
I am using PuTTY to access my server via SSH. Due to the complexity of my private key's password, however, I've decided to consider using other methods of authentication, such as biometrics, more specifically fingerprints.

I have looked up how to do such a thing, but it seems that nobody has ever figured out how to do it before. Since I am using Windows 7, there is some integration between the fingerprint scanner's driver and Windows itself (Windows accepts fingerprints as an official method of authentication).

What I would like to do is unlock my laptop's SSH private key by supplying my fingerprint, and the unlocked private key can then be passed on to the server via SSH to log me in (as usual).

The fingerprint program I am using allows me to save passwords for sites, but it is an abandoned program from AuthenTec. It is also the only program that my fingerprint driver (also from AuthenTec) supports.

How can I complete such an undertaking? Or is it simply not worth the effort?

Castaglia
oldmud0
  • You would have to modify the SSH server and SSH client in order to accomplish this. If your fingerprint device only supports a single program, time to get a new device, considering it is no longer supported. – Ramhound Apr 22 '16 at 15:06
  • @Ramhound It's integrated into the laptop. No way to simply replace it. – oldmud0 Apr 22 '16 at 15:13
  • I presume the laptop has USB ports. You could replace it if you wanted to. You would first have to find an implementation of SSH that even supports what you want to do. – Ramhound Apr 22 '16 at 15:13
  • 1
    I do not have an external reader and I do not plan to get one. They are very expensive and I do not have money to throw around. Their integration is not any better and are just as likely to become obsolete in five years. Also, I don't want to integrate fingerprint data into the SSH protocol itself. I just want to unlock that RSA/DSA private key with a fingerprint so that I can use it for SSH. – oldmud0 Apr 22 '16 at 15:16
  • What you describe would still require a SSH client that supported doing that. – Ramhound Apr 22 '16 at 15:20
  • Right, or a way to input the password on my swipe. – oldmud0 Apr 22 '16 at 15:21
  • Which would require a modified SSH client. Currently you have no SSH client that can even see the scanner, so until that changes, hard to even begin to implement your idea. – Ramhound Apr 22 '16 at 15:23
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/38741/discussion-between-oldmud0-and-ramhound). – oldmud0 Apr 22 '16 at 15:23
  • 2
    [This post on fingerprints for authentication](http://security.stackexchange.com/q/42185/96204) is relevant, and worth reading/contemplating. – Castaglia Apr 22 '16 at 15:49

1 Answer

This sounds like a really interesting experiment. All the parts are available, although I don't know of anyone who has stitched them together. First of all, I would use the x.509 biometric consortium's approach.

Effectively what you'll be doing is creating a private key which is encrypted using a key generated from your fingerprint; then using that key, once decrypted, as a standard x.509 private key. This means that you won't need to modify OpenSSH so much as provide a custom method of providing the private key to it.

Unfortunately, out of the box, OpenSSH doesn't support x.509 authentication. However Roumen Petrov has fixed that here.

I've done both things independently and they work a charm - I've not tried gluing them together though. I suspect, as you allude, it may not be worth the effort.
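The answer's design can be tried without touching the SSH client, using OpenSSH's own passphrase protection plus its SSH_ASKPASS hook. The script below is an added example, not code from the answer or from any of the projects mentioned, and it rests on two assumptions: first, that the fingerprint matcher is used as a gate that releases a stored high-entropy secret on a successful match (live scans do not yield stable bits directly, so deriving a key straight from the scan would need a fuzzy extractor, which is out of scope here); second, that the `FingerprintGate` class, the constructed scan byte strings and the per-key salt are stand-ins for a real reader and its enrolled template. The passphrase that `derive_passphrase` returns is what you would set on the key with `ssh-keygen -p`, and what the helper prints when OpenSSH invokes it as SSH_ASKPASS.

```python
"""
Fingerprint-gated passphrase helper for an OpenSSH private key (example).

Flow, under the assumptions stated in the lead-in:
  1. Enrolment stores a gate secret (random, 32 bytes) behind the matcher.
  2. ssh-keygen -p encrypts the private key under a passphrase that is
     KDF(gate secret, per-key salt).  The key file is an ordinary
     passphrase-protected OpenSSH key, so ssh/ssh-add stay unmodified.
  3. At use time ssh-add asks SSH_ASKPASS for the passphrase; this script
     runs the match, and only on success re-derives and prints it.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

KDF_ITERATIONS = 200_000   # PBKDF2-HMAC-SHA256 work factor (assumed value)
PASSPHRASE_BYTES = 32      # 32 bytes -> 44 base64 characters, newline-free


def derive_passphrase(gate_secret: bytes, key_salt: bytes) -> str:
    """Derive the passphrase protecting one key file.

    The salt is per key, so one gate secret can protect several keys
    without giving them the same passphrase.
    """
    raw = hashlib.pbkdf2_hmac("sha256", gate_secret, key_salt,
                              KDF_ITERATIONS, dklen=PASSPHRASE_BYTES)
    # base64 keeps it printable on one line: ssh-add reads exactly one line.
    return base64.b64encode(raw).decode("ascii")


class FingerprintGate:
    """Stand-in for the OS fingerprint matcher (hypothetical).

    A real matcher scores a live scan against an enrolled template.  Here a
    'scan' is a byte string and matching is a constant-time comparison of
    its hash, so the enrolled scan itself is never kept in the clear.
    """

    def __init__(self, enrolled_scan: bytes, gate_secret: bytes) -> None:
        self._template = hashlib.sha256(enrolled_scan).digest()
        self._gate_secret = gate_secret

    def release(self, live_scan: bytes) -> Optional[bytes]:
        """Return the gate secret on a match, None otherwise."""
        candidate = hashlib.sha256(live_scan).digest()
        if hmac.compare_digest(candidate, self._template):
            return self._gate_secret
        return None


def unlock(gate: FingerprintGate, live_scan: bytes,
           key_salt: bytes) -> Optional[str]:
    """Passphrase for the key if the scan matches, else None (no output)."""
    secret = gate.release(live_scan)
    if secret is None:
        return None
    return derive_passphrase(secret, key_salt)


def main() -> None:
    # Constructed demo data: a stand-in enrolled scan and a random gate secret.
    enrolled_scan = b"constructed-enrolled-scan-bytes"
    gate = FingerprintGate(enrolled_scan, os.urandom(32))
    key_salt = b"id_ed25519"          # one fixed salt per key file (assumed)

    # As SSH_ASKPASS the helper must print the passphrase and nothing else;
    # here the "live scan" is taken from an environment variable for the demo.
    live_scan = os.environ.get("DEMO_SCAN", "constructed-enrolled-scan-bytes")
    passphrase = unlock(gate, live_scan.encode(), key_salt)
    if passphrase is None:
        raise SystemExit(1)           # no match: ssh-add sees a failed prompt
    print(passphrase)


if __name__ == "__main__":
    main()
```

To wire it up on a machine where the gate secret is persisted (the demo above regenerates it every run, so it only shows the logic): set the passphrase once with `ssh-keygen -p -f ~/.ssh/id_ed25519 -N "$(python3 fp_askpass.py)"`, then load the key with `SSH_ASKPASS=/path/to/fp_askpass.py SSH_ASKPASS_REQUIRE=force ssh-add ~/.ssh/id_ed25519`. The security of the scheme is exactly that of the gate: anyone who can read the stored gate secret can derive the passphrase without a finger, which is the point Castaglia's linked post makes about biometrics being identifiers rather than secrets.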