> On 5. Jul 2025, at 17:42, James Bottomley via openssh-unix-dev <openssh-unix-dev@xxxxxxxxxxx> wrote:
>
> On Sat, 2025-07-05 at 10:55 +0200, Anton Khirnov wrote:
>> Quoting Brian Candler (2025-07-05 09:39:13)
>>> On 05/07/2025 06:52, Anton Khirnov wrote:
>>>> - I have to enter the PIN on every use, which is highly inconvenient and
>>>>   increases the likelihood the entry will be observed (e.g. in a
>>>>   public environment with cameras)
>>>> - the key is in the agent and PIN is not required, then any
>>>>   program that can access the agent can silently SSH all it wants
>>>
>>> If the private key is actually in the agent, then you can flag that
>>> key to require confirmation on each use. With a normal key, it
>>> would be "ssh-add -c". That normally just means clicking "OK"; you
>>> don't have to enter a PIN.
>>
>> Thank you, that seems to be exactly what I was looking for.
>
> The ssh community has rejected many approaches to TPM-based keys, so
> the easiest way to use them is to use gpg-agent (for any 2.4 and up
> version of gpg) as the ssh agent backend and then simply use the gpg
> keytotpm command on keys you want to become only TPM accessible.

Respectfully disagree. You're free to run any ssh-agent, and it makes
various hardware elements play along pretty decently (like Secretive for
Mac).

For TPM2, see here: https://github.com/Foxboron/ssh-tpm-agent

Also have a look here:
https://fosdem.org/2025/schedule/event/fosdem-2025-5544-hardware-backed-ssh-keys-ssh-tpm-agent/

I'd only recommend going down the GPG path if you're already established
and invested in the GPG infrastructure/setup, but never for beginners.

Cheers,
Martin

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
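The "ssh-add -c" advice in the quoted part of the thread is easy to misread as "the agent asks for a passphrase". It does not: the confirmation is a separate hook that ssh-agent fires on every signing request for that identity, by running the program in SSH_ASKPASS. The script below is an added example written for this page, not code from anyone in the thread. It builds a throwaway ed25519 key, starts a private agent, adds the key with -c, signs a file through the agent with "ssh-keygen -Y sign" (which uses the agent when given a .pub file), verifies the signature, and then shows that the agent invoked the askpass hook exactly once. The askpass helper is a constructed stand-in for ssh-askpass(1) that logs the prompt and approves; the key comment, namespace "demo" and identity "demo@example" are made up. It assumes OpenSSH's ssh-keygen, ssh-agent and ssh-add on PATH (SSH_ASKPASS_REQUIRE needs 8.4 or newer; DISPLAY is set so older agents still pick askpass).

```sh
#!/bin/sh
# Added example (not from the thread): what "ssh-add -c" actually gates.
# Assumes OpenSSH ssh-keygen/ssh-agent/ssh-add on PATH. Everything else
# (key, askpass stand-in, namespace, identity) is constructed for the demo.

# Returns 0 if the agent prompted exactly once for the signature,
# 1 on any failure, 2 if the OpenSSH tools are not installed.
demo_confirm_on_use() {
    for t in ssh-keygen ssh-agent ssh-add; do
        command -v "$t" >/dev/null 2>&1 || { echo "skipped: $t not installed"; return 2; }
    done
    work=$(mktemp -d) || return 1
    demo_steps "$work"; rc=$?
    ssh-agent -k >/dev/null 2>&1      # kills only the agent started below
    rm -rf "$work"
    return "$rc"
}

demo_steps() {
    work=$1
    unset SSH_AUTH_SOCK SSH_AGENT_PID  # isolate from any agent already in the env

    # Throwaway key with no passphrase: the per-use gate is the agent's
    # confirmation hook, not key-file encryption.
    ssh-keygen -q -t ed25519 -N '' -C demo -f "$work/id_demo" || return 1

    # Constructed stand-in for ssh-askpass: ssh-agent execs $SSH_ASKPASS with
    # the prompt as $1; an empty reply (or "yes") on stdout plus exit 0 allows.
    cat > "$work/askpass" <<EOF
#!/bin/sh
printf '[askpass] %s\n' "\$(printf '%s' "\$1" | tr '\n' ' ')" >> "$work/askpass.log"
exit 0
EOF
    chmod +x "$work/askpass"

    # The agent reads SSH_ASKPASS from its own environment, so export first.
    export SSH_ASKPASS="$work/askpass" SSH_ASKPASS_REQUIRE=force DISPLAY=:0
    eval "$(ssh-agent -s)" >/dev/null || return 1

    # -c: every signing request for this identity must be confirmed.
    ssh-add -c "$work/id_demo" >/dev/null 2>&1 || return 1

    # Sign via the agent: with a .pub file ssh-keygen -Y sign uses the agent
    # for the private half. This is the moment the agent runs askpass.
    printf 'release 1.2.3\n' > "$work/msg"
    ssh-keygen -q -Y sign -f "$work/id_demo.pub" -n demo "$work/msg" || return 1

    # Verify as a relying party would (allowed_signers: identity type key).
    printf 'demo@example %s\n' "$(cut -d' ' -f1,2 "$work/id_demo.pub")" > "$work/allowed"
    ssh-keygen -q -Y verify -f "$work/allowed" -I demo@example -n demo \
        -s "$work/msg.sig" < "$work/msg" || return 1

    # One signature, one confirmation prompt.
    prompts=$(grep -c '^\[askpass\]' "$work/askpass.log" 2>/dev/null)
    : "${prompts:=0}"
    echo "agent prompted $prompts time(s):"; cat "$work/askpass.log" 2>/dev/null
    [ "$prompts" -eq 1 ]
}

# Run directly with: sh demo.sh run
if [ "${1:-}" = run ]; then demo_confirm_on_use; fi
```

The logged prompt is the agent's own "Allow use of key ... Key fingerprint ..." text, which is what a real ssh-askpass dialog would show. Without -c the same script signs with an empty log, which is the "any program that can access the agent can silently SSH" case from the thread; with -c, an approval is needed per signature, but note that a stand-in like this one shows the gate is only as strong as the askpass program the agent is configured to run.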