Can Touch ID unlock a personal SSH key?

Is it possible to use the Touch ID fingerprint reader to unlock my SSH key?

I have a MacBook Pro with Touch Bar, and I have a traditional text passphrase for my SSH key right now.

I have noticed that I don't get a system dialog asking for my passphrase on 10.12, so this probably isn't a thing, but if I could do it, it would be AMAZING.


Solution 1:

Update:

One option is to add your private SSH key to the macOS Keychain, then use Touch ID for Keychain authentication. You will want to use ssh-add -K ~/.ssh/[your-private-key] -- however, on macOS 10.12 Sierra the feature needs to be enabled by editing ~/.ssh/config and adding:

Host *                            # asterisk for all hosts, or name a specific host
   AddKeysToAgent yes
   UseKeychain yes
   IdentityFile ~/.ssh/userKey    # path to your private key

For details, read:

  1. Permanently add your private key to Keychain so it is automatically available to SSH
  2. Saving SSH keys in macOS Sierra keychain

Original:

At present TouchID unlocking of an SSH key is not available for macOS.

  1. The sudo-touchid Xcode project demonstrates how to build a command line application that is TouchID enabled and fails over to a passcode dialog. It runs on the 2016 MacBook Pro with Touch Bar. However, it is for sudo, not ssh. This indicates that the idea is technically feasible.
  2. The Prompt 2 SSH client has TouchID support -- for iOS, not macOS. This indicates that comparable applications might become available from commercial developers.
  3. One developer online started an ssh touchid wrapper project a few months ago -- although it is an empty project stub. This indicates that others may be asking a similar question to yours.
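
An added check (example code, not from any of the answers above) that parses an ssh_config file with awk and reports whether the "Host *" stanza carries the three directives described in this answer; the file path and the constructed sample config are assumptions.

```shell
#!/bin/sh
# Added example: verify that an ssh_config file has AddKeysToAgent, UseKeychain
# and IdentityFile set inside its "Host *" stanza. Pure awk, so it runs on any
# POSIX system without needing the macOS ssh binary (which is the only one that
# understands UseKeychain).

# Usage: check_keychain_stanza /path/to/config
# Returns 0 when all three directives are present under "Host *", 1 otherwise.
check_keychain_stanza() {
  awk '
    # Drop "#" comments and leading whitespace; keywords are case-insensitive.
    { sub(/#.*/, ""); sub(/^[ \t]+/, "") }
    /^$/ { next }
    # A Host line starts a new stanza; only "Host *" counts. Match also ends one.
    tolower($1) == "host"  { inall = ($2 == "*"); next }
    tolower($1) == "match" { inall = 0; next }
    inall && tolower($1) == "addkeystoagent" && tolower($2) == "yes" { a = 1 }
    inall && tolower($1) == "usekeychain"    && tolower($2) == "yes" { u = 1 }
    inall && tolower($1) == "identityfile"   && $2 != ""            { i = 1 }
    END { exit !(a && u && i) }
  ' "$1"
}

# Demonstration on a constructed config written to a temp file (not a real
# user's ~/.ssh/config). The path and key name are assumptions.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
Host *
   AddKeysToAgent yes
   UseKeychain yes
   IdentityFile ~/.ssh/userKey
EOF
if check_keychain_stanza "$demo_file"; then
  echo "keychain stanza present: ssh-add -K keys will be reused via Keychain"
else
  echo "keychain stanza missing or incomplete"
fi
rm -f "$demo_file"
```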

Solution 2:

There are multiple options that will generate and store your private key in the Secure Enclave. Access to the keys can be gated via Touch ID and/or a tap on an Apple Watch.

  • Secretive
  • Secure Agent
  • Sekey

Solution 3:

This is somewhat tangential to my original question, but I have recently been using and very much like Krypton, which gives me something a lot like Touch ID unlocking. This solution stores the SSH key in my phone's secure enclave, and my computer and phone negotiate via Bluetooth when I go to use the key. I get a confirmation popup on the phone and respond after unlocking it.

So! I get to do something that works similarly, but is (I think) a bit more secure than storing the key on my laptop (even with a passphrase), pretty definitely better than leaving it decrypted in my Keychain, and very usable to boot.

It also works as a U2F second factor for web services, using a browser plugin.