TPM: Difference between revisions

Line 30:

<syntaxhighlight>PKCS11Provider /run/current-system/sw/lib/libtpm2_pkcs11.so</syntaxhighlight>To load your ssh key into the running <code>ssh-agent</code>, use <code>ssh-add -s</code>:<syntaxhighlight lang="bash">

ssh-add -s /run/current-system/sw/lib/libtpm2_pkcs11.so

</syntaxhighlight>Note that ~~since OpenSSH 8.9~~, <code>ssh-agent</code> ~~enforces a~~ PKCS#11 ~~provider~~ whitelist. You may need to start the agent with the <code>-P</code> flag to allow the ~~NixOS~~ library paths:<syntaxhighlight lang="bash">

</syntaxhighlight>Note that by default, <code>ssh-agent</code> refuses to load PKCS#11 modules outside a whitelist of trusted paths, and <code>/nix/store</code> paths are not included in this default list. You may need to start the agent with the <code>-P</code> flag to allow the library paths:<syntaxhighlight lang="bash">

ssh-agent -P "/run/current-system/sw/lib/*,/nix/store/*/lib/*"

</syntaxhighlight>For a persistent setup, you can configure the system-wide agent in your <code>configuration.nix</code>: <syntaxhighlight lang="nixos">

</syntaxhighlight>For a persistent setup, you can configure the system-wide agent in your <code>configuration.nix</code>: <syntaxhighlight lang="nixos">programs.ssh = {

programs.ssh = {

startAgent = true;

agentPKCS11Whitelist = "${config.security.tpm2.pkcs11.package}/lib/*,/run/current-system/sw/lib/*";

};

};</syntaxhighlight>

</syntaxhighlight>

== Frequently Asked Questions ==

@@ Line 30: / Line 30: @@
 <syntaxhighlight>PKCS11Provider /run/current-system/sw/lib/libtpm2_pkcs11.so</syntaxhighlight>To load your ssh key into the running <code>ssh-agent</code>, use <code>ssh-add -s</code>:<syntaxhighlight lang="bash">
 ssh-add -s /run/current-system/sw/lib/libtpm2_pkcs11.so
-</syntaxhighlight>Note that since OpenSSH 8.9, <code>ssh-agent</code> enforces a PKCS#11 provider whitelist. You may need to start the agent with the <code>-P</code> flag to allow the NixOS library paths:<syntaxhighlight lang="bash">
+</syntaxhighlight>Note that by default, <code>ssh-agent</code> refuses to load PKCS#11 modules outside a whitelist of trusted paths, and <code>/nix/store</code> paths are not included in this default list. You may need to start the agent with the <code>-P</code> flag to allow the library paths:<syntaxhighlight lang="bash">
 ssh-agent -P "/run/current-system/sw/lib/*,/nix/store/*/lib/*"
-</syntaxhighlight>For a persistent setup, you can configure the system-wide agent in your <code>configuration.nix</code>: <syntaxhighlight lang="nixos">
+</syntaxhighlight>For a persistent setup, you can configure the system-wide agent in your <code>configuration.nix</code>: <syntaxhighlight lang="nixos">programs.ssh = {
-programs.ssh = {
    startAgent = true;
    agentPKCS11Whitelist = "${config.security.tpm2.pkcs11.package}/lib/*,/run/current-system/sw/lib/*";
-};
+};</syntaxhighlight>
-</syntaxhighlight>
 == Frequently Asked Questions ==