30

Is it possible to use the Touch ID fingerprint reader to unlock my SSH key?

I have a MacBook Pro with Touch Bar, and I have a traditional text passphrase for my SSH key right now.

I have noticed that I don't get a system dialog asking for my passphrase on 10.12, so this probably isn't a thing, but if I could do it, it would be AMAZING.

Nate
  • 545

5 Answers

23

Update:

One option is to add your private SSH key to the macOS Keychain, then use TouchID for Keychain authentication. You will want to use ssh-add -K ~/.ssh/[your-private-key] -- however, on macOS 10.12 Sierra the feature needs to be enabled by editing ~/.ssh/config and adding:

# asterisk matches all hosts; use a specific host name to scope it
Host *
   AddKeysToAgent yes
   UseKeychain yes
   # replace <key> with your private key path, e.g. ~/.ssh/userKey
   IdentityFile <key>

For details, read:

  1. Permanently add your private key to Keychain so it is automatically available to SSH
  2. Saving SSH keys in macOS Sierra keychain

Original:

At present TouchID unlocking of an SSH key is not available for macOS.

  1. The sudo-touchid Xcode project demonstrates how to build a command line application that is TouchID enabled and fails over to a passcode dialog. It runs on the 2016 MacBook Pro with Touch Bar. However, it is for sudo, not ssh. This indicates that the idea is technically feasible.
  2. The Prompt 2 SSH client has TouchID support -- for iOS, not macOS. This indicates that comparable applications might become available from commercial developers.
  3. One developer online started an ssh touchid wrapper project a few months ago -- although it is an empty project stub. This indicates that others may be asking a similar question to yours.
  • 9
    Can you elaborate on "then use Touch ID for Keychain authentication"? If I follow your steps I'm not asked to authenticate at all. – mniess Mar 20 '18 at 11:07
  • Can you update the instructions to make it more clear whether the first part of the first sentence applies to 10.12+? – Jonathan Nov 01 '22 at 14:48
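As an added example (not part of the answer above), the following POSIX shell script writes the Host stanza the answer describes into ~/.ssh/config idempotently, fixes the file mode so ssh will accept it, and verifies the three directives actually landed under a "Host *" block before you trust them. It assumes a key at ~/.ssh/id_ed25519 (a placeholder; override with KEY_PATH) and lets SSH_CONFIG point at a scratch file for testing. The "--apply" branch also runs ssh-add: on macOS 12 and later the Keychain flag is "--apple-use-keychain", while older releases use the "-K" from the answer. As the first comment observes, this stores the passphrase in the login keychain rather than gating each use behind Touch ID, so do not expect a fingerprint prompt per ssh connection.

```shell
#!/bin/sh
# Added example, not from the original answer.
# SSH_CONFIG and KEY_PATH are assumed names; override them to test in a scratch dir.
set -eu

SSH_CONFIG="${SSH_CONFIG:-$HOME/.ssh/config}"
KEY_PATH="${KEY_PATH:-$HOME/.ssh/id_ed25519}"   # placeholder key path

# Append the Keychain stanza once; running this twice must not duplicate it.
write_keychain_stanza() {
    mkdir -p "$(dirname "$SSH_CONFIG")"
    touch "$SSH_CONFIG"
    chmod 600 "$SSH_CONFIG"   # ssh rejects a config that others can read
    if grep -Eq '^[[:space:]]*UseKeychain[[:space:]]+yes' "$SSH_CONFIG"; then
        return 0              # already configured
    fi
    printf '%s\n' \
        'Host *' \
        '    AddKeysToAgent yes' \
        '    UseKeychain yes' \
        "    IdentityFile $KEY_PATH" >> "$SSH_CONFIG"
}

# Number of UseKeychain lines; 1 proves the append is idempotent.
stanza_count() {
    grep -Ec '^[[:space:]]*UseKeychain[[:space:]]+yes' "$SSH_CONFIG" || true
}

# Exit 0 only if all three directives sit under a "Host *" block.
verify_keychain_stanza() {
    awk '
        /^[[:space:]]*Host[[:space:]]+\*[[:space:]]*$/ { inblock = 1; next }
        /^[[:space:]]*(Host|Match)[[:space:]]/          { inblock = 0 }
        inblock && /^[[:space:]]*AddKeysToAgent[[:space:]]+yes/ { a = 1 }
        inblock && /^[[:space:]]*UseKeychain[[:space:]]+yes/    { k = 1 }
        inblock && /^[[:space:]]*IdentityFile[[:space:]]+/      { i = 1 }
        END { exit !(a && k && i) }
    ' "$SSH_CONFIG"
}

# Permission string of the config file; expect "-rw-------".
config_mode() {
    ls -l "$SSH_CONFIG" | cut -c1-10
}

# Usage: sh this_script.sh --apply   (only then does it touch the agent)
if [ "${1:-}" = "--apply" ]; then
    write_keychain_stanza
    verify_keychain_stanza || { echo "stanza missing in $SSH_CONFIG" >&2; exit 1; }
    # macOS 12+ flag; on older releases substitute: ssh-add -K "$KEY_PATH"
    ssh-add --apple-use-keychain "$KEY_PATH"
fi
```

Run it once with --apply on the Mac; without the flag it only defines the functions, which is what lets it be checked in a scratch directory first.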
7

There are multiple options that will generate and store your private key in the Secure Enclave. Access to the keys can be gated either via Touch ID and/or a tap on an Apple Watch.

2

This is somewhat tangential to my original question, but I have recently been using and very much like Krypton, which gives me something a lot like TouchID unlocking. This solution stores the SSH key on my phone's secure enclave, and my computer and phone negotiate via bluetooth when I go to use the key. I get a confirmation popup on the phone and respond after unlocking that.

So! I get to do something that works similarly, but is (I think) a bit more secure than storing the key on my laptop (even with a passphrase), pretty definitely better than leaving it decrypted in my Keychain, and very usable to boot.

It also works as a U2F second factor for web services, using a browser plugin.

Nate
  • 545
0

On macOS you can use the 1Password SSH/Git agent to unlock your key with TouchID:

For more info: https://developer.1password.com/docs/ssh/agent/#:~:text=The%201Password%20SSH%20agent%20uses,even%20leaves%20the%201Password%20app.

  • Thanks for contributing! Some feedback: It's better to include the relevant portions here so readers don't have to go off-site for the answer and link back as a supporting resource. Also, it would be helpful to show how this directly addresses the question being asked; regarding TouchID. – Allan Jun 22 '23 at 16:08
  • good lord is there a way I can mark my question as old, dumb, and answered so I stop getting notified about it – Nate Jun 22 '23 at 18:29
-3

You could easily write a wrapper to translate touchid calls into ssh and back again. Even further, translate a ~ possible match into a range sequence (think close but incomplete painting) - no magic there. I used the camera for that before, when touchid seemed like a tricorder feature from Star Trek :-)

Try making such an app yourself, a good motivation to learn Swift! Apple has good docs around all of their SDKs, so after the initial pain of Xcode you can do it in a few days.

Seems like a good idea to use the feature, even when everybody will tell you of the gazillions of possible security risks that are, well, possible (like a lot of other things). You will need a dev account though ($99/year...), since self-signed apps can't access all macOS SDK functionality; touchID is (possibly) not accessible without signing.

PJJ
  • 2,326