On 2025-06-16 20:57, Brian Candler wrote:
What kind of laptop? I believe this works out-of-the-box using macOS keychain, but I don't know about Linux / *BSD / Windows.
I'm using a Framework 13 laptop with Fedora Linux. For example, when I run a command as sudo, it prompts me for the fingerprint, and this works well. The sudo fingerprint auth is through PAM AFAIK.
A fingerprint is never used as an encryption key. ... The private key is stored in a secure enclave, and the secure enclave permits crypto operations using that key when the appropriate fingerprint or PIN is presented to it. Hence there's quite a lot of integration required.
I see, makes sense. I guess OpenSSH doesn't have this integration on Linux?
For a self-contained solution which is platform-agnostic look at Yubikey Bio. The readily-available FIDO version should work with SSH using U2F keys (ecdsa_sk).
The Yubikey looks alright, but I would like to use the built-in fingerprint reader. I tried to create a key with ssh-keygen -t ecdsa-sk but that just says "Key enrollment failed: device not found".
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
