HP-UX Trusted Computing Services A.02.00 Administrator's Guide
This command creates two files: output_file and output_file.pub. The output_file file contains a key blob with an RSA key pair; the private key is encrypted by the TPM RK. The output_file.pub file contains the public key in SSH v2 format. You will need the output_file.pub file to manually distribute the server's public key if any SSH clients have StrictHostKeyChecking set to yes. For more information, see “Step 5: Distributing and Installing the SSH Server Public Key” (page 59).
The RSA key pair has the following characteristics:
• Public exponent value: 65537.
• Key length: 2048 bits. To specify an alternate key length, use the -k key_size option, as described in tpmcreate(1).
• Passphrase: None. This enables you to start the sshd daemon without operator intervention. The private key is encrypted by the TCS Roaming Key (RK).
To specify a passphrase, use the -a option. The tpmcreate utility will attempt to use the value of the TCS_PASS environment variable for the passphrase. If TCS_PASS is not set, tpmcreate prompts you for the passphrase.
If you create a key pair with passphrase protection, the TPM engine will require the passphrase when the sshd daemon starts. The TPM engine will attempt to use the value of the TCS_PASS environment variable for the passphrase. If TCS_PASS is not set, the engine issues a prompt to the controlling terminal. If the value of TCS_PASS or the response to the prompt is incorrect, the engine immediately terminates the sshd daemon.
See tpmcreate(1) for more information.
For example:
# tpmcreate -s /etc/opt/tcs/mySSHKeyblob
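Before distributing the server's public key to clients that use StrictHostKeyChecking, it is worth confirming that output_file.pub really carries the characteristics listed above (SSH v2 format, exponent 65537, 2048 bits). The following Python is an added example, not part of the guide or of TCS; it decodes the SSH v2 "ssh-rsa" line (RFC 4253 string and mpint encoding) and checks those two values. The sample key line is constructed inline from an arbitrary 2048-bit number and is not a real key.

```python
"""Check an SSH v2 RSA public key line (e.g. the contents of output_file.pub)."""
import base64
import struct


def _read_string(blob, offset):
    """Read one RFC 4253 'string': uint32 big-endian length, then that many bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def parse_ssh_rsa_public_key(line):
    """Return (key_type, public_exponent, modulus_bits) from an 'ssh-rsa AAAA...' line."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1])
    key_type, off = _read_string(blob, 0)
    e_bytes, off = _read_string(blob, off)   # mpint e
    n_bytes, off = _read_string(blob, off)   # mpint n
    if key_type != b"ssh-rsa" or off != len(blob):
        raise ValueError("malformed ssh-rsa key blob")
    # mpint is big-endian two's complement; a leading 0x00 only keeps the sign positive,
    # so int.from_bytes gives the right value without stripping it.
    e = int.from_bytes(e_bytes, "big")
    n = int.from_bytes(n_bytes, "big")
    return key_type.decode(), e, n.bit_length()


def check_tcs_key_characteristics(line, expected_bits=2048):
    """Compare the key with the defaults tpmcreate documents; return a list of problems."""
    _, e, bits = parse_ssh_rsa_public_key(line)
    problems = []
    if e != 65537:
        problems.append(f"public exponent is {e}, expected 65537")
    if bits != expected_bits:
        problems.append(f"key length is {bits} bits, expected {expected_bits}")
    return problems


def _mpint(value):
    """Encode a non-negative integer as an RFC 4253 mpint (used only to build the sample)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big").lstrip(b"\x00")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw          # pad so the high bit is not read as a sign bit
    return struct.pack(">I", len(raw)) + raw


def make_constructed_pub_line(e, n, comment="constructed-sample"):
    """Build an ssh-rsa line from (e, n); n is a constructed number here, not a real modulus."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


# Constructed sample standing in for output_file.pub: a 2048-bit odd number, not a real key.
SAMPLE_PUB = make_constructed_pub_line(65537, (1 << 2047) | 0x10001)

if __name__ == "__main__":
    print(parse_ssh_rsa_public_key(SAMPLE_PUB))
    print(check_tcs_key_characteristics(SAMPLE_PUB) or "key matches the documented defaults")
```

Run it against a real output_file.pub by passing the file's single line to check_tcs_key_characteristics; an empty list means the key has the documented exponent and size.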
Step 2: Determining the TPM OpenSSL Engine Library for SSH
The TPM OpenSSL engine library file you need for the sshd daemon depends on the version of the OpenSSL libcrypto library that sshd uses and on its compiler data model. Use the procedures described in “Determining the OpenSSL Version of an Application” (page 44) and “Determining the Compiler Data Model” (page 45) to determine these attributes and select the appropriate library from Table 5-1 (page 44).
Step 3: Modifying the sshd Configuration File
You must modify the sshd configuration file with new keywords and values to specify the TPM-protected private key and OpenSSL configuration information. TCS includes the file /opt/tcs/misc/sshd_config_tpm with the new keywords. You can modify this file or add the new keywords and values to an existing sshd configuration file, such as /opt/ssh/etc/sshd_config. The new keywords are as follows:
EngineHostRSAKey
Specifies the path to the TPM-protected key blob file created with the tpmcreate command.
Default: None. You must specify this keyword and a value for the keyword to use TCS with SSH.
EngineConfigFile
Specifies the OpenSSL configuration file containing the directives necessary to load and initialize the OpenSSL engine.
Default: /opt/ssh/etc/server.cnf. For many OpenSSL installations, this is also the default location of the configuration file for OpenSSL utilities. If you want to keep OpenSSL TCS information in a standalone OpenSSL configuration file, change the value of this parameter to a different file name, such as /opt/ssh/etc/server_info_for_tpm.cnf.