Unlocking private key using biometric token

Brian Candler b.candler at pobox.com
Mon Jun 16 22:40:15 AEST 2025


On 16/06/2025 13:19, hvjunk wrote:
> Look at the ssh-agent providers, they are the ones to implement this behaviour

That might be a reasonable compromise. The key would be held decrypted 
in RAM (i.e. you type the passphrase once to get it into the agent), but 
the agent has a policy that says it won't allow use of the key unless 
you present a fingerprint.

When adding the key to ssh-agent, you'd use the "-c" flag:

      -c      Indicates that added identities should be subject to
              confirmation before being used for authentication.
              Confirmation is performed by ssh-askpass(1).  Successful
              confirmation is signaled by a zero exit status from
              ssh-askpass(1), rather than text entered into the requester.

Therefore the last piece of the puzzle is a version of ssh-askpass with 
fingerprint reader check; if you can't find this ready-made, you may be 
able to cobble it together.

However, the communication between ssh-agent and ssh-askpass can easily 
be spoofed by someone with shell access to your laptop. Therefore, how 
useful this is in practice depends on your threat model.
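The "last piece of the puzzle" above, as an added example that is not part of the post or of OpenSSH: a small POSIX sh stand-in for ssh-askpass that answers ssh-agent's per-use confirmation prompts by running an external fingerprint verifier and mapping its result onto the zero/non-zero exit status ssh-agent expects. The verifier command is an assumption (it defaults to fprintd-verify from the Linux fprintd project, assumed to exit 0 only on a matching finger); the prompt wording "Allow use of key" matched below is taken from ssh-agent's confirmation message and is likewise an assumption, as is the name ssh-askpass-fp.

```shell
#!/bin/sh
# Added example, not from the post or OpenSSH: an ssh-askpass stand-in that
# answers ssh-agent's "-c" confirmation prompts with a fingerprint check.
#
# ssh-agent runs $SSH_ASKPASS with the prompt as its only argument and treats
# exit status 0 as "allow". Which verifier to run is an assumption:
# FP_VERIFY_CMD defaults to fprintd-verify (fprintd on Linux), assumed to
# exit 0 only when the presented finger matches an enrolled one.
#
# Install (the agent must inherit these variables, so set them before
# starting ssh-agent):
#   chmod +x ~/bin/ssh-askpass-fp
#   export SSH_ASKPASS="$HOME/bin/ssh-askpass-fp" SSH_ASKPASS_REQUIRE=force
#   ssh-add -c ~/.ssh/id_ed25519

FP_VERIFY_CMD="${FP_VERIFY_CMD:-fprintd-verify}"
FP_ATTEMPTS="${FP_ATTEMPTS:-3}"

# is_confirm_prompt PROMPT
# ssh-agent's per-use confirmation prompt begins "Allow use of key" (assumed
# wording). Anything else is a passphrase request, which this script refuses
# so that no secret ever passes through it.
is_confirm_prompt() {
    case "$1" in
        "Allow use of key"*) return 0 ;;
        *) return 1 ;;
    esac
}

# verify_fingerprint ATTEMPTS CMD [ARGS...]
# Runs the verifier up to ATTEMPTS times; returns 0 on the first success,
# 1 when every attempt fails.
verify_fingerprint() {
    attempts="$1"; shift
    n=0
    while [ "$n" -lt "$attempts" ]; do
        n=$((n + 1))
        if "$@" >/dev/null 2>&1; then
            return 0
        fi
        printf 'ssh-askpass-fp: fingerprint attempt %d/%d failed\n' "$n" "$attempts" >&2
    done
    return 1
}

# askpass_decide PROMPT VERIFY_CMD
# Returns 0 (allow) only for a confirmation prompt backed by a successful
# verification; every other case is denied (non-zero).
askpass_decide() {
    prompt="$1"; verify_cmd="$2"
    if ! is_confirm_prompt "$prompt"; then
        printf 'ssh-askpass-fp: refusing non-confirmation prompt: %s\n' "$prompt" >&2
        return 1
    fi
    # Echo the key being authorised so unexpected use of the agent is visible.
    printf 'ssh-askpass-fp: %s\n' "$prompt" >&2
    printf 'ssh-askpass-fp: touch the fingerprint reader to allow\n' >&2
    # Word-splitting of $verify_cmd is intentional so it may carry arguments.
    verify_fingerprint "$FP_ATTEMPTS" $verify_cmd
}

# Dispatch only when ssh-agent actually hands us a prompt; sourcing the file
# without arguments just defines the functions above.
if [ "$#" -gt 0 ]; then
    askpass_decide "$1" "$FP_VERIFY_CMD"
    exit $?
fi
```

Note the caveat from the post still applies: the script only decides on the basis of the prompt string and the verifier's exit status, both of which a local user with shell access can substitute (for example by pointing SSH_ASKPASS elsewhere), so it raises the bar for casual key use without protecting the key material itself.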
