Oookay. So the minimal reproducer would be:

# Add the key

```
# let the current user talk to the TPM, then create a token holding one RSA key
sudo usermod -a -G tss $USER
tpm2_ptool init
tpm2_ptool addtoken --pid=1 --label=ssh --userpin=MySecretPassword --sopin=MyRecoveryPassword
tpm2_ptool addkey --label=ssh --userpin=MySecretPassword --algorithm=rsa2048
```

# List the public SSH keys

```
ssh-keygen -D /usr/local/lib/libtpm2_pkcs11.so 2>/dev/null
```

Those warnings/errors are displayed, but can be ignored from what I can understand (see https://github.com/tpm2-software/tpm2-pkcs11/issues/655):

```
WARNING:fapi:src/tss2-fapi/api/Fapi_List.c:226:Fapi_List_Finish() Profile of path not provisioned: /HS/SRK
ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:81:Fapi_List() ErrorCode (0x00060034) Entities_List
ERROR: Listing FAPI token objects failed.
```

# Add the SSH key to authorized_keys

Add this key to root's authorized keys:

```
ssh-keygen -D /usr/local/lib/libtpm2_pkcs11.so 2>/dev/null | sudo tee -a /root/.ssh/authorized_keys
```

# SSH as root

PIN is `MySecretPassword`:

```
ssh -I /usr/local/lib/libtpm2_pkcs11.so root@localhost
```

Observe the error.
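The reproducer's "add to authorized_keys" step pipes `ssh-keygen -D` straight into `sudo tee -a`, which stacks a duplicate entry every time it is re-run and says nothing if the module path is wrong (the `2>/dev/null` that hides the FAPI warnings also hides "module not found"). Below is an added example of the same step done defensively; it is not code from the issue comment or from the tpm2-pkcs11 project. It assumes the module path used in the reproducer (`/usr/local/lib/libtpm2_pkcs11.so`, overridable via `PKCS11_MODULE`), and the key lines it is tested with are constructed sample data, not keys from a real TPM.

```shell
#!/bin/sh
# Added example (not from the issue comment or tpm2-pkcs11): install a
# PKCS#11-backed public key into an authorized_keys file idempotently and
# with the modes sshd expects. Module path is an assumption taken from the
# reproducer; override with PKCS11_MODULE=/path/to/module.so.
set -eu

PKCS11_MODULE="${PKCS11_MODULE:-/usr/local/lib/libtpm2_pkcs11.so}"

# Print the public keys the provider exposes (the reproducer's
# `ssh-keygen -D` step). Discarding stderr hides the FAPI warnings but
# also hides a missing module, so check the path before calling ssh-keygen.
list_pkcs11_pubkeys() {
    if [ ! -r "$PKCS11_MODULE" ]; then
        echo "PKCS#11 module not readable: $PKCS11_MODULE" >&2
        return 1
    fi
    ssh-keygen -D "$PKCS11_MODULE" 2>/dev/null
}

# add_authorized_key FILE KEYLINE
# Appends KEYLINE to FILE only if its base64 key blob is not already there
# (plain `tee -a` appends a duplicate on every re-run), creating the
# directory and file with 0700/0600. Returns 2 on a malformed key line.
add_authorized_key() {
    file=$1
    keyline=$2
    keytype=$(printf '%s\n' "$keyline" | awk '{print $1}')
    blob=$(printf '%s\n' "$keyline" | awk '{print $2}')
    if [ -z "$keytype" ] || [ -z "$blob" ]; then
        echo "malformed key line: $keyline" >&2
        return 2
    fi
    dir=$(dirname "$file")
    mkdir -p "$dir"
    chmod 700 "$dir"
    [ -f "$file" ] || : > "$file"
    chmod 600 "$file"
    # Compare the blob against every field, so an existing entry that
    # carries options (e.g. `from="10.0.0.1" ssh-rsa AAAA...`) still counts.
    if awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) found = 1 }
                         END { exit !found }' "$file"; then
        return 0   # already installed, nothing to do
    fi
    printf '%s\n' "$keyline" >> "$file"
}

# count_keys FILE: number of key entries (non-empty, non-comment lines);
# prints 0 for a missing file.
count_keys() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true
}

# Usage against a real TPM (run as root, not executed here): install every
# key the provider reports, one line at a time.
#   list_pkcs11_pubkeys | while IFS= read -r k; do
#       add_authorized_key /root/.ssh/authorized_keys "$k"
#   done
```

Running the install step repeatedly while iterating on the `ssh -I` failure is then harmless, and a wrong module path fails at the listing step instead of silently installing nothing.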