Unlocking private key using biometric token
Damien Miller
djm at mindrot.org
Tue Jun 17 08:58:40 AEST 2025
On Mon, 16 Jun 2025, Marco Trevisan wrote:
> In the short run I feel one thing we may do is to make ssh-agent to only
> use fprintd (it needs to go through fprintd DBus APIs, PAM or
> `fprintd-verify`) every time the agent requires to provide the key, so
> to enforce the security, but not to make it unlock the secret when you
> use `ssh-add`.
Note that, even if you do the above, the protection the fingerprint
provides to your private key material is only as strong as your OS'
security. If an attacker is able to elevate privilege then they
could steal the key material from the agent without your fingerprint.
Contrast with a biometrically-unlocked key held in, say, Apple's
TouchID or a biometric FIDO key, where a separate secure processor
with significantly less attack surface than a consumer OS is the
only thing that has access to the key material. Of course, these
can have serious bugs too...
-d
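A practical check that follows from the point above: which of the keys your agent currently holds actually have their private material in the agent's address space, and which are FIDO (`sk-`) keys where the agent only holds a handle and every signature goes through the token. The script below is an added example, not code from this thread or from OpenSSH; it parses `ssh-add -L` output and decodes the public key blob using the wire layout documented in OpenSSH's PROTOCOL.u2f (type string, public key fields, then the application string for `sk-` keys). The sample listing is constructed with all-zero placeholder public keys so it runs offline.

```python
"""Classify keys held by ssh-agent by where the private material lives.

Keys reported by `ssh-add -L` with an `sk-` type are FIDO keys: the agent
holds only a key handle and the token performs every signature. Any other
type means the private key itself sits in the agent process's memory, which
an attacker with elevated privilege can read regardless of a fingerprint
check bolted on in front of the agent.
"""
import base64
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def parse_ssh_strings(blob: bytes) -> list:
    """Split a public key blob into its SSH wire-format string fields."""
    fields = []
    off = 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated string field")
        fields.append(blob[off:off + n])
        off += n
    return fields


def classify_agent_key(line: str) -> dict:
    """Parse one `ssh-add -L` line ("<type> <base64 blob> [comment]")."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    fields = parse_ssh_strings(base64.b64decode(b64, validate=True))
    # The blob always starts with the key type; a mismatch means a mangled line.
    if not fields or fields[0].decode() != keytype:
        raise ValueError("key type in blob does not match line prefix")
    hardware_backed = keytype.startswith("sk-")
    info = {
        "type": keytype,
        "comment": comment,
        "hardware_backed": hardware_backed,
        "private_key_in_agent_memory": not hardware_backed,
    }
    if hardware_backed:
        # PROTOCOL.u2f: sk key blobs end with the FIDO application string
        # (normally "ssh:" or "ssh:<some-label>") after the public key fields.
        info["application"] = fields[-1].decode()
    return info


def audit_agent(listing: str) -> list:
    """Classify every non-empty line of `ssh-add -L` output."""
    return [classify_agent_key(l) for l in listing.splitlines() if l.strip()]


# Constructed sample listing (assumption: placeholder all-zero public keys,
# not real keys) in the exact shape `ssh-add -L` prints.
_PLACEHOLDER_PK = bytes(32)
SAMPLE_AGENT_LISTING = "\n".join([
    "ssh-ed25519 " + base64.b64encode(
        ssh_string(b"ssh-ed25519") + ssh_string(_PLACEHOLDER_PK)
    ).decode() + " laptop-key",
    "sk-ssh-ed25519@openssh.com " + base64.b64encode(
        ssh_string(b"sk-ssh-ed25519@openssh.com")
        + ssh_string(_PLACEHOLDER_PK)
        + ssh_string(b"ssh:")
    ).decode() + " fido-token",
])


if __name__ == "__main__":
    # Real use: ssh-add -L | python3 this_script.py
    import sys
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AGENT_LISTING
    for k in audit_agent(src):
        where = "token" if k["hardware_backed"] else "AGENT MEMORY"
        print(f"{k['type']:<30} {k['comment']:<15} private key in: {where}")
```

Only the `sk-` entries survive an OS-level compromise of the agent host in the sense the message describes; any key the script flags as living in agent memory is exactly the one a per-use fprintd check would not protect against a privileged attacker.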