On 16/06/2025 12:32, Márton Gunyhó wrote:
This is probably a very naive question, but I am trying to figure out if I would be able to unlock my private key using my laptop's fingerprint reader instead of typing in the passphrase.
What kind of laptop? I believe this works out-of-the-box using macOS keychain, but I don't know about Linux / *BSD / Windows.
Am I asking for nonsense? Is it even possible to use a fingerprint as an encryption key, or is it only suitable for matching against a stored value (which I guess what PAM is doing)?
A fingerprint is never used as an encryption key. For these sorts of applications (such as passkeys on your phone), the private key is stored in a secure enclave, and the secure enclave permits crypto operations using that key when the appropriate fingerprint or PIN is presented to it. Hence there's quite a lot of integration required.
For a self-contained solution which is platform-agnostic look at Yubikey Bio. The readily-available FIDO version should work with SSH using U2F keys (ecdsa_sk). There's supposed to be a smartcard version too, but I don't see it for sale on the store.
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
