Manualshelf

HP-UX Trusted Computing Services A.02.00 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX Trusted Computing Services (TCS) Software
51525354555657585960
6 Using TCS RSA Keys with HP-UX Secure Shell
This chapter describes how to use TCS RSA keys for HP-UX Secure Shell server authentication.
This chapter addresses the following topics:
“Overview” (page 55)
“Configuring SSH Servers to Use TCS Keys” (page 56)
“Step 1: Creating a TCS RSA Key Pair for SSH” (page 56)
“Step 2: Determining the TPM OpenSSL Engine Library for SSH” (page 57)
“Step 3: Specifying Engine Information for the Application” (page 45)
“Step 4: Installing and Modifying the OpenSSL Configuration File” (page 58)
“Step 5: Distributing and Installing the SSH Server Public Key” (page 59)
“Step 6: Resetting the sshd Daemon” (page 59)
“Examples” (page 59)
“Backing Up Keys” (page 60)
Overview
HP-UX Secure Shell versions A.05.00.029 and later include an engine-enabled sshd daemon that
can use a TPM-protected RSA private key for server authentication. You must configure sshd
to load the appropriate TCS OpenSSL engine library and use the TCS tpmcreate utility to create
the TCS RSA key pair.
Using TCS to protect SSH server keys provides the following benefits:
Hardware-based encrypted storage for SSH server keys
TCS encrypts the RSA private key with the TPM Roaming Key (RK). For added security,
TCS also supports passphrase protection for the private key, but the private key is stored
in encrypted format whether or not passphrase protection is used. This feature is useful if
you want to store SSH server keys without passphrases so the sshd daemon can start without
requiring an administrator to enter a passphrase, but you do not want to store the server
keys in cleartext.
The TPM-protected private key is never exposed in cleartext. When sshd needs to encrypt
or decrypt data with the private key, the data and encrypted private key are loaded into the
TPM. TCS uses the procedure described in “Chain of Protection” (page 17) to access the
private key and then encrypt or decrypt the data using the TPM's internal processor. The
private RSA key is not exposed in cleartext during these operations.
Platform identity
Because TPM-protected RSA keys can be decrypted and used only on the platform with the
TPM containing the data used to encrypt it, the corresponding public key is bound to the
specific server and TPM containing the parent RK. If an SSH client verifies data encrypted
with a TPM-protected RSA private key as part of the server authentication exchange, the
client is assured that the server using the private key to encrypt the data is on the platform
with the same TPM used to protect the private key.
Transparent compatibility for clients
The corresponding public key of a TPM-protected RSA private key is no different than an
RSA public key created without TCS. The public key can be used by SSH clients with no
changes. You do not need to install TCS on the peer nodes.
The tpmcreate Utility
The tpmcreate utility is similar to the HP-UX Secure Shell ssh-keygen utility. The tpmcreate
utility creates a key blob (opaque object) that contains the RSA key pair, protected by the TPM
Overview 55