Hello,

This is probably a very naive question, but I am trying to figure out if I would be able to unlock my private key using my laptop's fingerprint reader instead of typing in the passphrase. I searched around quite a bit, but only found these Stack Overflow questions with no answers:

https://serverfault.com/questions/1122450
https://unix.stackexchange.com/questions/705144

I thought that this could be somehow done through PAM, because it integrates fingerprint authentication, but it seems like the decryption of the private key is handled by OpenSSH itself, without PAM. All references to PAM in the OpenSSH source were in relation to sshd, and not the client.

Am I asking for nonsense? Is it even possible to use a fingerprint as an encryption key, or is it only suitable for matching against a stored value (which I guess is what PAM is doing)?

Best regards,

Márton Gunyhó
On 16/06/2025 12:32, Márton Gunyhó wrote:
> This is probably a very naive question, but I am trying to figure out
> if I would be able to unlock my private key using my laptop's
> fingerprint reader instead of typing in the passphrase.

What kind of laptop? I believe this works out-of-the-box using macOS keychain, but I don't know about Linux / *BSD / Windows.

> Am I asking for nonsense? Is it even possible to use a fingerprint as
> an encryption key, or is it only suitable for matching against a
> stored value (which I guess what PAM is doing)?

A fingerprint is never used as an encryption key. For these sorts of applications (such as passkeys on your phone), the private key is stored in a secure enclave, and the secure enclave permits crypto operations using that key when the appropriate fingerprint or PIN is presented to it. Hence there's quite a lot of integration required.

For a self-contained solution which is platform-agnostic look at Yubikey Bio. The readily-available FIDO version should work with SSH using U2F keys (ecdsa_sk). There's supposed to be a smartcard version too, but I don't see it for sale on the store.
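As an added example, not part of the thread: the FIDO key type mentioned above (`sk-ecdsa-sha2-nistp256@openssh.com`) carries the application string the credential was bound to, and on the server the `verify-required` option in authorized_keys is how sshd insists that the authenticator verified the user (PIN or fingerprint) before a signature is accepted. The Python below builds and parses such a public key following OpenSSH's PROTOCOL.u2f layout and parses an authorized_keys entry for that option; the point Q passed in is constructed filler, not a real key.

```python
import base64
import struct

# Added example, not code from the thread. Blob layout follows OpenSSH's
# PROTOCOL.u2f; the sample point Q fed in by callers is constructed filler.
SK_TYPE = "sk-ecdsa-sha2-nistp256@openssh.com"

def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire 'string': 4-byte big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data

def _read_string(blob: bytes, off: int):
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n

def build_sk_pubkey(q: bytes, application: str = "ssh:") -> str:
    """Base64 body of an sk-ecdsa public key bound to `application`."""
    blob = (_ssh_string(SK_TYPE.encode()) + _ssh_string(b"nistp256")
            + _ssh_string(q) + _ssh_string(application.encode()))
    return base64.b64encode(blob).decode()

def parse_sk_pubkey(b64: str) -> dict:
    """Split the blob into keytype, curve, Q and application; check Q."""
    blob = base64.b64decode(b64)
    keytype, off = _read_string(blob, 0)
    if keytype.decode() != SK_TYPE:
        raise ValueError(f"not an sk-ecdsa key: {keytype!r}")
    curve, off = _read_string(blob, off)
    q, off = _read_string(blob, off)
    app, off = _read_string(blob, off)
    if len(q) != 65 or q[0] != 0x04:
        raise ValueError("Q must be an uncompressed P-256 point (65 bytes)")
    return {"curve": curve.decode(), "Q": q, "application": app.decode()}

def parse_authorized_keys_line(line: str) -> dict:
    """Parse '[options] keytype base64 [comment]'; quoted values may hold commas."""
    options, buf, quoted, i = [], "", False, 0
    if not line.startswith(("sk-", "ssh-", "ecdsa-")):
        while i < len(line) and (quoted or not line[i].isspace()):
            quoted ^= line[i] == '"'
            if line[i] == "," and not quoted:
                options, buf = options + [buf], ""
            else:
                buf += line[i]
            i += 1
        options.append(buf)
    fields = line[i:].split()
    return {"options": options, "keytype": fields[0], "key": fields[1],
            "verify_required": any(o.split("=")[0] == "verify-required" for o in options)}
```

The same requirement can be baked into the key at generation time with `ssh-keygen -t ecdsa-sk -O verify-required`, so the authenticator refuses to sign without user verification regardless of what the server asks for.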
BitWarden seems to punt a SSH agent, and you can (where hardware supports it) unlock the Bitwarden vault with biometrics. I'm using the biometric unlocking of Bitwarden on my iMac and MBP with the touchid key, but haven't yet used the ssh agent of bitwarden.

> On 16 Jun 2025, at 13:32, Márton Gunyhó <marci at gunyho.com> wrote:
>
> Hello,
>
> This is probably a very naive question, but I am trying to figure out if I would be able to unlock my private key using my laptop's fingerprint reader instead of typing in the passphrase. I searched around quite a bit, but only found these Stack Overflow questions with no answers:
> https://serverfault.com/questions/1122450
> https://unix.stackexchange.com/questions/705144
>
> I thought that this could be somehow done through PAM, because it integrates fingerprint authentication, but it seems like the decryption of the private key is handled by OpenSSH itself, without PAM. All references to PAM in the OpenSSH source were in relation to sshd, and not the client.
>
> Am I asking for nonsense? Is it even possible to use a fingerprint as an encryption key, or is it only suitable for matching against a stored value (which I guess is what PAM is doing)?
>
> Best regards,
>
> Márton Gunyhó
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev