On 16/06/2025 13:19, hvjunk wrote:
> Look at the ssh-agent providers, they are the ones to implement this behaviour
That might be a reasonable compromise. The key would be held decrypted
in RAM (i.e. you type the passphrase once to get it into the agent), but
the agent has a policy that says it won't allow use of the key unless
you present a fingerprint.
When adding the key to ssh-agent, you'd use the "-c" flag:
    -c  Indicates that added identities should be subject to confirmation
        before being used for authentication. Confirmation is performed by
        ssh-askpass(1). Successful confirmation is signaled by a zero exit
        status from ssh-askpass(1), rather than text entered into the
        requester.
Therefore the last piece of the puzzle is a version of ssh-askpass with
fingerprint reader check; if you can't find this ready-made, you may be
able to cobble it together.
However, the communication between ssh-agent and ssh-askpass can easily
be spoofed by someone with shell access to your laptop. Therefore, how
useful this is in practice depends on your threat model.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
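The following is an added example, not code from the thread or from OpenSSH, sketching the "last piece of the puzzle" described above: a drop-in ssh-askpass replacement that gates agent confirmation on a fingerprint check. It honours the ssh-add(1) contract quoted earlier (prompt arrives as $1, exit status 0 means "confirmed", nothing is read from stdout). The verifier command is assumed to be fprintd-verify and is made configurable through the hypothetical FP_VERIFY_CMD variable so the script can be exercised without a reader; the SSH_ASKPASS_PROMPT variable ("confirm" for a use-confirmation, "none" for a notification) is the one recent OpenSSH agents set when invoking askpass, and the script denies anything it does not recognise.

```shell
#!/bin/sh
# askpass-fprint.sh -- added example of a fingerprint-gated ssh-askpass.
# ssh-agent runs $SSH_ASKPASS with the prompt text as $1 when a key added
# with `ssh-add -c` is about to be used; exit 0 allows, non-zero denies.

# Fingerprint verifier (assumption: fprintd-verify from fprintd). Overridable
# so the functions below can be tested with /bin/true or /bin/false.
FP_VERIFY_CMD="${FP_VERIFY_CMD:-fprintd-verify}"

# fp_confirm PROMPT: return 0 only if the fingerprint verifier succeeds.
fp_confirm() {
    prompt="$1"
    printf '%s\n' "ssh-agent confirmation requested: $prompt" >&2
    if $FP_VERIFY_CMD >/dev/null 2>&1; then
        return 0
    fi
    printf '%s\n' "askpass-fprint: fingerprint verification failed, denying" >&2
    return 1
}

# askpass_main PROMPT: dispatch on what the agent is asking for. Only a
# use-confirmation maps onto a fingerprint check; a request for a passphrase
# cannot be answered by a fingerprint, so it is refused (fail closed).
askpass_main() {
    case "${SSH_ASKPASS_PROMPT:-}" in
        confirm)
            fp_confirm "$1"
            ;;
        none)
            # Informational notification only; nothing to confirm.
            printf '%s\n' "$1" >&2
            return 0
            ;;
        *)
            printf '%s\n' "askpass-fprint: unsupported request, denying" >&2
            return 1
            ;;
    esac
}

# Run the dispatcher only when executed as the askpass program, so the
# functions can also be sourced for testing.
case "$0" in
    *askpass-fprint*)
        askpass_main "$@"
        exit $?
        ;;
esac
```

To use it, start the agent with SSH_ASKPASS pointing at the script (the agent reads that variable from its own environment), then load the key with `ssh-add -c`. As the post notes, this only raises the bar: anything with shell access in the agent's session can substitute its own askpass or talk to the agent socket directly, so the fingerprint gate is a convenience control against casual key use, not a boundary against a local attacker.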