Foxboron / ssh-tpm-agent

:computer: :key: ssh-agent for TPMs
MIT License

agent 13: failed getting handle: TPM_RC_INTEGRITY (parameter 1): integrity check failed #55

Closed nl6720 closed 4 months ago

nl6720 commented 4 months ago

After upgrading to ssh-tpm-agent 0.5.0-1, none of the existing keys (originally created with ssh-keygen and imported) can be used.

ssh-tpm-agent -d shows:

time=2024-06-24T16:54:18.806+03:00 level=INFO msg="Warning: ssh-tpm-agent is meant to run as a background daemon."
time=2024-06-24T16:54:18.806+03:00 level=INFO msg="Running multiple instances is likely to lead to conflicts."
time=2024-06-24T16:54:18.806+03:00 level=INFO msg="Consider using a systemd service."
time=2024-06-24T16:54:18.807+03:00 level=INFO msg="Listening on socket" path=/run/user/1000/ssh-tpm-agent.sock
time=2024-06-24T16:54:18.807+03:00 level=DEBUG msg="called loadkeys"
time=2024-06-24T16:54:18.807+03:00 level=DEBUG msg="skipping key: does not have .tpm suffix" name=/home/username/.ssh/authorized_keys
time=2024-06-24T16:54:18.807+03:00 level=DEBUG msg="skipping key: does not have .tpm suffix" name=/home/username/.ssh/config
time=2024-06-24T16:54:18.807+03:00 level=DEBUG msg="skipping key: does not have .tpm suffix" name=/home/username/.ssh/id_ecdsa-TEST.pub
time=2024-06-24T16:54:18.807+03:00 level=DEBUG msg="added TPM key" name=/home/username/.ssh/id_ecdsa-TEST.tpm
time=2024-06-24T16:54:18.807+03:00 level=DEBUG msg="skipping key: does not have .tpm suffix" name=/home/username/.ssh/known_hosts

Running an ssh command using the key shows:

sign_and_send_pubkey: signing failed for ECDSA "/home/username/.ssh/id_ecdsa-TEST.pub" from agent: agent refused operation

ssh-tpm-agent:

time=2024-06-24T16:54:23.038+03:00 level=DEBUG msg="called extensions"
time=2024-06-24T16:54:23.038+03:00 level=DEBUG msg="called list"
time=2024-06-24T16:54:23.081+03:00 level=DEBUG msg="called signwithflags"
time=2024-06-24T16:54:23.323+03:00 level=INFO msg="agent 13: failed getting handle: TPM_RC_INTEGRITY (parameter 1): integrity check failed"

Using ssh-tpm-agent 0.5.0-1
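As an added example (not part of this issue thread and not code from the ssh-tpm-agent project), the following Go program parses the agent's key=value log lines, which are in the text format Go's log/slog handler emits, and flags the pattern shown above: a key file the agent loaded at startup followed by a sign request that fails with TPM_RC_INTEGRITY. That return code is the TPM reporting that the integrity check on a private key blob failed at load time, which is why a key sealed by an earlier release can no longer be used and has to be recreated. The embedded log lines are constructed from the ones in the report; parseSlogLine, AnalyseAgentLog and Report are names chosen for this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// constructedLog is sample input modelled on the lines in the issue
// (constructed for this example, not captured from a real system).
const constructedLog = `time=2024-06-24T16:54:18.807+03:00 level=DEBUG msg="added TPM key" name=/home/username/.ssh/id_ecdsa-TEST.tpm
time=2024-06-24T16:54:18.807+03:00 level=DEBUG msg="skipping key: does not have .tpm suffix" name=/home/username/.ssh/known_hosts
time=2024-06-24T16:54:23.081+03:00 level=DEBUG msg="called signwithflags"
time=2024-06-24T16:54:23.323+03:00 level=INFO msg="agent 13: failed getting handle: TPM_RC_INTEGRITY (parameter 1): integrity check failed"`

// parseSlogLine parses one key=value line as written by log/slog's text
// handler. Values that contain spaces are quoted in Go string syntax, so
// the quoted form is located by hand (honouring backslash escapes) and
// then decoded with strconv.Unquote.
func parseSlogLine(line string) (map[string]string, error) {
	fields := map[string]string{}
	rest := strings.TrimSpace(line)
	for rest != "" {
		eq := strings.IndexByte(rest, '=')
		if eq < 0 {
			return nil, fmt.Errorf("malformed field in %q", rest)
		}
		key := rest[:eq]
		rest = rest[eq+1:]
		var val string
		if strings.HasPrefix(rest, `"`) {
			end := -1
			for i := 1; i < len(rest); i++ {
				if rest[i] == '\\' {
					i++ // skip the escaped character
					continue
				}
				if rest[i] == '"' {
					end = i
					break
				}
			}
			if end < 0 {
				return nil, fmt.Errorf("unterminated quote in %q", rest)
			}
			unq, err := strconv.Unquote(rest[:end+1])
			if err != nil {
				return nil, err
			}
			val = unq
			rest = strings.TrimLeft(rest[end+1:], " ")
		} else {
			sp := strings.IndexByte(rest, ' ')
			if sp < 0 {
				val, rest = rest, ""
			} else {
				val, rest = rest[:sp], strings.TrimLeft(rest[sp+1:], " ")
			}
		}
		fields[key] = val
	}
	return fields, nil
}

// Report summarises what an agent debug log says about loaded keys and
// TPM integrity failures.
type Report struct {
	LoadedKeys        []string
	IntegrityFailures int
}

// AnalyseAgentLog records every key file the agent reported as added and
// counts messages carrying TPM_RC_INTEGRITY.
func AnalyseAgentLog(log string) (Report, error) {
	var r Report
	for _, line := range strings.Split(log, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		f, err := parseSlogLine(line)
		if err != nil {
			return r, err
		}
		switch {
		case f["msg"] == "added TPM key":
			r.LoadedKeys = append(r.LoadedKeys, f["name"])
		case strings.Contains(f["msg"], "TPM_RC_INTEGRITY"):
			r.IntegrityFailures++
		}
	}
	return r, nil
}

// NeedsRecreation is true when keys loaded but the TPM later rejected a
// private blob's integrity check, the situation described in the issue.
func (r Report) NeedsRecreation() bool {
	return len(r.LoadedKeys) > 0 && r.IntegrityFailures > 0
}

func main() {
	r, err := AnalyseAgentLog(constructedLog)
	if err != nil {
		panic(err)
	}
	fmt.Printf("loaded keys: %v\n", r.LoadedKeys)
	fmt.Printf("integrity failures: %d\n", r.IntegrityFailures)
	if r.NeedsRecreation() {
		fmt.Println("keys were sealed by an earlier release; recreate them")
	}
}
```

Run it against the output of `ssh-tpm-agent -d` to get a list of the `.tpm` files the agent loaded; if any integrity failures are counted, those are the key files to regenerate rather than a sign of TPM hardware trouble.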

nl6720 commented 4 months ago

Oh, this is documented in the changelog!

https://github.com/Foxboron/ssh-tpm-agent/releases/tag/v0.5.0

So please recreate any keys you have made with previous releases.

Foxboron commented 4 months ago

It would be very hit and miss to detect old keys, so it's better to just make this a clean slate.

The error could have been better though.