Unlocking private key using biometric token
Marco Trevisan
marco at ubuntu.com
Mon Jun 16 23:45:25 AEST 2025
Hi
On Jun 16 2025, at 2:13 pm, Márton Gunyhó <marci at gunyho.com> wrote:
> On 2025-06-16 20:57, Brian Candler wrote:
>> What kind of laptop? I believe this works out-of-the-box using macOS
>> keychain, but I don't know about Linux / *BSD / Windows.
>
> I'm using a Framework 13 laptop with Fedora Linux. For example, when I
> run a command as sudo, it prompts me for the fingerprint, and this
> works well. The sudo fingerprint auth is through PAM AFAIK.
Speaking with my fingerprint stack maintainer hat on here: indeed, all of
this only goes through PAM.
The problem is that neither fprintd nor any other fingerprint-related
daemon has ever implemented support for protecting a key that can be used
to decrypt other keys, such as SSH keys or keyring ones.
The reason for that is that we just ended up with security through
obscurity, rather than with a secure framework that we could refer to in
order to unlock system-related credentials.
TPM changes this a bit, and the systemd tools do too; we were actually
discussing this recently (again) for other reasons, but it would apply
to this situation too [1].
In the short run, I feel one thing we may do is to make ssh-agent only
use fprintd (it needs to go through the fprintd D-Bus APIs, PAM or
`fprintd-verify`) every time the agent is required to provide the key, so
as to enforce the security, but not make it unlock the secret when you
use `ssh-add`.
Cheers
[1] https://gitlab.gnome.org/Teams/Design/os-mockups/-/issues/220#note_2469252
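The "verify on every key use, but don't unlock at `ssh-add` time" idea from the message above can already be approximated with machinery ssh-agent ships today: keys loaded with `ssh-add -c` make the agent ask for confirmation through the `SSH_ASKPASS` program before each signing operation. The script below is an added example, written for this page; it is not code from the mail, from fprintd or from OpenSSH. It assumes that recent OpenSSH sets `SSH_ASKPASS_PROMPT=confirm` when ssh-agent asks permission to use a confirm-flagged key and grants it when the askpass program exits 0 with an empty or "yes" reply on stdout, and that `fprintd-verify` exits 0 on a matching fingerprint and non-zero otherwise. `FPRINT_VERIFY_CMD` and `FALLBACK_ASKPASS` are hypothetical knobs introduced here so the logic can be exercised without a reader.

```shell
#!/bin/sh
# fprint-askpass: an SSH_ASKPASS program that answers ssh-agent's
# per-use confirmation prompt (keys loaded with `ssh-add -c`) by running
# a fingerprint verification instead of showing a yes/no dialog.
#
# Assumptions (not from the original mail):
#   - recent OpenSSH sets SSH_ASKPASS_PROMPT=confirm when ssh-agent asks
#     for permission to use a confirm-flagged key, and grants it when the
#     askpass program exits 0 with an empty or "yes" reply on stdout;
#   - `fprintd-verify` exits 0 on a matching fingerprint, non-zero otherwise.
# FPRINT_VERIFY_CMD is a hypothetical override so the logic can be tested
# without a reader (e.g. FPRINT_VERIFY_CMD=true or FPRINT_VERIFY_CMD=false).

FPRINT_VERIFY_CMD="${FPRINT_VERIFY_CMD:-fprintd-verify}"

# Run the fingerprint check for one agent prompt.
# Returns 0 (and replies "yes") only when the verifier reports a match.
fprint_confirm() {
    prompt="$1"
    printf 'ssh-agent: %s\n' "$prompt" >&2
    printf 'Touch the fingerprint reader to allow this key use.\n' >&2
    if $FPRINT_VERIFY_CMD >/dev/null 2>&1; then
        printf 'yes\n'
        return 0
    fi
    printf 'fingerprint verification failed; key use denied\n' >&2
    return 1
}

# Dispatch on the kind of prompt the agent (or ssh-add/ssh) is making.
# Only the confirm prompt can be satisfied by a fingerprint: this program
# never holds a passphrase, so passphrase prompts are refused (or handed
# to FALLBACK_ASKPASS, another hypothetical knob, when it is set).
askpass_main() {
    case "${SSH_ASKPASS_PROMPT:-}" in
        confirm)
            fprint_confirm "$1"
            ;;
        none)
            # Informational message only: show it and accept.
            printf '%s\n' "$1" >&2
            return 0
            ;;
        *)
            if [ -n "${FALLBACK_ASKPASS:-}" ]; then
                exec "$FALLBACK_ASKPASS" "$@"
            fi
            printf 'fprint-askpass: refusing to answer a %s prompt\n' \
                "${SSH_ASKPASS_PROMPT:-passphrase}" >&2
            return 2
            ;;
    esac
}

# Behave as the askpass program only when invoked by ssh-agent/ssh-add,
# i.e. when a prompt type is present in the environment.
if [ -n "${SSH_ASKPASS_PROMPT:-}" ]; then
    askpass_main "$@"
    exit $?
fi
```

Because the confirmation is performed by ssh-agent itself, `SSH_ASKPASS` has to point at this script in the agent's environment (for example `SSH_ASKPASS=/usr/local/bin/fprint-askpass eval "$(ssh-agent -s)"`), after which `ssh-add -c ~/.ssh/id_ed25519` loads the key with the confirm flag. Note what this does and does not give you, which is exactly the distinction drawn in the message: a fingerprint touch gates every use of the key, but the private key still sits decrypted in the agent's memory after `ssh-add`, and the gate is only as strong as the fprintd check itself. The key at rest is not protected by the fingerprint at all.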
More information about the openssh-unix-dev mailing list