isontheline / pro.webssh.net

iOS / iPadOS / macOS SSH Client
https://apps.apple.com/us/app/id497714887
MIT License
315 stars 46 forks

Ability to support Secure Enclave for Private Keys #1046

Open isontheline opened 9 months ago

isontheline commented 9 months ago

Feature description

I have noticed that it isn't possible to use Face ID to generate the authentication key. It is possible with the competitor's application Termius, but only with ECDSA (P-256) and not with Ed25519. Authenticating using physical keys through FIDO2, fingerprint on MacBooks, or Face ID is possible through the WebAuthn API. The web site webauthn.io provides a demonstration. The benefit is that the private key is stored in a secure place and can't be copied. There is also no need for a passphrase, as access is controlled by biometric control. You probably already know about it. Just wanted to make sure.

By Christophe via email

Yes, I'm aware of the Secure Enclave of Apple devices and I will implement it in a future release. I can't tell you any ETA but I will try to do my best, Christophe.

Related to Ability to support 2FA with FIDO2 (e.g. YubiKeys): #697

tushev commented 3 months ago

So basically we need the following in private keys:

Thank you for your wonderful app!

isontheline commented 3 months ago

Thanks a lot for your support Simon @tushev 🙏

About Secure Enclave: I need to do a lot of work on the underlying SSH library, because the Secure Enclave doesn't provide the private key but instead can only perform operations with it to carry out the cryptographic verifications.

About FIDO2 keys: I haven't found - yet - how to communicate with these devices, as WebSSH runs under the Mac Catalyst framework. If you have any docs about them and Mac Catalyst, please share.
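As an added illustration of the point above (this is example code, not WebSSH's or Secretive's own), the Secure Enclave only ever hands an app an opaque handle to a P-256 key and performs signing on request; the app must therefore build the SSH public-key blob from the exported public half and wrap the enclave's raw ECDSA signature in SSH wire format itself. That is also why Termius (and the Secure Enclave in general) offers ECDSA P-256 and not Ed25519. The type name `EnclaveSSHKey`, the key comment `webssh-enclave` and the `UserDefaults` key are assumptions for this example; the CryptoKit and Security APIs used are Apple's.

```swift
// Added example, not project code: Secure Enclave P-256 key as an SSH identity.
// The private key never leaves the enclave; we persist only `dataRepresentation`
// (an opaque, device-bound handle) and ask the enclave to sign for us.
import CryptoKit
import Foundation
import Security

enum EnclaveSSHKey {
    /// Create a new enclave key, or re-open one from its persisted handle.
    static func open(handle: Data? = nil) throws -> SecureEnclave.P256.Signing.PrivateKey {
        guard SecureEnclave.isAvailable else {
            throw CocoaError(.featureUnsupported) // e.g. simulator, Mac without T2/Apple silicon
        }
        if let handle = handle {
            return try SecureEnclave.P256.Signing.PrivateKey(dataRepresentation: handle)
        }
        // Require the *current* biometric set (Face ID / Touch ID) for every
        // private-key operation; enrolling a new face or finger invalidates the key.
        var cfError: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            [.privateKeyUsage, .biometryCurrentSet],
            &cfError) else {
            throw cfError!.takeRetainedValue() as Error
        }
        return try SecureEnclave.P256.Signing.PrivateKey(accessControl: access)
    }

    /// SSH "string": 4-byte big-endian length followed by the bytes (RFC 4251).
    private static func sshString(_ bytes: Data) -> Data {
        let len = UInt32(bytes.count).bigEndian
        return withUnsafeBytes(of: len) { Data($0) } + bytes
    }

    /// SSH "mpint": minimal big-endian two's complement, 0x00 prefix if the high bit is set.
    private static func sshMpint(_ raw: Data) -> Data {
        var bytes = Data(raw.drop(while: { $0 == 0 }))
        if let first = bytes.first, first & 0x80 != 0 {
            bytes.insert(0, at: bytes.startIndex)
        }
        return sshString(bytes)
    }

    /// authorized_keys line. The enclave exports only the public point, which
    /// x963Representation gives as 0x04 || X || Y, exactly the "Q" blob SSH wants (RFC 5656).
    static func authorizedKeysLine(for key: SecureEnclave.P256.Signing.PrivateKey,
                                   comment: String) -> String {
        let type = "ecdsa-sha2-nistp256"
        var blob = sshString(Data(type.utf8))
        blob.append(sshString(Data("nistp256".utf8)))
        blob.append(sshString(key.publicKey.x963Representation))
        return "\(type) \(blob.base64EncodedString()) \(comment)"
    }

    /// Sign `message` inside the enclave (this is what triggers the biometric prompt)
    /// and wrap the raw r||s result as the SSH signature blob:
    /// string "ecdsa-sha2-nistp256", string(mpint r || mpint s).
    static func sshSignature(for message: Data,
                             with key: SecureEnclave.P256.Signing.PrivateKey) throws -> Data {
        let sig = try key.signature(for: message)   // ECDSA over SHA-256, computed in the enclave
        let raw = sig.rawRepresentation              // 64 bytes: r (32) || s (32)
        let r = Data(raw.prefix(32)), s = Data(raw.suffix(32))
        var blob = sshString(Data("ecdsa-sha2-nistp256".utf8))
        blob.append(sshString(sshMpint(r) + sshMpint(s)))
        return blob
    }
}

// Usage (top level of a main.swift; needs a device with a Secure Enclave).
// In a real SSH client the signed message is the session id plus the
// userauth request (RFC 4252 section 7); here it is a constructed stand-in.
let key = try EnclaveSSHKey.open()
UserDefaults.standard.set(key.dataRepresentation, forKey: "ssh-enclave-key-handle") // handle only, never key material
print(EnclaveSSHKey.authorizedKeysLine(for: key, comment: "webssh-enclave"))
let message = Data("constructed session-id || userauth request".utf8)
let sshSig = try EnclaveSSHKey.sshSignature(for: message, with: key)
print("SSH signature blob, \(sshSig.count) bytes")
```

Note on the design choice: persisting `dataRepresentation` rather than anything derived from the key is what makes this "can't be copied"; the blob is only meaningful to the enclave that produced it. The `.biometryCurrentSet` flag is the strict option; `.userPresence` would also accept the device passcode, which may be preferable for an app that must work when biometrics are unavailable.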

kmanwar89 commented 3 months ago

Hey there!

I was actually about to raise an issue but it looks like there's already issues for this!

I use an application called Secretive for macOS that interacts w/ the Secure Enclave. The private key is never exposed, so you actually can't copy it out of the enclave.

An agent runs, and it exposes the public key (which you can then copy over to whichever server you manage):

image

You can integrate touchID/apple watch integration (which is set through the secretive app itself) when you actually setup the key:

image

Then, in the ~/.ssh/config file, you add a line like so, which integrates with the socket that the Secretive "agent" is running on, passing the auth into the Secure Enclave for validation of the private key:

Host *
        IdentityAgent /Users/kadar/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh

If you can add this feature to WebSSH to support this directive in the ssh config file (which it doesn't seem to do right now), I'd purchase your app immediately :) This is honestly my blocker at the moment, because it's so convenient (and secure) to use TouchID to authenticate each time I ssh into a remote host, and I'd love to see if WebSSH can somehow link into this well-established app.

isontheline commented 3 months ago

@kmanwar89 Thank you so much for considering WebSSH and for your strong feedback about Secretive 🙏

To support Secretive I need to work on #754, and it's not as trivial as it could sound.

I will definitely take another look at it, because it could be great, as you said.

kmanwar89 commented 3 months ago

Thank you so much for responding so quickly! I thought to offer Secretive as a partial solution to at least prevent you from having to figure out the mechanism for interacting with the Secure Enclave. Best of luck and please let me know if you are looking for a beta tester :)