On 2025-06-16 20:57, Brian Candler wrote:
> What kind of laptop? I believe this works out-of-the-box using macOS
> keychain, but I don't know about Linux / *BSD / Windows.

I'm using a Framework 13 laptop with Fedora Linux. For example, when I run a command as sudo, it prompts me for the fingerprint, and this works well. The sudo fingerprint auth is through PAM AFAIK.

> A fingerprint is never used as an encryption key. ... The private key
> is stored in a secure enclave, and the secure enclave permits crypto
> operations using that key when the appropriate fingerprint or PIN is
> presented to it. Hence there's quite a lot of integration required.

I see, makes sense. I guess OpenSSH doesn't have this integration on Linux?

> For a self-contained solution which is platform-agnostic look at
> Yubikey Bio. The readily-available FIDO version should work with SSH
> using U2F keys (ecdsa_sk).

The Yubikey looks alright, but I would like to use the built-in fingerprint reader. I tried to create a key with ssh-keygen -t ecdsa-sk but that just says "Key enrollment failed: device not found".
> On 16 Jun 2025, at 14:13, Márton Gunyhó <marci at gunyho.com> wrote:
>
>> A fingerprint is never used as an encryption key. ... The private key is stored in a secure enclave, and the secure enclave permits crypto operations using that key when the appropriate fingerprint or PIN is presented to it. Hence there's quite a lot of integration required.
>
> I see, makes sense. I guess OpenSSH doesn't have this integration on Linux?

Look at the ssh-agent providers, they are the ones to implement this behaviour.
On 16/06/2025 13:13, Márton Gunyhó wrote:
>> A fingerprint is never used as an encryption key. ... The private key
>> is stored in a secure enclave, and the secure enclave permits crypto
>> operations using that key when the appropriate fingerprint or PIN is
>> presented to it. Hence there's quite a lot of integration required.
> I see, makes sense. I guess OpenSSH doesn't have this integration on
> Linux?

A quick search suggests that you can use OpenSSH with the private key protected by the TPM, e.g.

https://wiki.gentoo.org/wiki/Trusted_Platform_Module/SSH
https://incenp.org/notes/2020/tpm-based-ssh-key.html

But I don't know if it's possible to enrol the fingerprint reader to the TPM, such that a fingerprint could be used to unlock the TPM.

>> For a self-contained solution which is platform-agnostic look at
>> Yubikey Bio. The readily-available FIDO version should work with SSH
>> using U2F keys (ecdsa_sk).
>
> The Yubikey looks alright, but I would like to use the built-in
> fingerprint reader. I tried to create a key with ssh-keygen -t
> ecdsa-sk but that just says "Key enrollment failed: device not found".

Correct, you need the U2F key connected at the time of creating the key. Each U2F device has a built-in key, which it uses to wrap the keying material to form the "key handle". In this way, a U2F device can work with an unlimited number of key pairs, because it doesn't actually store the private key anywhere, but they are all specific to that particular device.

https://fidoalliance.org/specs/u2f-specs-master/fido-u2f-overview.html
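The key-handle mechanism described above, and the "crypto operation only after the fingerprint/PIN is presented" gate quoted earlier in the thread, as an added worked example written for this page (not code from OpenSSH, Yubico, fprintd or the FIDO specification). The handle layout (random nonce followed by an HMAC tag), the HMAC-based derivation of the per-origin private scalar from a single device secret, and the simplified signed message (app_id || challenge) are assumptions: the U2F spec leaves the handle format to the vendor and only requires that the device can recover the private key from it. ECDSA over P-256 is implemented in plain Python for self-containment and is not constant time. Requires Python 3.8+ for `pow(x, -1, m)`.

```python
# Toy U2F-style authenticator: stateless key handles bound to a device secret.
# Added illustration for this thread, not code from OpenSSH, Yubico or FIDO.
# Assumed (vendor-specific in the real spec): handle = nonce || HMAC tag, keys
# derived by HMAC from a device secret, signed message = app_id || challenge.
# ECDSA/P-256 is textbook pure Python, not constant time. Needs Python 3.8+.
import hashlib
import hmac
import secrets

# NIST P-256 domain parameters (a = -3); b is not needed for add/mul.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def _z(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def ecdsa_sign(d, msg):
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (_z(msg) + r * d) % N
        if r and s:
            return r, s

def ecdsa_verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    R = _add(_mul(_z(msg) * w % N, G), _mul(r * w % N, pub))
    return R is not None and R[0] % N == r

class Authenticator:
    """One physical device: a single secret, no per-credential storage."""

    def __init__(self):
        self.device_secret = secrets.token_bytes(32)

    def _derive(self, app_id, nonce):
        # Private scalar and device-binding tag are recomputed on demand;
        # a handle from another device (or another app_id) yields a bad tag.
        def mac(label):
            return hmac.new(self.device_secret, label + app_id + nonce,
                            hashlib.sha256).digest()
        return int.from_bytes(mac(b"key"), "big") % (N - 1) + 1, mac(b"tag")

    def register(self, app_id):
        nonce = secrets.token_bytes(32)
        d, tag = self._derive(app_id, nonce)
        return nonce + tag, _mul(d, G)  # (key handle, public key); nothing kept

    def authenticate(self, app_id, handle, challenge, user_verified):
        # user_verified stands in for the fingerprint/PIN gate: the key is
        # re-derived from the handle, but signing waits for the check.
        d, expected = self._derive(app_id, handle[:32])
        if not hmac.compare_digest(handle[32:], expected):
            raise ValueError("key handle not made by this device for this app")
        if not user_verified():
            raise PermissionError("user verification failed")
        return ecdsa_sign(d, app_id + challenge)

def demo():
    """Returns (signature verifies, other device rejects, no finger refused)."""
    dev_a, dev_b, app = Authenticator(), Authenticator(), b"ssh:"
    handle, pub = dev_a.register(app)
    sig = dev_a.authenticate(app, handle, b"challenge-1", lambda: True)
    verifies = ecdsa_verify(pub, app + b"challenge-1", sig)
    try:
        dev_b.authenticate(app, handle, b"challenge-1", lambda: True)
        other_rejects = False
    except ValueError:
        other_rejects = True
    try:
        dev_a.authenticate(app, handle, b"challenge-2", lambda: False)
        refused = False
    except PermissionError:
        refused = True
    return verifies, other_rejects, refused
```

`demo()` returns `(True, True, True)`: the signature from the registering device verifies against the public key it handed out, a second device with a different secret rejects the same handle outright, and the registering device refuses to sign when the user-verification callback fails. This is also why `ssh-keygen -t ecdsa-sk` needs the device plugged in: the `-sk` private key file OpenSSH writes holds the key handle, not the private key, and only the device that made the handle can turn it back into a signing key.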
Hi

On Jun 16 2025, at 2:13 pm, Márton Gunyhó <marci at gunyho.com> wrote:
> On 2025-06-16 20:57, Brian Candler wrote:
>> What kind of laptop? I believe this works out-of-the-box using macOS
>> keychain, but I don't know about Linux / *BSD / Windows.
>
> I'm using a Framework 13 laptop with Fedora Linux. For example, when I
> run a command as sudo, it prompts me for the fingerprint, and this
> works well. The sudo fingerprint auth is through PAM AFAIK.

Speaking here with the fingerprint stack maintainer hat on, indeed all this only goes through PAM. The problem is that neither fprintd nor any other fingerprint-related daemon has ever implemented support to protect a key that can be used to decrypt other keys, such as SSH keys or keyring ones. The reason for that is that we just ended up having security through obscurity, rather than having a secure framework that we could refer to to unlock system-related credentials.

TPM changes this a bit, and systemd tools too, and we were actually discussing this recently (again) for other reasons, but they would apply to this situation too [1].

In the short run I feel one thing we may do is to make ssh-agent only use fprintd (it needs to go through the fprintd DBus APIs, PAM or `fprintd-verify`) every time the agent needs to provide the key, so as to enforce the security, but not to make it unlock the secret when you use `ssh-add`.

Cheers

[1] https://gitlab.gnome.org/Teams/Design/os-mockups/-/issues/220#note_2469252