Unlocking private key using biometric token
Brian Candler
b.candler at pobox.com
Mon Jun 16 22:40:15 AEST 2025
On 16/06/2025 13:19, hvjunk wrote:
> Look at the ssh-agent providers, they are the ones to implement this behaviour
That might be a reasonable compromise. The key would be held decrypted
in RAM (i.e. you type the passphrase once to get it into the agent), but
the agent has a policy that says it won't allow use of the key unless
you present a fingerprint.
When adding the key to ssh-agent, you'd use the "-c" flag:
    -c  Indicates that added identities should be subject to confirmation
        before being used for authentication. Confirmation is performed by
        ssh-askpass(1). Successful confirmation is signaled by a zero exit
        status from ssh-askpass(1), rather than text entered into the
        requester.
Therefore the last piece of the puzzle is a version of ssh-askpass with
fingerprint reader check; if you can't find this ready-made, you may be
able to cobble it together.
However, the communication between ssh-agent and ssh-askpass can easily
be spoofed by someone with shell access to your laptop. Therefore, how
useful this is in practice depends on your threat model.
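The "last piece of the puzzle" described above, written out as an added example (this is not code from the original post or from OpenSSH): a minimal ssh-askpass replacement that answers ssh-agent's "-c" confirmation with its exit status after running a fingerprint check. It assumes a verifier command that exits 0 only on a successful match (fprintd-verify is assumed here and can be overridden with FP_VERIFY_CMD), and that ssh-agent was started with SSH_ASKPASS pointing at this script.

```shell
#!/bin/sh
# Added example: ssh-askpass replacement gating agent key use on a fingerprint.
# ssh-agent (with keys added via `ssh-add -c`) runs $SSH_ASKPASS with the
# confirmation prompt as its only argument and treats exit status 0 as "yes";
# anything written to stdout is ignored for confirmations.
#
# Assumption: $FP_VERIFY_CMD exits 0 only on a successful fingerprint match.
# fprintd-verify (from the fprintd package) is the assumed default.
FP_VERIFY_CMD="${FP_VERIFY_CMD:-fprintd-verify}"

# Only treat ssh-agent's key-use confirmation as a fingerprint gate. Any other
# prompt (e.g. a passphrase request, where ssh-askpass is expected to print a
# secret) is refused, so this script never echoes anything sensitive.
# Assumed prompt wording: "Allow use of key <comment>?".
is_confirmation_prompt() {
    case "$1" in
        "Allow use of key"*) return 0 ;;
        *)                   return 1 ;;
    esac
}

# Returns 0 (allow) only if the prompt is a confirmation AND the fingerprint
# check succeeds; the decision is logged to stderr for later audit.
confirm_with_fingerprint() {
    prompt="$1"
    is_confirmation_prompt "$prompt" || return 1
    if $FP_VERIFY_CMD >/dev/null 2>&1; then
        printf 'askpass: fingerprint OK: %s\n' "$prompt" >&2
        return 0
    fi
    printf 'askpass: fingerprint FAILED: %s\n' "$prompt" >&2
    return 1
}

# Caveat from the post above: anyone with shell access can repoint SSH_ASKPASS
# or spoof this exchange, so this raises the bar only against remote key use.
#
# When invoked by ssh-agent there is always a prompt argument; with no
# argument (e.g. when sourced for testing) the functions are only defined.
if [ $# -gt 0 ]; then
    confirm_with_fingerprint "$1"
    exit $?
fi
```

Install by starting the agent with SSH_ASKPASS set to this script's path (DISPLAY must also be set, as for any ssh-askpass) and then loading the key with `ssh-add -c`.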