Unlocking private key using biometric token

Damien Miller djm at mindrot.org
Tue Jun 17 20:02:53 AEST 2025


On Tue, 17 Jun 2025, Marco Trevisan wrote:

> On giu 17 2025, at 12:58 am, Damien Miller <djm at mindrot.org> wrote:
> 
> > On Mon, 16 Jun 2025, Marco Trevisan wrote:
> > 
> >> In the short run I feel one thing we may do is to make ssh-agent to only
> >> use fprintd (it needs to go through fprintd DBus APIs, PAM or
> >> `fprintd-verify`) every time the agent requires to provide the key, so
> >> to enforce the security, but not to make it unlock the secret when you
> >> use `ssh-add`.
> > 
> > Note that, even if you do the above, the protection the fingerprint
> > provides to your private key material is only as strong as your OS'
> > security. If an attacker is able to elevate privilege then they
> > could steal the key material from the agent without your fingerprint.
> 
> Isn't this true for any kind of privilege escalation when the agent is
> in place?

Yes, it's true any time the key material is held in the agent as
opposed to in a separate device. I was trying to point out that the
biometrics doesn't really protect the key in the suggested case, only
_use of the key_.

-d


More information about the openssh-unix-dev mailing list