Unlocking private key using biometric token
Márton Gunyhó
marci at gunyho.com
Mon Jun 16 22:13:28 AEST 2025
On 2025-06-16 20:57, Brian Candler wrote:
> What kind of laptop? I believe this works out-of-the-box using macOS
> keychain, but I don't know about Linux / *BSD / Windows.
I'm using a Framework 13 laptop with Fedora Linux. For example, when I
run a command as sudo, it prompts me for the fingerprint, and this works
well. The sudo fingerprint auth is through PAM AFAIK.
> A fingerprint is never used as an encryption key. ... The private key
> is stored in a secure enclave, and the secure enclave permits crypto
> operations using that key when the appropriate fingerprint or PIN is
> presented to it. Hence there's quite a lot of integration required.
I see, makes sense. I guess OpenSSH doesn't have this integration on Linux?
> For a self-contained solution which is platform-agnostic look at
> Yubikey Bio. The readily-available FIDO version should work with SSH
> using U2F keys (ecdsa_sk).
The Yubikey looks alright, but I would like to use the built-in
fingerprint reader. I tried to create a key with ssh-keygen -t ecdsa-sk
but that just says "Key enrollment failed: device not found".
More information about the openssh-unix-dev
mailing list