TPM keys and user presence
Anton Khirnov
anton at khirnov.net
Sat Jul 5 15:52:59 AEST 2025
Hi all,
I am currently looking into the use of TPM-based keys on my laptop for
SSH authentication. One aspect that bugs me is that AFAIU either
- I have to enter the PIN on every use, which is highly inconvenient and
increases the likelihood the entry will be observed (e.g. in a public
environment with cameras)
- the key is in the agent and PIN is not required, then any program that
can access the agent can silently SSH all it wants
I quite like the "presence" functionality in FIDO2 tokens, where I need
to press the button on the token in order to use the key; ideally I'd
like to set up something analogous with TPM. Other possibilities that
come to mind are
- re-enter the PIN after N uses; does TPM have a counter that could be
used for this? or perhaps ssh-agent?
- show a desktop notification on (every Nth?) use
I am aware of the ssh-add -t option, which sort of works in this
direction, but it is not exactly what I want, since
- it is time-based rather than use-based
- after a key expires I have to re-add it, which is more hassle than
just re-entering the PIN
Thoughts and advice on this matter would be highly appreciated.
Cheers,
--
Anton Khirnov