Secretive: Store SSH Keys in the Secure Enclave

292 points by ValentineC about 2 years ago

19 comments

mjg59 about 2 years ago
Secretive has to function as both a key generation utility and an SSH agent because of a restriction in Apple's Secure Enclave functionality - only the app that generates a key is allowed to use it. There's actually a workaround for this, which is to use https://developer.apple.com/documentation/cryptotokenkit to expose keys to the user keychain, which then means the tool used for key generation doesn't have to be the same tool that allows applications to make use of that key. We're using this internally to generate keys that are then combined with user creds to receive x.509 and ssh certificates, and exposing the ssh certs to ssh using the SSH agent protocol. Our next step is to take that a step further and use https://developer.apple.com/documentation/devicecheck/accessing_and_modifying_per-device_data to verify that the device asking for a cert is a device that we own (IT will be able to set one of those bits during device provisioning, and then we query that data during certificate issuance to show that the request comes from something we provisioned).
LoganDark about 2 years ago
I've always been afraid to invest in something like a yubikey or even to use the TPM on any devices I own. I don't ever want to depend on "something I have" that can't be backed up or recovered in any way.

As an example, when I started using a password manager last year, I also made sure to start hosting the (encrypted) passwords database publicly (on a web server) so that if I ever lose it for any reason (SSD fails, etc) I'll be able to download it back onto a computer and unlock it with my master password.

If I ever lose my passwords database I'll also lose access to every internet account I've ever made. It would be far too risky to make it rely on any physical possession of mine.

Some people (most people??) would feel safe knowing that it's impossible for anyone to get into their accounts without their yubikey, but I'd just always be afraid of losing the yubikey.
dang about 2 years ago
Related:

Secretive: An app for storing and managing SSH keys in the Secure Enclave - https://news.ycombinator.com/item?id=28853329 - Oct 2021 (11 comments)

Secretive – macOS native app to store SSH keys in the Secure Enclave - https://news.ycombinator.com/item?id=23664129 - June 2020 (106 comments)
kylehotchkiss about 2 years ago
I wish Apple would add more native support for this somehow. Until then, I've enjoyed using 1Pass for SSH keys, which conveniently allows me to share keys across machines, work confidently knowing my key isn't accessible if a machine is lost, and asks me for Touch ID permission.
VoxPelli about 2 years ago
I was considering this but ultimately opted for 1Password's SSH Agent instead and storing my SSH keys there and unlocking it with Touch ID: https://developer.1password.com/docs/ssh/agent/

Also use it to sign my git commits: https://developer.1password.com/docs/ssh/git-commit-signing
buildbot about 2 years ago
NB: If you use this, make sure to back up the key somehow. About a year ago I tested this with a few servers and lost all of the keys when my Mac had a kernel panic that wiped the state of the Secure Enclave! Updates can do this too!
nixpulvis about 2 years ago
What I kinda want is a way to use a detachable hardware key like a Yubikey as a primary factor for SSH and login authentication. I have multiple computers and I provision new OSes frequently, and I always find it irritating depending on either network or flash drive synchronization for secret material when I could just be plugging in a smartcard device.

Anyone gone down this path?
obscurette about 2 years ago
Looked at it at some point with the hope that it'd provide an easier user experience for using SSH with Yubikey PIV functionality on Mac. Unfortunately it doesn't support the RSA keys we have to use for various reasons.

https://github.com/maxgoedjen/secretive/issues/10
macrolime about 2 years ago
How I'm setting up SSH access currently is to use two-factor authentication where one of the factors is a device identifier, i.e. an SSH key stored in a TPM or, with this, in the Secure Enclave on a Mac, allowing access only from trusted devices. The second is a user identifier, stored in a yubikey.

In sshd_config, you can enable multifactor authentication with a comma separated list after AuthenticationMethods, for example publickey, publickey to require two keys.

https://manpages.debian.org/bullseye/openssh-server/sshd_config.5.en.html#AuthenticationMethods
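A small audit of the AuthenticationMethods setting discussed in the comment above, added here as an example and not code from the thread or from Secretive. It relies on the documented sshd_config semantics: a comma chains methods that must all succeed in order (so `publickey,publickey` needs two different keys), while whitespace separates alternatives of which any one is enough; the sample configs are constructed, and Match blocks are skipped by assumption.

```python
import re

# Constructed sample sshd_config fragments (not from the thread).
STRONG = """Port 22
AuthenticationMethods publickey,publickey
PasswordAuthentication no
"""
# Whitespace makes "publickey" on its own a second, single-factor alternative.
WEAK = """AuthenticationMethods publickey,publickey publickey
"""
# Here a password alone is enough, even though a public key is also listed.
ALSO_WEAK = """AuthenticationMethods = publickey password
"""

# sshd_config accepts "Keyword value" and "Keyword = value"; keywords are
# case-insensitive and only whole lines starting with '#' are comments.
KEYWORD = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_auth_methods(config_text):
    """Return the alternatives from the first AuthenticationMethods line
    outside any Match block as a list of method sequences, or None if the
    keyword is unset. sshd uses the first value it sees for a keyword;
    conditional Match blocks are skipped here and should be audited on
    their own (assumption made for this example)."""
    in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True
            continue
        if in_match or key != "authenticationmethods":
            continue
        if value.lower() == "any":
            return []  # explicit default: any single enabled method suffices
        return [alternative.split(",") for alternative in value.split()]
    return None


def requires_two_factors(config_text):
    """True only if every alternative needs at least two successful
    methods, i.e. no single factor can open a session."""
    alternatives = parse_auth_methods(config_text)
    if not alternatives:
        return False  # unset or "any": one method is enough
    return all(len(sequence) >= 2 for sequence in alternatives)
```

Run it over the output of `sshd -T` rather than the raw file when Match blocks are in play, since that command prints the effective values for a given connection.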
ahepp about 2 years ago
Wow, this is really exciting! I have wished something like this existed; I'll have to try it out. I would love to use Touch ID to protect my ssh keys instead of a password!
nelox about 2 years ago
This is excellent.

A different way of enhancing the security of a private key is to use a passphrase and store the passphrase in the macOS Keychain. Then, configure ssh-agent to always use the Keychain. When you log in to your Mac user account, it will unlock it for use with ssh.

The encryption key needed to decrypt the Keychain is stored inside the Secure Enclave.

If someone manages to obtain your private key, they would also need to guess your passphrase or gain access to the Secure Enclave.
WhyNotHugo about 2 years ago
Doesn't Secure Enclave offer a smartcard-like interface on macOS?

SSH already supports using hardware-backed keys via smartcard interfaces, so such an interface would allow it to work without any extra moving parts.

I keep seeing lots of new programs that are basically "Secure Enclave for X", where X already supports hardware-based keys via existing interfaces.
exabrial about 2 years ago
I'll definitely give this a spin!

My go-to right now is using a gpg key with an ssh subkey. The key is actually on a YubiKey. Similar security properties but portable.
rgreen about 2 years ago
Secretive is one of my favorite tools on macOS. It's the best ssh workflow I've used: key material never leaves the device, can auth with Touch ID, and forward the agent as necessary. I've also sent him $ on GitHub as a small thank you for a tool I use daily (and I'd encourage you to, too!)
nyolfen about 2 years ago
There was a cool app called krypt that did this for iOS, with push notifications to your phone when you ssh'd, where requests were authenticated against your secure enclave. Then it got bought by Akamai and turned into some b2b saas crap.
rollcat about 2 years ago
Unfortunately the SEP only supports ECDSA keys. https://blog.cr.yp.to/20140323-ecdsa.html
wslh about 2 years ago
I don't think the secure enclave is the solution. Identities should be independent of general computation devices with many attack vectors.
encryptluks2 about 2 years ago
This is already possible and has been for some time on Linux using TPM. What is different about secure enclave, or is it just Apple lingo?
throwawayacc5 about 2 years ago
Practically an anti-pattern nowadays. Get a YubiKey and leverage SSH certificates.