Hi

On Jun 16 2025, at 2:13 pm, Márton Gunyhó <marci@xxxxxxxxxx> wrote:
> On 2025-06-16 20:57, Brian Candler wrote:
>> What kind of laptop? I believe this works out-of-the-box using macOS
>> keychain, but I don't know about Linux / *BSD / Windows.
>
> I'm using a Framework 13 laptop with Fedora Linux. For example, when I
> run a command as sudo, it prompts me for the fingerprint, and this works
> well.

The sudo fingerprint auth is through PAM AFAIK.

Speaking with the fingerprint stack maintainer hat on: indeed, all this only goes through PAM.

The problem is that neither fprintd nor any other fingerprint-related daemon has ever implemented support to protect a key that can be used to decrypt other keys, such as SSH keys or keyring ones. The reason for that is that we would just end up having security through obscurity, rather than having a secure framework that we could refer to to unlock system-related credentials.

TPM changes this a bit, and systemd tools too, and we were actually discussing this recently (again) for other reasons, but they would apply to this situation too [1].

In the short run I feel one thing we may do is to make ssh-agent only use fprintd (it needs to go through the fprintd DBus APIs, PAM or `fprintd-verify`) every time the agent is required to provide the key, so as to enforce the security, but not to make it unlock the secret when you use `ssh-add`.

Cheers

[1] https://gitlab.gnome.org/Teams/Design/os-mockups/-/issues/220#note_2469252

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
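The per-use gating described in the reply above can be approximated today with OpenSSH's existing confirmation mechanism: `ssh-add -c` makes the agent run its SSH_ASKPASS program before every use of the key, and a zero exit status grants the use. The script below is an added example, not code from OpenSSH, fprintd or the thread's authors; it acts as that askpass program and delegates the decision to `fprintd-verify`. The `FP_VERIFY` variable and the `fp_confirm` function are hypothetical names chosen here; the key itself is still decrypted with its passphrase at `ssh-add` time and stays in agent memory, so the fingerprint only gates use, it does not protect the secret.

```shell
#!/bin/sh
# fp-askpass.sh: an SSH_ASKPASS program that gates each use of a key
# loaded with `ssh-add -c` on a fingerprint match (hypothetical wrapper,
# not part of OpenSSH or fprintd).

# The verifier command is configurable so it can be swapped for a stub
# when exercising the script without a fingerprint reader.
FP_VERIFY="${FP_VERIFY:-fprintd-verify}"

# Run the verifier up to $1 times (default 3) and return 0 only on a match.
# fprintd-verify exits non-zero on no match, no enrolled finger or daemon
# unavailable; all of those deny the key use. The retry count is bounded
# so a stuck reader cannot keep the agent waiting forever.
fp_confirm() {
    attempts="${1:-3}"
    while [ "$attempts" -gt 0 ]; do
        if "$FP_VERIFY" >/dev/null 2>&1; then
            return 0
        fi
        attempts=$((attempts - 1))
    done
    return 1
}

# Only answer confirmation requests: ssh-agent sets SSH_ASKPASS_PROMPT to
# "confirm" when checking a key added with `ssh-add -c`. For any other
# prompt (e.g. a passphrase request) refuse instead of returning a secret.
if [ "${SSH_ASKPASS_PROMPT:-}" = "confirm" ]; then
    if fp_confirm 3; then
        exit 0
    fi
    exit 1
fi
```

Start the agent with `SSH_ASKPASS` pointing at this script (it must be in the agent's environment, not just the shell's), then load the key with `ssh-add -c ~/.ssh/id_ed25519`; every subsequent signature request prompts the reader, and a failed verification makes the agent refuse that request.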