729     │
└────────────────────┴──────────────────────────────────────────────────┘

Export public key to OpenSSH format:

[email protected]:~% sekey --export-key d179eb4c2d6a242de64e82240b8b6e611cf0d729
ecdsa-sha2-nistp25 AAAAEmVjZHNhLXNoYTItbmlzdHAyNQAAAAhuaXN0cDI1NgAAAEEE8HM7SBdu3yOYkmF0Wnj/q8t2NJC6JYJWZ4IyvkOVIeUs6mi4B424bAjhZ4Awgk5ax9r25RB3Q8tL2/7J/3xchQ==

Delete Keypair:

[email protected]:~% sekey --delete-keypair d179eb4c2d6a242de64e82240b8b6e611cf0d729
Key d179eb4c2d6a242de64e82240b8b6e611cf0d729 sucessfully deleted

Use key for a specific host:

  1. export the public key from sekey and save it to a file
[email protected]:~% sekey --export-key d179eb4c2d6a242de64e82240b8b6e611cf0d729 > ~/.ssh/example.com.pub
  1. on the ssh config file located in ~/.ssh/config we should add a entry so the ssh only query that key for the given host
Host example.com
    IdentityFile ~/.ssh/example.com.pub
    IdentitiesOnly yes

How to Build

Build

Sekey is built with Cargo, the Rust package manager.

git clone https://github.com/ntrippar/sekey
cd sekey
cargo build --release

Sign

SeKey utilizes the KeyChain API on MacOS, for using it the app needs to be signed and have the correct entitlements.

You need to change the sign parameter to match your own signing key

Listing keys

security find-identity -v -p codesigning

Sign

codesign --force --identifier "com.ntrippar.sekey" --sign "Developer ID Application: Nicolas Trippar (5E8NNEEMLP)" --entitlements ./assets/sekey.entitlements --timestamp=none ./bundle/SeKey.app

Package

cp ./target/release/sekey ./bundle/Applications/SeKey.app/Contents/MacOS/sekey

if needed to create a pkg installer

pkgbuild --analyze --root ./bundle/ SeKey.plist

pkgbuild --sign "Developer ID Installer: Nicolas Trippar (5E8NNEEMLP)" --identifier com.ntrippar.sekey --root ./bundle/ --scripts ./install-scripts --component-plist ./Sekey.plist ./sekey.pkg

Contribute

Members of the open-source community are encouraged to submit pull requests directly through GitHub.

Comments
  • A little more detailed set up instructions?

    A little more detailed set up instructions?

    I have downloaded the precompiled binary, and followed the "Manual Installation" instructions, then generated, exported and added the public key to my remote host; but the authentication using the generated key doesn't work. Is there anything else I need to do that is not outlined in Readme?

    opened by spitfire 15
  • Homebrew-Cask

    Homebrew-Cask

    Looks like it should be possible to use a Cask with the signed release.

    https://github.com/caskroom/homebrew-cask/blob/master/doc/development/adding_a_cask.md

    opened by Manouchehri 12
  • Key format

    Key format

    When I am trying to import my public key to AWS management console I am getting:

    Error importing Key Pair Key is not in valid OpenSSH public key format

    Does anyone know what the problem is? Is it possible that AWS does not support ecdsa keys?

    opened by mcdallas 6
  • Change keytype from ecdsa-sha2-nistp256 to ecdsa-sha2-nistp256-sk

    Change keytype from ecdsa-sha2-nistp256 to ecdsa-sha2-nistp256-sk

    OpenSSH now supports ecdsa-sk and ed25519-sk keys. The '-sk' denotes these are stored on a security key, such as a yubikey.

    Since sekey itself is also using hardware backed keys, it could be useful to "indicate" as such an generate these keys as the -sk class so that they can be distinguished from other key types.

    What do you think?

    opened by Firstyear 4
  • Sekey not working after upgrading to Big Sur

    Sekey not working after upgrading to Big Sur

    Hello,

    Not sure if anyone else has noticed. After upgrading to Big Sur, sekey is still running and able to list and export keys, but the SSH client is unable to use it to sign the challenge, throwing this error:

    debug1: Offering public key: ecdsa-sha2-nistp256 ECDSA SHA256:REDACTED agent
    debug1: Server accepts key: ecdsa-sha2-nistp256 ECDSA SHA256:REDACTED agent
    sign_and_send_pubkey: signing failed: communication with agent failed
    ...
    
    opened by mfdutra 3
  • export-key produces no output

    export-key produces no output

    This looks very useful, but I get no output from export-key:

    Computer:~ tommy$ sekey --export-key "Github work MBP"
    Computer:~ tommy$ sekey -l
    ┌─────────────────────────┬──────────────────────────────────────────────────┐
    │          Label          │                        ID                        │
    ├─────────────────────────┼──────────────────────────────────────────────────┤
    │     Github work MBP     │     5db29e0971f6df63f5e1d8eee9880e3c2def29f7     │
    └─────────────────────────┴──────────────────────────────────────────────────┘
    Computer:~ tommy$ sekey -c key2
    Keypair key2 successfully generated
    Computer:~ tommy$ sekey -l
    ┌─────────────────────────┬──────────────────────────────────────────────────┐
    │          Label          │                        ID                        │
    ├─────────────────────────┼──────────────────────────────────────────────────┤
    │     Github work MBP     │     5db29e0971f6df63f5e1d8eee9880e3c2def29f7     │
    │     key2                │     32135a11baf4c9faf39dd2353b894c7f82c91ac1     │
    └─────────────────────────┴──────────────────────────────────────────────────┘
    Computer:~ tommy$ sekey --export-key key2
    Computer:~ tommy$ 
    

    What am I missing?

    opened by tommythorn 3
  • Command line options

    Command line options

    This is more of a feature request than a bug. sekey -d for sekey --delete-keypair sekey -e for sekey --export-key sekey -c (create)

    opened by Rudi9719 3
  • build failed

    build failed

    error: expected ident, found #
       --> /Users/jk/.cargo/registry/src/github.com-1ecc6299db9ec823/bitflags-1.0.1/src/lib.rs:423:29
        |
    423 |                               #[allow(deprecated)]
        |                               ^
        |
       ::: /Users/jk/.cargo/registry/src/github.com-1ecc6299db9ec823/bitflags-1.0.1/src/example_generated.rs
        |
    4   | / bitflags! {
    5   | |     /// This is the same `Flags` struct defined in the [crate level example](../index.html#example).
    6   | |     /// Note that this struct is just for documentation purposes only, it must not be used outside
    7   | |     /// this crate.
    ...   |
    13  | |     }
    14  | | }
        | |_- in this macro invocation
    
    opened by playmyswift 3
  • Solution like ssh-copy-id to upload a key in one step

    Solution like ssh-copy-id to upload a key in one step

    The ssh-copy-id tool is useful to add your public key to a remote server's authorized_keys file. It can be used with SeKey by exporting a public key to a file and then using ssh-copy-id with it.

    It would be nice if SeKey made this a bit easier, something like

    sekey -u, --upload-key <[[email protected]]SERVER> <ID>
    
    opened by rgov 2
  • RSA keys

    RSA keys

    Some systems (e.g. some old clusters I occasionally need to log in to) don't have a new enough SSH to support ECDSA keys and require RSA.

    Since RSA is supported by the Secure Enclave (kSecAttrKeyTypeRSA), I see no reason why not to have RSA support as well.

    opened by omor1 2
  • Support for other private key types and bits

    Support for other private key types and bits

    • [ ] ed25512 w/ option to change rounds
    • [ ] ecdsa {384,512}
    • [ ] rsa {2048,4096}

    Samples on how I create the above now:

    ssh-keygen -q -t ed25519 -o -a 100 -N '' -C "will Farrell's MacBook Pro" -f ~/.ssh/id_ed25512
    ssh-keygen -q -t rsa -b 4096 -N '' -C "will Farrell's MacBook Pro" -f ~/.ssh/id_rsa
    ssh-keygen -q -t ecdsa -b 521 -N '' -C "will Farrell's MacBook Pro" -f ~/.ssh/id_ecdsa
    

    manpage - matching the arguments might be helpful to most users.

    opened by willfarrell 2
  • sekey not working since update to Monterey

    sekey not working since update to Monterey

    I have an M1 macbook air and I've been using sekey on it for a about a year now, but since I upgraded from Big Sur to Monterey I haven't been able to get it to authenticate at all.

    From the SSH end, everything is fine until the signing: debug1:

    Next authentication method: publickey
    debug1: Offering public key: ecdsa-sha2-nistp256 ECDSA SHA256:<VALID_FINGERPRINT_HERE> agent
    debug1: Server accepts key: ecdsa-sha2-nistp256 ECDSA SHA256:<VALID_FINGERPRINT_HERE> agent
    sign_and_send_pubkey: signing failed for ECDSA "ecdsa-sha2-nistp256" from agent: communication with agent failed
    

    If I run sekey as debug RUST_LOG=debug sekey --daemon I get:

    Pipe deleted
    binding to /Users/f8/.sekey/ssh-agent.ssh
    DEBUG:ssh_agent::agent: handling new connection
    DEBUG:ssh_agent::protocol: reading request
    DEBUG:ssh_agent::agent: request: RequestIdentities
    DEBUG:ssh_agent::agent: handler: Identities([Identity { key_blob: [KEY_BLOB_DATA], key_comment: "ecdsa-sha2-nistp256" }])
    DEBUG:ssh_agent::protocol: reading request
    DEBUG:ssh_agent::agent: request: SignRequest { pubkey_blob: [KEY_BLOB_DATA], data: [DATA_BLOB], flags: 0 }
    DEBUG:ssh_agent::agent: handler: Error { details: "Key not found" }
    

    Everything looks good in the enclave:

     ~ sekey -l
    ┌───────────────────────┬──────────────────────────────────────────────────┐
    │         Label         │                        ID                        │
    ├───────────────────────┼──────────────────────────────────────────────────┤
    │     Kadin SSH Key     │     A_BIG_ID_NUMBER                              │
    └───────────────────────┴──────────────────────────────────────────────────┘
    ➜  ~ sekey -e A_BIG_ID_NUMBER                         
    ecdsa-sha2-nistp256 PUBLIC_KEY_THAT_MATCHES_FINGERPRINT
    

    I've tried reinstalling, rebooting, and everything short of deleting my key from the enclave (because that will be a pain).

    When the errors above occur, I am never prompted to use touch ID. Touch ID is working in other apps post upgrade, but I did notice that the dialog design changed a bit.

    I'm mostly wondering if anyone else has run into this post-moneterey-upgrade before I try something drastic like nuking my key and starting over.

    opened by buddyw 6
  • Small changes to fix some warnings

    Small changes to fix some warnings

    I found some warnings when I built the project (rustc 1.49-beta3 on MacOS BigSur).

    One of them seems to be because the use of env:home_dir is deprecated in favour (so far) of the 'home' crate with the same function name. The other warning appears to be because write_all can return an error if an individual write fails, which means the code was ignoring a result, so I added an 'expect' to each of the write_all calls.

    opened by frumioj 0
  • Add support for unlocking private keys with Apple Watch

    Add support for unlocking private keys with Apple Watch

    This is a feature request to allow authorizing of SeKey key signing operations with an active paired Apple Watch in addition to the Biometric sensors offered by current Macbooks. This would be useful for people who have their laptop closed during use, such as while using a dock/external monitor. Otherwise keys managed by SeKey are unusable due to TouchID being unavailable with the screen closed, and FaceID not yet being a feature that I'm aware of for Macs (though the API exists).

    I believe it should be possible to permit users with paired Apple Watches to use them to authenticate use of SSH keys by adding this constraint - https://developer.apple.com/documentation/security/secaccesscontrolcreateflags/3042482-watch around here: https://github.com/sekey/sekey/blob/master/src/keychain.rs#L369

    Perhaps allowing its use could be dictated by a flag to the daemon.

    I tried getting the code to build locally to add this, but I can't get it to work for me once built + signed, it simply can't access keys - I'm not familiar enough with Rust or the OSX development environment to sort it out currently, I'm afraid.

    Also of note, the existing constraint in use is deprecated as mentioned here: https://github.com/sekey/sekey/issues/26#issuecomment-652753697

    opened by craSH 2
Owner
SeKey
SeKey
Authoscope is a scriptable network authentication cracker.

authoscope authoscope is a scriptable network authentication cracker. While the space for common service bruteforce is already very well saturated, yo

null 330 Aug 31, 2022
Secure drive wipe

Lethe A secure, free, cross-platform and open-source drive wiping utility. Should work with any HDD, SSD (read limitations) and flash drives. The usua

Konstantin Alexandroff 64 Sep 20, 2022
Secure multithreaded packet sniffer

sniffglue sniffglue is a network sniffer written in rust. Network packets are parsed concurrently using a thread pool to utilize all cpu cores. Projec

null 885 Sep 22, 2022
Secure transport for running MPC protocols backed by Signal

MPC over Signal Overview This library provides a high-level interface for connecting to Signal Server and using it to exchange messages with other con

[ZenGo X] 34 Sep 12, 2022
Secure sandboxing system for untrusted code execution

Godbox Secure sandboxing system for untrusted code execution. It uses isolate which uses specific functionnalities of the Linux kernel, thus godbox no

Nathanael Demacon 17 Aug 2, 2022
Cross-platform Secure TUI Secret Locker

SafeCloset keeps your secrets in password protected files. SafeCloset is designed to be convenient and avoid common weaknesses like external editing or temporary files written on disk.

Canop 57 Aug 17, 2022
Secure and fast microVMs for serverless computing.

Our mission is to enable secure, multi-tenant, minimal-overhead execution of container and function workloads. Read more about the Firecracker Charter

firecracker-microvm 19.5k Sep 28, 2022
Secure storage for cryptographic secrets in Rust

secrets secrets is a library to help Rust programmers safely held cryptographic secrets in memory. It is mostly an ergonomic wrapper around the memory

Stephen Touset 151 Sep 2, 2022
Cyg will help you to secure files in your repository directly using PGP encryption

cyg: Secure files in your repository Cyg will help you to secure files in your repository directly using PGP encryption. The name "cyg" was inspired b

Hisam Fahri 2 Aug 31, 2022
Use Touch ID / Secure Enclave for SSH Authentication!

SeKey About SeKey is a SSH Agent that allow users to authenticate to UNIX/Linux SSH servers using the Secure Enclave How it Works? The Secure Enclave

SeKey 2.3k Sep 27, 2022
Easy c̵̰͠r̵̛̠ö̴̪s̶̩̒s̵̭̀-t̶̲͝h̶̯̚r̵̺͐e̷̖̽ḁ̴̍d̶̖̔ ȓ̵͙ė̶͎ḟ̴͙e̸̖͛r̶̖͗ë̶̱́ṉ̵̒ĉ̷̥e̷͚̍ s̷̹͌h̷̲̉a̵̭͋r̷̫̊ḭ̵̊n̷̬͂g̵̦̃ f̶̻̊ơ̵̜ṟ̸̈́ R̵̞̋ù̵̺s̷̖̅ţ̸͗!̸̼͋

Rust S̵̓i̸̓n̵̉ I̴n̴f̶e̸r̵n̷a̴l mutability! Howdy, friendly Rust developer! Ever had a value get m̵̯̅ð̶͊v̴̮̾ê̴̼͘d away right under your nose just when

null 293 Sep 22, 2022
ssh-box: use ssh keys to encrypt files

ssh-box: use ssh keys to encrypt files work in progress ssh-box file format A file encrypted by ssh-box is an ASCII-armored binary file. The binary co

Tony Finch 3 Jun 27, 2022
This PAM module provides ssh-agent based authentication

PAM-RSSH This PAM module provides ssh-agent based authentication. The primary design goal is to avoid typing password when you sudo on remote servers.

Yuxiang Zhang 15 Aug 18, 2022
Easy to use cryptographic framework for data protection: secure messaging with forward secrecy and secure data storage. Has unified APIs across 14 platforms.

Themis provides strong, usable cryptography for busy people General purpose cryptographic library for storage and messaging for iOS (Swift, Obj-C), An

Cossack Labs 1.6k Sep 21, 2022
Utilities for interacting with the Behringer X-Touch Mini MIDI controller

xtouchmini Collection of utilities for interacting with the Behringer X-Touch Mini MIDI controller, including reading button/knob/fader inputs and sen

null 5 Nov 11, 2021
Recognize gestures by touch events

Gesture Recognizer This crate provides abstract API to recognize and handle simple gestures. At now three type of gestures are supported: Move by one

ilya sheprut 4 Jul 24, 2021
A translator interface between VoiceMeeter/VBAN and the X-Touch

VBAN -> XCtrl translator This serves as a network based translator for interfacing the Behringer X-Touch with VoiceMeeter Potato. It is designed to ru

Ollie Nye 4 Sep 3, 2022
A safe implementation of the secure remote password authentication and key-exchange protocol (SRP), SRP6a and legacy are as features available.

Secure Remote Password (SRP 6 / 6a) A safe implementation of the secure remote password authentication and key-exchange protocol (SRP version 6a). Ver

Sven Assmann 10 Aug 1, 2022
ARM TrustZone-M example application in Rust, both secure world side and non-secure world side

ARM TrustZone-M example application in Rust, both secure world side and non-secure world side; projects are modified from generated result of cortex-m-quickstart.

null 43 Aug 13, 2022
User-friendly secure computation engine based on secure multi-party computation

CipherCore If you have any questions, or, more generally, would like to discuss CipherCore, please join the Slack community. See a vastly extended ver

CipherMode Labs 341 Sep 15, 2022