SSH Certificates and Keys in Apple T2 On-host

Tommy
October 14 2020

Key Takeaways

  • SSH certificates can be used with the Apple T2 chip on macOS as an alternative to external smart cards, authenticated with a fingerprint per session.
  • The Mac T2 chip serves as an extra security layer by creating private keys in the secure enclave.
  • The CA can be stored on an external smartcard, only signing for access in a limited period - again limiting the exposure.

Introduction

Over the past days I have been going down a deep, deep rabbit hole of SSH proxy jumping and SSH certificates combined with smart cards.

After playing around with smart cards for SSH, I recognized that not only external smart cards such as the Yubikey or Nitrokey is a possible lane to go down.

Mac computers comes with a security chip called T2. This chip is also known to host something Apple calls Secure Enclave [1]. In the Secure Enclave you can store keys.

It will probably not serve as an equally secure solution as with external smart cards, but it is a better balance for usability.

The T2 is permanently stored in hardware on one host only, so the access needs to be signed on a per-host basis. In such I would say the T2 and external smart cards complement each other.

Always having the key available will bring two additional vulnerabilities:

  • If compromised, the key is always available logically
  • Separation of equipment and key is not possible e.g. in a travel situation

With a central pubkey directory tied to an identity (automated), the T2 can be of better use for an enterprise setup.

Setting up a Private Key in Secure Enclave

While fiddling around I found sekey on Github [2]. The project seems abandoned, but it is the secure enclave that does the heavy lifting.

The short and easy setup are:

$ brew cask install sekey
$ echo "export SSH_AUTH_SOCK=$HOME/.sekey/ssh-agent.ssh" >> ~/.zshrc
$ echo "IdentityAgent ~/.sekey/ssh-agent.ssh" >> ~/.ssh/config
$ source ~/.zshrc

A keypair can now be generated in the secure enclave by:

$ sekey --generate-keypair SSH
$ sekey --list-keys

Now export the public key of the curve generated on-chip:

$ sekey --export-key <id> > id_ecdsa.pub

Using the trick we found in our recent venture into using smart cards for signing the key, we can used PCKS#11 without compromising security [3]. In this case I use a Nitrokey:

$ brew cask install opensc
$ PKCS11_MODULE_PATH=/usr/local/lib/opensc-pkcs11.so
$ ssh-keygen -D $PKCS11_MODULE_PATH -e > ca.pub
$ ssh-keygen -D $PKCS11_MODULE_PATH -s ca.pub -I example -n zone-web -V +1h -z 1 id_ecdsa.pub
Enter PIN for 'OpenPGP card (User PIN)': 
Signed user key id_ecdsa-cert.pub: id "example" serial 1 for zone-web valid from 2020-10-14T20:26:00 to 2020-10-14T21:27:51
cp id_ecdsa-cert.pub ~/.ssh/

If you now try to ssh into a server using the given certificate authority as shown in the SSH-CA post [3], access should be granted with a fingerprint.

A Word of Caution

The T2 has some vulnerabilities shown recently [4]. Make sure to include these in your risk assessment of using it. If you won’t go down the smart card route it will still be better than storing the key on disk.

[1] https://support.apple.com/guide/security/secure-enclave-overview-sec59b0b31ff/web
[2] https://github.com/sekey/sekey
[3] https://secdiary.com/2020–10–13-ssh-ca-proxyjump.html
[4] https://inks.cybsec.network/tag/t2

Tags: #architecture #ssh #apple #t2
Read with Gemini

Booting a Mac Mini (OCT 2014) with Debian 8.0

Tommy
February 06 2015

There are a lot of guides on booting Linux on an Mac Mini, and the Mac Mini is absolutely great. There’s also a lot of guides which takes some unnecessary steps on the way from the native OS X experience to the bloated, and difficult-to-setup Linux on OS X. Some of them are good on certain points though.

So, not surprising, I will tell you how to make it work with both a native EFI installation and the Broadcom BCM4366 up and running.

Everything will be done on the command line, so this will work great on servers as well. Of course you won’t run wifi on the work server though (!).

First, take note that this will wipe almost everything Apple from you box except the Firmware. You may roll back through pressing the ALT-key while booting.

Second, you should use Debian 8.0 “Jessie” (which is currently in RC1). This is important since Wheezy doesn’t support the Broadcom chipset.

Prerequisites for this article are:

  • A Mac Mini, tested on an OCT 2014 model
  • A keyboard
  • A USB memory stick of at least 2GB (speed is the key)

1. Install Debian - and Change Boot Order

You should create a bootable USB stick for your Debian installation. When you’ve downloaded the ISO, you can make it bootable without hassle through Unetbootin [1]. That one works on OS X 10.10 “Yosemite” as well.

When you’ve got that one ready insert it into the Mini, holding the ALT-key while booting. You will get to the boot menu, choose the “EFI” one. This will initiate GRUB from the stick.

Do the installation as you would on any other machine. Since your mac is still setup to boot to OS X, we need to change that next in order to make it point to the Debian installation instead.

When rebooting, get into the boot menu by holding the ALT-key again. Select that same GRUB menu again, BUT instead of choosing to install it you should now press “c” to get to the GRUB command line.

It is now time to locate the boot directory [2] on the right disk. Vary X (disk) and Y (partition table) until you find the right combination:

grub> ls (hdX,gptY)/boot/grub

That may for instance result in:

grub> ls (hd2,gpt2)/boot/grub

Set the root to that disk and partition table, and boot it:

grub> set root=(hd2,gpt2)
grub> ls -l (hd2,gpt2)
grub> linux /boot/vmlinux[...].efi.signed root=UUID=[uuid from above command]
grub> initrd /boot/initrd[...]
grub> boot

You will now boot to the one you just installed. It is time to make it persistent and change the boot order with efibootmgr. First list your current settings by:

sudo efibootmgr

Now change the boot order (may vary, point being that Debian should come first):

sudo efibootmgr -o 0,1

Now reboot and enjoy the darkness without wifi.

2. Get Wifi Up and Running (Offline)

The current Broadcom chipset is quite new, so you’ll need to step it up to Debian “Jessie” to get it working. Cutting this a bit short, you will probably need this part to be offline. Showing you a small trick you can get all those dependencies on a vmware installation (run the same image as the one you installed, remember to simulate that you don’t have network on that virtual installation):

apt-get -qq --print-uris install build-essential linux-headers-$(uname -r) broadcom-sta-dkms patch bzip2 wpasupplicant | cut -d\' -f 2 > urls.txt

This will produce a file of urls that are all the packages requested and its dependencies, get the stick, format it with FAT - and grab the packages to it:

wget -i urls.txt

Unmounting that from the virtual installation, insert it into the physical installation:

cd /mnt/usb
dpkg -i *.deb

Remove all modules that may conflict (and blacklist them in /etc/modprobe.d/blacklist.config):

modprobe -r b44 b43 b43legacy ssb brcmsmac

Load the Broadcom module:

modprobe wl
echo wl >> /etc/modules

Everything that’s left now is configuring and starting wpasupplicant:

wpa_passphrase <ssid> [passphrase] > /etc/wpa_supplicant.conf
wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant.conf

To make it persistent enable the interface in /etc/network/interfaces by appending:

auto wlan0
iface wlan0 inet dhcp
    wpa-conf /etc/wpa_supplicant.conf

If you have made an exception in your DHCP pool, you should also make it static (basic stuff, but anyways):

auto wlan0
iface wlan0 inet static
    wpa-conf /etc/wpa_supplicant.conf
    address 192.168.1.2
    netmask 255.255.255.0
    gateway 192.168.1.1

That’s basically it. Enjoy the show!

Edit 1, FEB 7th 2015: So I got to play with systemd, since it turns out a service isn’t a service the way it used to be. In order to start services in Debian “Jessie”, you’ll need to use systemd. Here’s an example for znc [3]:

[Unit]
Description=An advanced IRC bouncer
After=network.target oidentd.socket
     
[Service]
Type=simple
EnvironmentFile=/etc/conf.d/znc
User=znc
ExecStart=/usr/bin/znc -f $ZNC_OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
     
[Install]
WantedBy=multi-user.target 

Also create the directory and drop the following line into /etc/conf.d/znc: ZNC_OPTIONS="-d /var/lib/znc"

Edit 2, FEB 7th 2015: To enable the Mac Mini to auto-restart after power failure set the following PCI value [4]:

setpci -s 0:1f.0 0xa4.b=0

[1] http://unetbootin.sourceforge.net/
[2] http://askubuntu.com/questions/516535/how-can-i-use-the-installer-to-manually-boot-into-a-system-without-grub-installer
[3] https://gist.github.com/tlercher/3897561
[4] http://smackerelofopinion.blogspot.no/2011/09/mac-mini-rebooting-tweaks-setpci-s-01f0.html

Tags: #macmini #mac #apple #debian #boot #installation #os
Read with Gemini

This blog is powered by cl-yag and Tufte CSS!