Skip to content
/ sekey Public

Use Touch ID / Secure Enclave for SSH Authentication!

License

Notifications You must be signed in to change notification settings

sekey/sekey

Repository files navigation

SeKey

Build Status MIT Licensed

SeKey

About

SeKey is a SSH Agent that allow users to authenticate to UNIX/Linux SSH servers using the Secure Enclave

How it Works?

The Secure Enclave is a hardware-based key manager that’s isolated from the main processor to provide an extra layer of security. When you store a private key in the Secure Enclave, you never actually handle the key, making it difficult for the key to become compromised. Instead, you instruct the Secure Enclave to create the key, securely store it, and perform operations with it. You receive only the output of these operations, such as encrypted data or a cryptographic signature verification outcome.

Limitations

  • Only support MacBook Pro with the Touch Bar and Touch ID
  • Can’t import preexisting key
  • Stores only 256-bit elliptic curve private key

Install

Homebrew

Unfortunately, I can't make a Homebrew formula because KeyChain API requires entitlements, so the binary has to be signed to work, still you can use Homebrew Cask

Homebrew Cask

  1. Install Sekey
brew cask install sekey
  1. Append the following line to your ~/.bash_profile or ~/.zshrc
export SSH_AUTH_SOCK=$HOME/.sekey/ssh-agent.ssh

or

  1. Add the following line you your ~/.ssh/config or /etc/ssh/ssh_config
IdentityAgent ~/.sekey/ssh-agent.ssh

Pkg Installer

  1. Go to Releases and download the pkg release
  2. Install the application using the pkg.
  3. Set enviroment variables and fix the path of sekey folder.
export PATH=$PATH:/Applications/SeKey.app/Contents/MacOS
export SSH_AUTH_SOCK=$HOME/.sekey/ssh-agent.ssh

Manual Installation

  1. Go to Releases and download the zip release
  2. Place the App in the Applications folder.
  3. Go to ~/Library/LaunchAgents
  4. Create the file com.ntrippar.sekey.plist
  5. Paste the following into the file and fix the path of the sekey binary:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.ntrippar.sekey</string>
    <key>ProgramArguments</key>
    <array>
        <string>/absolute/path/to/SeKey.app/Contents/MacOS/sekey</string>
        <string>--daemon</string>
    </array>
    <key>StandardErrorPath</key>
    <string>/dev/null</string>
    <key>StandardOutPath</key>
    <string>/dev/null</string>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
  1. Fix permissions
chown youruser:staff /absolute/path/to/SeKey.app/Contents/MacOS/sekey
  1. Load the agent to the user account:
launchctl load -F ~/Library/LaunchAgents/com.ntrippar.sekey.plist
  1. Set enviroment variables and fix the path of sekey folder.
export PATH=$PATH:/path/to/SeKey.app/Contents/MacOS
export SSH_AUTH_SOCK=$HOME/.sekey/ssh-agent.ssh

Usage

For the help menu:

ntrippar@macbookpro:~% sekey -h
SeKey 1.0
Nicolas Trippar <ntrippar@gmail.com>
Use Secure Enclave for SSH Authentication

USAGE:
    sekey [FLAGS] [OPTIONS]

FLAGS:
        --daemon       Run the daemon
    -h, --help         Prints help information
        --list-keys    List all keys
    -V, --version      Prints version information

OPTIONS:
        --delete-keypair <ID>         Deltes the keypair
        --export-key <ID>             export key to OpenSSH Format
        --generate-keypair <LABEL>    Generate a key inside the Secure Enclave

Examples

Create KeyPair inside the Secure Enclave:

ntrippar@macbookpro:~% sekey --generate-keypair "Github Key"
Keypair Github Key sucessfully generated

List keys in the secure enclave:

ntrippar@macbookpro:~% sekey --list-keys

┌────────────────────┬──────────────────────────────────────────────────┐
│       Label        │                        ID                        │
├────────────────────┼──────────────────────────────────────────────────┤
│     Github Key     │     d179eb4c2d6a242de64e82240b8b6e611cf0d729     │
└────────────────────┴──────────────────────────────────────────────────┘

Export public key to OpenSSH format:

ntrippar@macbookpro:~% sekey --export-key d179eb4c2d6a242de64e82240b8b6e611cf0d729
ecdsa-sha2-nistp25 AAAAEmVjZHNhLXNoYTItbmlzdHAyNQAAAAhuaXN0cDI1NgAAAEEE8HM7SBdu3yOYkmF0Wnj/q8t2NJC6JYJWZ4IyvkOVIeUs6mi4B424bAjhZ4Awgk5ax9r25RB3Q8tL2/7J/3xchQ==

Delete Keypair:

ntrippar@macbookpro:~% sekey --delete-keypair d179eb4c2d6a242de64e82240b8b6e611cf0d729
Key d179eb4c2d6a242de64e82240b8b6e611cf0d729 sucessfully deleted

Use key for a specific host:

  1. export the public key from sekey and save it to a file
ntrippar@macbookpro:~% sekey --export-key d179eb4c2d6a242de64e82240b8b6e611cf0d729 > ~/.ssh/example.com.pub
  1. on the ssh config file located in ~/.ssh/config we should add a entry so the ssh only query that key for the given host
Host example.com
    IdentityFile ~/.ssh/example.com.pub
    IdentitiesOnly yes

How to Build

Build

Sekey is built with Cargo, the Rust package manager.

git clone https://github.com/ntrippar/sekey
cd sekey
cargo build --release

Sign

SeKey utilizes the KeyChain API on MacOS, for using it the app needs to be signed and have the correct entitlements.

You need to change the sign parameter to match your own signing key

Listing keys

security find-identity -v -p codesigning

Sign

codesign --force --identifier "com.ntrippar.sekey" --sign "Developer ID Application: Nicolas Trippar (5E8NNEEMLP)" --entitlements ./assets/sekey.entitlements --timestamp=none ./bundle/SeKey.app

Package

cp ./target/release/sekey ./bundle/Applications/SeKey.app/Contents/MacOS/sekey

if needed to create a pkg installer

pkgbuild --analyze --root ./bundle/ SeKey.plist

pkgbuild --sign "Developer ID Installer: Nicolas Trippar (5E8NNEEMLP)" --identifier com.ntrippar.sekey --root ./bundle/ --scripts ./install-scripts --component-plist ./Sekey.plist ./sekey.pkg

Contribute

Members of the open-source community are encouraged to submit pull requests directly through GitHub.

About

Use Touch ID / Secure Enclave for SSH Authentication!

Resources

License

Stars

Watchers

Forks

Packages

No packages published