Require presence, with touch?

[vorburger]

I was wondering if it may be possible to have it require proving consent by presence detection with touching... something? Like a Yubikey does. Except of course there is no external key - so.. if you're on a laptop with a fingerprint sensor, and already have pam_u2f for sudo - could it somehow leverage that? Or require tapping some key - perhaps a special system key like CapsLock? Or something like detect a "double tap" on Shift?

Just a wild thought. Feel free to close if this not feasible.

[Foxboron]

I mean, it could be done in theory by doing more stuff inside ssh-tpm-agent, but it would not actually matter for the keyfile security.

You could just write another program to load the keyfile and ignore the user presence. The fingerprint reader in Linux userspace is also not really secure, we don't know if we are getting a replay of the fingerprint from userspace or communicating with an actual fingerprint device.

There are some policy setup in the TPM to interact with a fingerprint sensor, but I have not seen anyone actually use this.

I'll leave this open incase others have a better idea on how to solve this. But I don't quite see a good way unless we include a lot more complexity into ssh-tpm-agent.

[Mic92]

I added this feature to my frontend askpass: https://github.com/Mic92/noctalia-plugins/tree/main/ssh-askpass
It depends on #114 so that ssh-tpm-agent asks for confirmation on use. It's not as secure as what secretive can do with the macOS SecureEnclave but it maybe prevent some accidents. Feel to replicate this frontend into your own desktop.

[Foxboron]

@Mic92 I have on my todo to figure out if I can bundle some GUI askpass into this project to bridge the gap. The noctalia stuff looks cool though.

[Mic92]

@Foxboron than you might be also interested in #123

[vorburger]

#114 is actually exactly close enough to what I was looking for!! I'm now using this.

This is 🍀 awesome. I 💌 love open source. I'll sponsor you on GitHub.

@Foxboron shall we close this?