Thursday, March 9, 2023

Using Trusted Platform Module (TPM) backed certificates for Secure Shell (SSH)

Trusted Platform Modules are awesome devices for storing & securing credential material.

Googling around, I found a great write-up for a non-enterprise environment (note: self-signed/ephemeral CAs are used to get a 10-year certificate). That article is found here:

Windows SSH client with TPM (habets.se)


However, after following the instructions I still had trouble getting PuTTY Common Access Card (PuTTY-CAC) to log in to machines; the client fails with the error "Server refused public-key signature despite accepting key!" PuTTY reports that when the server has answered the initial public-key query with SSH_MSG_USERAUTH_PK_OK (the key matched authorized_keys) but then rejects the signed authentication request, so the public half is fine and it is the signature produced on the client that does not verify.

Setting LogLevel DEBUG in the server's sshd_config and watching /var/log/auth.log during an authentication attempt is consistent with that error: the server accepts the offered key, and then the connection closes. That pointed at the client-side TPM configuration rather than the server. To be honest, I didn't know much about how any of it works, and I still don't, but research and trial and error took me to articles like this one:
Microsoft Cryptographic Service Providers - Win32 apps | Microsoft Learn

The Cryptographic Service Providers (and CNG Key Storage Providers) installed on a Windows host can be listed with certutil -csplist. Note: this switch isn't clearly documented!

Experimentally I discovered that swapping the proposed "Microsoft Base Smart Card Crypto Provider" (a legacy CryptoAPI CSP) for the CNG Key Storage Provider in the request's ProviderName line:

ProviderName = "Microsoft Smart Card Key Storage Provider"


lets me complete all of the steps and connect to servers without error. My guess is that the base crypto provider is not correctly signing the challenges, but honestly I have no idea. It has worked for me, though!
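As an added example (this is not code from the original post or from the habets.se write-up), here is how the provider check and a certreq request carrying the corrected ProviderName look from PowerShell. The subject name, the file names, the 2048-bit RSA key and the 10-year self-signed validity are assumptions for illustration; only the two provider names come from the text above.

```powershell
# Added example, not the original post's or the habets.se article's code.
# Assumed names: request.inf and tpm-ssh.cer in the current directory, and the
# subject "CN=tpm-ssh-key". Adjust to taste.

# 1. List the providers this host knows about. certutil -csplist prints one
#    "Provider Name: ..." line per legacy CryptoAPI CSP and per CNG Key Storage
#    Provider (KSP). Keep the smart-card related entries so the legacy CSP and
#    the CNG KSP can be told apart before writing the request.
$providers = certutil -csplist | ForEach-Object {
    if ($_ -match '^Provider Name:\s*(.+)$') { $Matches[1].Trim() }
}

$providers | Where-Object { $_ -like '*Smart Card*' }
# On a stock Windows install both of these are present:
#   Microsoft Base Smart Card Crypto Provider   <- legacy CAPI CSP (failed for the author)
#   Microsoft Smart Card Key Storage Provider   <- CNG KSP (worked for the author)

$ksp = 'Microsoft Smart Card Key Storage Provider'
if ($providers -notcontains $ksp) {
    throw "KSP '$ksp' is not registered on this host; check the certutil -csplist output."
}

# 2. Self-signed request INF. The only change from the legacy setup is the
#    ProviderName line: the CNG KSP instead of "Microsoft Base Smart Card Crypto
#    Provider". RequestType = Cert makes certreq issue a self-signed certificate
#    directly (no CA); ValidityPeriod/ValidityPeriodUnits give the 10-year
#    lifetime; Exportable = FALSE keeps the private key on the card/TPM;
#    KeyUsage 0x80 is digitalSignature, which is all SSH authentication needs.
$inf = @"
[NewRequest]
Subject = "CN=tpm-ssh-key"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
Exportable = FALSE
ProviderName = "$ksp"
KeyUsage = 0x80
RequestType = Cert
ValidityPeriod = Years
ValidityPeriodUnits = 10
"@
Set-Content -Path .\request.inf -Value $inf -Encoding ASCII

# 3. Generate the key on the provider and the self-signed certificate. The
#    certificate lands in the current user's Personal store, where PuTTY-CAC
#    can select it (this step prompts for the card/PIN).
certreq -new .\request.inf .\tpm-ssh.cer

# 4. Confirm which provider actually holds the key: for each certificate with
#    a private key, certutil prints a "Provider = ..." line. The value here
#    should be the KSP, not the legacy CSP.
certutil -user -store My | Select-String -Pattern 'Subject:|Key Container|Provider ='
```

Step 4 is the check worth keeping: if the `Provider =` line still names the legacy CSP, the request was generated with the old INF and PuTTY-CAC will keep producing the "refused public-key signature" failure described above.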