Open linuxtim opened 8 years ago
aeolwyr/tergent in termux allows using the Android keystore to store the private keys. It also allows the use of authenticating access via the fingerprint reader or other enabled methods of unlocking (facial recognition and ??)
Yes, I've used aeolwyr/tergent and termux with great success... (although Termux on the latest Android versions has/had some issues... haven't checked to see if they're resolved)
That said, the KeyStore API does provide a smart-card like interface and smart-card like storage (if supported by the hardware). Specifically, the ability to generate new private keys directly in hardware and protections to prevent the private keys from ever being retrieved.
Quick aside: The real beauty of smart cards (PIV cards) or Hardware key storage is the ability to generate the key directly inside of a secure area... (If you're creating a private key anywhere else --in a file, in memory -- and then importing it to a PIV card or otherwise, you're doing it wrong.) The security comes from the key being secure... For example, with a PIV smart card or other hardware key storage, you should never be able to retrieve the private key itself. Instead, you simply send the data that you need to sign to the card, the card performs all the cryptography (i.e. signing operation w/the private key) on the card and returns the result.
Specifically, have a look at the "KeystoreAPI" of termux/termux-api for an example implementation - tergent actually uses this API for its operations.
That said, implementing this for connectbot is not impossible but requires a bit of work:
I'm not an SSH expert by any means - but I believe the authentication flow would be essentially similar to using SSH with certificates/smart cards.
Unless I'm mistaken (which is very possible), it looks like it would be possible to securely store SSH private keys using Android's "KeyStore" API, and this would seem to add some additional protection against theft of these private keys (especially from devices which have hardware assisted secure key store support). I can't see any support for this in ConnectBot currently.
Would there be any reasons not to support this (assuming it could be made suitably conditional on API availability of the particular OS version it was running on)?