Hi all,

I am currently looking into the use of TPM-based keys on my laptop for SSH authentication. One aspect that bugs me is that AFAIU either

- I have to enter the PIN on every use, which is highly inconvenient and increases the likelihood the entry will be observed (e.g. in a public environment with cameras)
- the key is in the agent and PIN is not required, then any program that can access the agent can silently SSH all it wants

I quite like the "presence" functionality in FIDO2 tokens, where I need to press the button on the token in order to use the key; ideally I'd like to set up something analogous with TPM.

Other possibilities that come to mind are

- re-enter the PIN after N uses; does TPM have a counter that could be used for this? or perhaps ssh-agent?
- show a desktop notification on (every Nth?) use

I am aware of the ssh-add -t option, which sort of works in this direction, but it is not exactly what I want, since

- it is time-based rather than use-based
- after a key expires I have to re-add it, which is more hassle than just re-entering the PIN

Thoughts and advice on this matter would be highly appreciated.

Cheers,
--
Anton Khirnov

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
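A sketch of the "confirm every Nth use, notify otherwise" idea raised in the post, as an added example that is not from the post's author or from OpenSSH. It relies on ssh-agent's existing confirmation hook: when a key is loaded with `ssh-add -c`, the agent runs the askpass program on every signing request and grants the request only if that program exits 0 and prints nothing (or "yes"). The wiring assumed here is that ssh-agent is started with `SSH_ASKPASS` pointing at this script and `SSH_ASKPASS_REQUIRE=force`; the counter file location, the `SSH_USE_COUNTER`, `SSH_PROMPT_EVERY` and `SSH_REAL_ASKPASS` variable names, the script file name `ssh-askpass-counter` and the default `/usr/bin/ssh-askpass` path are this example's own assumptions.

```shell
#!/bin/sh
# Added example: askpass-style gate for ssh-agent that requires an explicit
# confirmation only every Nth use and raises a desktop notification on the
# other uses. Not from the original post or from OpenSSH.
# Assumed wiring: ssh-agent started with SSH_ASKPASS=<this script> and
# SSH_ASKPASS_REQUIRE=force, key loaded with `ssh-add -c`. ssh-agent passes
# the confirmation prompt as $1 and grants the request only when this
# program exits 0 and prints nothing (or "yes").

# Assumed configuration knobs (names belong to this example, not OpenSSH).
COUNTER_FILE="${SSH_USE_COUNTER:-$HOME/.cache/ssh-use-counter}"
PROMPT_EVERY="${SSH_PROMPT_EVERY:-10}"
REAL_ASKPASS="${SSH_REAL_ASKPASS:-/usr/bin/ssh-askpass}"

# bump_counter FILE: increment the use counter kept in FILE (created on
# first use) and print the new count.
bump_counter() {
    file=$1
    count=0
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] && count=$(cat "$file")
    count=$((count + 1))
    printf '%s\n' "$count" > "$file"
    printf '%s\n' "$count"
}

# prompt_due COUNT EVERY: succeed (exit 0) when use number COUNT must be
# explicitly confirmed, i.e. on the first use and every EVERY uses after it.
prompt_due() {
    [ $(( ($1 - 1) % $2 )) -eq 0 ]
}

# notify MSG: desktop notification when notify-send exists, else stderr.
notify() {
    if command -v notify-send >/dev/null 2>&1; then
        notify-send "ssh-agent" "$1"
    else
        printf 'ssh-agent: %s\n' "$1" >&2
    fi
}

main() {
    count=$(bump_counter "$COUNTER_FILE")
    if prompt_due "$count" "$PROMPT_EVERY"; then
        # Hand the prompt to the real GUI askpass; its exit status and
        # stdout go straight back to ssh-agent, so a dismissed or cancelled
        # dialog denies the signing request.
        exec "$REAL_ASKPASS" "$1"
    fi
    # Uses that are not gated are still made visible, so agent activity
    # from a process you did not start shows up on screen.
    notify "key use #$count: $1"
    exit 0
}

# Run only when invoked under the assumed script name, so the functions
# can also be sourced and exercised on their own.
case "${0##*/}" in
    ssh-askpass-counter) main "$@" ;;
esac
```

Two caveats worth keeping in mind with this approach: the counter is an ordinary file owned by the same user, so any process running as that user can reset it, and the notification path only makes agent use visible rather than blocking it. It is therefore closer to the "desktop notification on every Nth use" option than to a FIDO2 touch, which is enforced by the token itself; the TPM PIN is a separate control that this script neither replaces nor weakens.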