Managing SSH keys with Sekey and Touch ID

Created 2022-09-02 ยท Updated 2022-09-02

I have been using Sekey for more than 4 years, I could say the experience is better than using SSH private key with passphrase. Sekey will ask for Touch ID authentication every time I use the private key, it serves great as a second factor when I work with SSH and git. For example: Everytime I push a commit, Sekey will ask for permission. If I run a script that modify my git repository, the Touch ID popup will pop out, the script could not silently modify git repository without my notice.

Sekey will generate and store SSH keys in Secure Enclave and will not expose private key. The public key could be export to transfer to remote host, the Touch ID will be used to authenticate SSH connection instead of private key and passphrase.

When I first used Sekey, I was confused because Sekey didn't let me see my private keys, they were stored in Secure Enclave. But it is a feature, we will not worry of leaking these privated keys.

Installation

https://github.com/sekey/sekey#install

Authenticating 2 Github accounts

The problem with 2 Github accounts is they are using the same username and hostname for SSH connection. We need a way to distinguish between accounts.

We will use git config to make the hostname of those accounts look different. Then we will config SSH sending identity to remote host.

Export public keys for SSH config

sekey --export-key <key-id-1> > ~/.ssh/key_1.pub
sekey --export-key <key-id-2> > ~/.ssh/key_2.pub

$HOME/.gitconfig

[url "[email protected]:account-1/"]
    insteadOf = [email protected]:account-1/

[url "[email protected]:account-2/"]
    insteadOf = [email protected]:account-2/

$HOME/.ssh/config

Host github.com-account-1
    HostName github.com
    IdentityFile ~/.ssh/key_1.pub
    IdentitiesOnly yes

Host github.com-account-2
    HostName github.com
    IdentityFile ~/.ssh/key_2.pub
    IdentitiesOnly yes

Too many failed attempts

When I was using Macbook Pro 2017, the Touch ID was not so accurate, I got many failed scans because my fingers was getting wet. In such case, the Touch ID may locked. I need to lock the computer and use password or Touch ID to unlock, the Touch ID will happily work again with Sekey.