Prefer Non Biometric Keys when Mac Laptop in Clamshell State

[conallob]

I have a Macbook Pro M2 with a nano USB-C Yubikey, which gets used as both a portable laptop and plugged into a docking station at my desk setup.

When using it in portable laptop mode, Touch ID authentication for SSH is wonderful. However, when in clamshell mode, connected to my docking station, I am prompted for the system password in order to use the SSH key in the secure enclave.

Could Secretive prefer SSH keys outside of the Secure Enclave when the system is in "Clamshell State"?

ioreg -r -k AppleClamshellState -d 4 | grep AppleClamshellState | head -1 appears to be a long established way to detect if a Mac is in Clamshell State or not.

[martinpaljak]

While this feels convenient from UX perspective, it also feels like a variant of a "downgrade attack". It assumes that you have both type of keys configured for those remote accounts, and the idea of only using keys that convey hardware-assisted user consent for use OR any other key, to me at least feels like misconfiguration of the remote host account for the purpose of using Secretive in the first place..

Assuming you have two keys configured on secretive, called "always-confirm" and "always-allow", you can explicitly configure for accounts or aliases to use the key of your choice, something along the lines of the following in your ~/.ssh/config

Host dontask
    HostName example.com 
    IdentityFile /Users/$USER/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/PublicKeys/<always-allow>.pub
    IdentitiesOnly yes