On 16/06/2025 13:13, Márton Gunyhó wrote:
>> A fingerprint is never used as an encryption key. ... The private key
>> is stored in a secure enclave, and the secure enclave permits crypto
>> operations using that key when the appropriate fingerprint or PIN is
>> presented to it. Hence there's quite a lot of integration required.
> I see, makes sense. I guess OpenSSH doesn't have this integration on
> Linux?
A quick search suggests that you can use OpenSSH with the private key
protected by the TPM, e.g.
https://wiki.gentoo.org/wiki/Trusted_Platform_Module/SSH
https://incenp.org/notes/2020/tpm-based-ssh-key.html
But I don't know if it's possible to enrol the fingerprint reader to the
TPM, such that a fingerprint could be used to unlock the TPM.
>> For a self-contained solution which is platform-agnostic look at
>> Yubikey Bio. The readily-available FIDO version should work with SSH
>> using U2F keys (ecdsa-sk).
> The Yubikey looks alright, but I would like to use the built-in
> fingerprint reader. I tried to create a key with ssh-keygen -t
> ecdsa-sk but that just says "Key enrollment failed: device not found".
Correct, you need the U2F key connected at the time of creating the
key. Each U2F device has a built-in key, which it uses to wrap the
keying material to form the "key handle". In this way, a U2F device can
work with an unlimited number of key pairs, because it doesn't actually
store the private key anywhere, but they are all specific to that
particular device.
https://fidoalliance.org/specs/u2f-specs-master/fido-u2f-overview.html
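The key-handle mechanism described in the reply above, as an added illustration that is not the poster's code and not any vendor's actual authenticator firmware: a simulated U2F-style device holds a single master secret, derives a fresh private key per registration, and returns a key handle that carries only a nonce plus a MAC binding it to this device and this application identifier. The derivation scheme (HMAC-SHA256, 32-byte nonce, handle layout nonce || mac), the class and function names, and the constructed challenge are my assumptions; the P-256 ECDSA is a plain textbook implementation so the block runs with only the standard library, and it is neither constant-time nor meant for production. The application string "ssh:" is OpenSSH's default for FIDO keys.

```python
# Added illustration, not OpenSSH or authenticator vendor code. Assumptions:
# HMAC-SHA256 key derivation, 32-byte nonce, key handle = nonce || mac.
# Textbook P-256 ECDSA below is for demonstration only (not constant-time).
import hmac
import os
from hashlib import sha256

# NIST P-256 domain parameters (standard values)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

SSH_APP_ID = b"ssh:"  # OpenSSH's default FIDO application string


def _add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def _hash_int(msg):
    return int.from_bytes(sha256(msg).digest(), "big")


def ecdsa_sign(d, msg):
    e = _hash_int(msg)
    # Simplified deterministic nonce (a stand-in for RFC 6979, assumed here).
    k_bytes = hmac.new(d.to_bytes(32, "big"), e.to_bytes(32, "big"), sha256).digest()
    k = int.from_bytes(k_bytes, "big") % (N - 1) + 1
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (e + r * d) % N
    return (r, s)


def ecdsa_verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    e, w = _hash_int(msg), pow(s, -1, N)
    x = _add(_mul(e * w % N, G), _mul(r * w % N, pub))
    return x is not None and x[0] % N == r


class SimulatedU2FDevice:
    """Toy authenticator: one master secret, unlimited derived key pairs."""
    NONCE_LEN = 32

    def __init__(self, master_secret):
        self._master = master_secret  # never leaves the "device"

    def _derive_private(self, app_id, nonce):
        mac = hmac.new(self._master, b"priv" + app_id + nonce, sha256).digest()
        return int.from_bytes(mac, "big") % (N - 1) + 1

    def _handle_mac(self, app_id, nonce):
        return hmac.new(self._master, b"handle" + app_id + nonce, sha256).digest()

    def register(self, app_id):
        """Return (key_handle, public_key); no private key is stored anywhere."""
        nonce = os.urandom(self.NONCE_LEN)
        handle = nonce + self._handle_mac(app_id, nonce)
        return handle, _mul(self._derive_private(app_id, nonce), G)

    def sign(self, app_id, handle, challenge):
        """Re-derive the private key from the handle; refuse foreign handles."""
        nonce, mac = handle[:self.NONCE_LEN], handle[self.NONCE_LEN:]
        if not hmac.compare_digest(mac, self._handle_mac(app_id, nonce)):
            raise ValueError("key handle not issued by this device for this application")
        return ecdsa_sign(self._derive_private(app_id, nonce), challenge)


def try_sign(device, app_id, handle, challenge):
    """Host-side helper: the signature, or None if the device rejects the handle."""
    try:
        return device.sign(app_id, handle, challenge)
    except ValueError:
        return None


def demo():
    """Registration on device A, then the checks a practitioner would expect."""
    dev_a, dev_b = SimulatedU2FDevice(os.urandom(32)), SimulatedU2FDevice(os.urandom(32))
    handle, pub = dev_a.register(SSH_APP_ID)
    challenge = b"constructed sshd challenge"          # constructed sample input
    verified = ecdsa_verify(pub, challenge, dev_a.sign(SSH_APP_ID, handle, challenge))
    foreign_device = try_sign(dev_b, SSH_APP_ID, handle, challenge) is not None
    foreign_app = try_sign(dev_a, b"https://example.com", handle, challenge) is not None
    second_handle, _ = dev_a.register(SSH_APP_ID)     # a second, independent key pair
    return verified, foreign_device, foreign_app, second_handle != handle


if __name__ == "__main__":
    print(demo())
```

The point the thread makes falls out of the last two checks: the same handle is useless on a second device (different master secret) and useless for a different application, while the device can mint as many handles as it likes without storing any private key. This is also why `ssh-keygen -t ecdsa-sk` needs the authenticator present at enrolment: the handle that ends up in the private-key file can only be produced by the device that will later sign with it.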
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev