Use TouchID to Authenticate Sudo on macOS

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • secretive

    Store SSH keys in the Secure Enclave

  • Not exactly connected, but the same crowd interested in this topic may also be interested in this tool to store SSH private keys in the Secure Enclave, kind of like what can be done with a YubiKey:

    https://github.com/maxgoedjen/secretive

    I've been looking for something like this for 3-4 years but only found it six months ago (in an HN thread). I use separate keys for every use case, and now know every time a key is used for any purpose, whether it's connecting to source control or my text editor is connecting to a remote VM.

    The only thing I haven't figured out is how to do git signatures with these sorts of keys, but I haven't debugged it at all.

  • openssh-sk-winhello

    A helper for OpenSSH to interact with FIDO2 and U2F security keys through native Windows Hello API

  • For Windows, it seems it's possible [0, see footnote]; however, there are problems like general incompatibilities [1], and the official support status is "We have this in our backlog. At this point it's not prioritized." [2]

    0: https://github.com/tavrez/openssh-sk-winhello

    0.footnote: "Windows Hello also supports other types of authenticators like internal TPM device (if they support generating ECDSA or Ed25519 keys, they can be used instead of FIDO/U2F security keys)."

    1: https://github.com/tavrez/openssh-sk-winhello/issues

    2: https://github.com/PowerShell/Win32-OpenSSH/issues/1804#issu...

  • Win32-OpenSSH

    Win32 port of OpenSSH

  • pam_wtid

    Patch for Apple's pam_tid PAM Touch ID module to add sudo watch authentication

  • Does watch unlock now work natively with pam_tid? I know as of at least a few months ago it would only work if you could use Touch ID, i.e. when the laptop was open. If it was docked, it would fall back to password auth.

    I wrote a patcher that changed this behavior; it patches pam_tid directly on your system and just updates the API Apple calls to allow unlocking with watch-only when Touch ID is unavailable:

    https://github.com/inickt/pam_wtid

    It was a fun reverse engineering experience, and I wrote up some more info in the README.

  • toucli

    Use TouchID and the Secure Enclave to encrypt data from the commandline.

  • In the same vein, I recently made a tool to use TouchID and the Secure Enclave to protect arbitrary data and env variables from the command line: https://github.com/pathtofile/toucli

  • pam-watchid

    PAM plugin module that allows the Apple Watch to be used for authentication (by insidegui)

  • I'm using this to authorize sudo (and other things) with Apple Watch:

    https://github.com/insidegui/pam-watchid

    ... and my /etc/pam.d/sudo needs to be changed like this:

        # sudo: auth account password session

  • sekey

    Use Touch ID / Secure Enclave for SSH Authentication!

  • dotfiles.nix

    My dotfiles in NIX (by shinzui)

  • nix-darwin currently does not support that directly, but there is an open PR to fix that. For my dotfiles, I added the module from the PR with some slight modifications. You can find the code below.

    https://github.com/shinzui/dotfiles.nix/blob/master/modules/...

  • WinCryptSSHAgent

    Using a Yubikey for SSH Authentication on Windows Seamlessly

  • pamgpgr

  • Self plug, but here's a PAM module I made for using gpg for login: https://gitlab.com/rendaw/pamgpgr. I've been using it for a couple of years for sudo I think (yubikey).

    The code is fairly small so it can be an example for doing other PAM things too.

  • howdy

    🛡️ Windows Hello™ style facial authentication for Linux
