TPM keys and user presence

[Anton Khirnov]

Hi all,
I am currently looking into the use of TPM-based keys on my laptop for
SSH authentication. One aspect that bugs me is that AFAIU either
- I have to enter the PIN on every use, which is highly inconvenient and
  increases the likelihood the entry will be observed (e.g. in a public
  environment with cameras)
- the key is in the agent and PIN is not required, then any program that
  can access the agent can silently SSH all it wants

I quite like the "presence" functionality in FIDO2 tokens, where I need
to press the button on the token in order to use the key, ideally I'd
like to set up something analogous with TPM. Other possibilities that
come to mind are
- re-enter the PIN after N uses; does TPM have a counter that could be
  used for this? or perhaps ssh-agent?
- show a desktop notification on (every Nth?) use

I am aware of the ssh-add -t option, which sort of works in this
direction, but it is not exactly what I want, since
- it is time-based rather than use-based
- after a key expires I have to re-add it, which is more hassle than
  just re-entering the PIN

Thoughts and advice on this matter would be highly appreciated.

Cheers,
-- 
Anton Khirnov