Bugzilla – Bug 1212539
Wrong directory permissions for tss group prevent using TPM2 for SSH as non-root user
Last modified: 2023-07-07 15:08:35 UTC
The user is part of the tss group, but there seem to be some permissions set wrong, so the user can't use the TPM as described e.g. here: https://blog.ledger.com/ssh-with-tpm/

$ ssh -I /usr/lib64/pkcs11/libtpm2_pkcs11.so server5
WARNING:fapi:src/tss2-fapi/ifapi_io.c:339:ifapi_io_check_create_dir() Directory /var/lib/tpm2-tss/system/keystore/policy does not exist, creating
ERROR:fapi:src/tss2-fapi/ifapi_helpers.c:1055:create_dirs() mkdir not possible: -1 /var/lib/tpm2-tss/system/
ERROR:fapi:src/tss2-fapi/ifapi_helpers.c:1082:ifapi_create_dirs() ErrorCode (0x0006000b) Create directories for /var/lib/tpm2-tss/system/keystore/policy
ERROR:fapi:src/tss2-fapi/ifapi_io.c:342:ifapi_io_check_create_dir() ErrorCode (0x0006000b) Directory /var/lib/tpm2-tss/system/keystore/policy can't be created.
ERROR:fapi:src/tss2-fapi/ifapi_policy_store.c:115:ifapi_policy_store_initialize() ErrorCode (0x0006000b) Policy directory /var/lib/tpm2-tss/system/keystore/policy can't be created.
ERROR:fapi:src/tss2-fapi/api/Fapi_Initialize.c:218:Fapi_Initialize_Finish() ErrorCode (0x0006000b) Keystore could not be initialized.
WARNING: Listing FAPI token objects failed: "fapi:A parameter has a bad value"
Please see https://github.com/tpm2-software/tpm2-pkcs11/blob/1.9.0/docs/FAPI.md for more details
WARNING: FAPI backend was not initialized.
ERROR: Could not open lock file "/etc/tpm2_pkcs11/tpm2_pkcs11.sqlite3.lock", error: Permission denied
WARNING: ESYSDB backend was not initialized.
ERROR: Neither FAPI nor ESYSDB backends could be initialized.
C_Initialize for provider /usr/lib64/pkcs11/libtpm2_pkcs11.so failed: 5
dheidler@server5: Permission denied (publickey).

Getting the public key from the TPM also doesn't work unless done as root, and even then there are a number of warnings printed:

$ ssh-keygen -D /usr/lib64/pkcs11/libtpm2_pkcs11.so
WARNING:fapi:src/tss2-fapi/ifapi_io.c:339:ifapi_io_check_create_dir() Directory /var/lib/tpm2-tss/system/keystore/policy does not exist, creating
ERROR:fapi:src/tss2-fapi/ifapi_helpers.c:1055:create_dirs() mkdir not possible: -1 /var/lib/tpm2-tss/system/
ERROR:fapi:src/tss2-fapi/ifapi_helpers.c:1082:ifapi_create_dirs() ErrorCode (0x0006000b) Create directories for /var/lib/tpm2-tss/system/keystore/policy
ERROR:fapi:src/tss2-fapi/ifapi_io.c:342:ifapi_io_check_create_dir() ErrorCode (0x0006000b) Directory /var/lib/tpm2-tss/system/keystore/policy can't be created.
ERROR:fapi:src/tss2-fapi/ifapi_policy_store.c:115:ifapi_policy_store_initialize() ErrorCode (0x0006000b) Policy directory /var/lib/tpm2-tss/system/keystore/policy can't be created.
ERROR:fapi:src/tss2-fapi/api/Fapi_Initialize.c:218:Fapi_Initialize_Finish() ErrorCode (0x0006000b) Keystore could not be initialized.
WARNING: Listing FAPI token objects failed: "fapi:A parameter has a bad value"
Please see https://github.com/tpm2-software/tpm2-pkcs11/blob/1.9.0/docs/FAPI.md for more details
WARNING: FAPI backend was not initialized.
ERROR: Could not open lock file "/etc/tpm2_pkcs11/tpm2_pkcs11.sqlite3.lock", error: Permission denied
WARNING: ESYSDB backend was not initialized.
ERROR: Neither FAPI nor ESYSDB backends could be initialized.
C_Initialize for provider /usr/lib64/pkcs11/libtpm2_pkcs11.so failed: 5
cannot read public key from pkcs11

# ssh-keygen -D /usr/lib64/pkcs11/libtpm2_pkcs11.so
WARNING:fapi:src/tss2-fapi/api/Fapi_List.c:226:Fapi_List_Finish() Profile of path not provisioned: /HS/SRK
ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:81:Fapi_List() ErrorCode (0x00060034) Entities_List
WARNING: Listing FAPI token objects failed: "fapi:Provisioning was not executed."
Please see https://github.com/tpm2-software/tpm2-pkcs11/blob/1.9.0/docs/FAPI.md for more details
WARNING: Getting tokens from fapi backend failed.
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBHjl6dXmkqoFcCAv0zixY1S/Nvq7/NOYfzKq9JhN7S1nksJtk18hcuWB+LK7qHcC84P6swNRnclcCHhz2Yzskk= ssh server access key
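A small permission diagnostic, added here as an example and not part of the bug report or of the tpm2-software projects: for each path the errors above name, it walks up to the deepest existing ancestor and reports whether the invoking user could create the missing entry there, which is the step the mkdir and lock-file open fail on. It assumes only POSIX sh and GNU or BSD stat.

```shell
# Added diagnostic for the tss-group permission failure reported above.
# It does not change anything; it only reports which path component blocks.

# Print the deepest existing ancestor of $1 (the path itself if it exists).
deepest_existing() {
    p=$1
    while [ ! -e "$p" ]; do
        p=$(dirname "$p")
    done
    printf '%s\n' "$p"
}

# Succeed if the current user could create (or open for writing) $1:
# either it exists and is writable, or its deepest existing ancestor is a
# directory the user may write to and traverse.
can_create() {
    anc=$(deepest_existing "$1")
    if [ "$anc" = "$1" ]; then
        [ -w "$anc" ]
    else
        [ -d "$anc" ] && [ -w "$anc" ] && [ -x "$anc" ]
    fi
}

# Report one path with the mode and owner:group of the blocking component.
report() {
    path=$1
    anc=$(deepest_existing "$path")
    mode=$(stat -c '%A %U:%G' "$anc" 2>/dev/null || stat -f '%Sp %Su:%Sg' "$anc")
    if can_create "$path"; then
        printf 'OK   %s (creatable via %s: %s)\n' "$path" "$anc" "$mode"
    else
        printf 'FAIL %s blocked at %s: %s\n' "$path" "$anc" "$mode"
    fi
}

# Show who is asking, since membership in tss is the premise of the bug.
printf 'running as %s, groups: %s\n' "$(id -un)" "$(id -Gn)"

# Paths taken verbatim from the error messages in this bug.
for p in /var/lib/tpm2-tss/system/keystore/policy \
         /etc/tpm2_pkcs11/tpm2_pkcs11.sqlite3.lock; do
    report "$p"
done
```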