I'm a big fan of tools like secretive[1] that can help solve this problem by using biometrics to shift the UX/security trade-off and thus make it feasible to always require some kind of authentication to sign a token with a key.
I'm not aware of any tools that do the same for Linux, and a quick Google search doesn't turn up much[2]. It does look like you can at least get a notification[3], though.
This could provide another layer of protection on the user's endpoint device in addition to the network monitoring called out in the article. Defense in depth, and all that.
[1] https://github.com/maxgoedjen/secretive
[2] https://unix.stackexchange.com/questions/705144/unlock-an-ss...
[3] https://www.insecure.ws/2013/09/25/ssh-agent-notification.ht...
> Secretive is an app for storing and managing SSH keys in the Secure Enclave
I absolutely love this about Linux. However, I think this freedom of choice leads to difficulty of use in the enterprise.
> I'm not sure what you mean by unified desktop experience as well, can you clarify specifically what that means to you?
So one example that comes to mind for me as I am a security engineer is desktop-specific security software (and let me again emphasize I am talking about desktop). For example, on MacOS you have a myriad of effective desktop security tools that predictably work on the platform once it is released. Patrick Wardle's open source Objective See tooling[1] is the best example I can think of, Little Snitch[2] is another one that comes to mind.
As a thought exercise imagine you were to implement a Linux alternative to KnockKnock[3], which enumerates what applications will run at startup to help identify persistently installed malware. How would you do this on Linux? Monitor ~/.config/autostart, crontab, systemd? What if they have a non-systemd system, what if they are using i3 and starting applications in their i3 config, if you want notifications what notification daemon/client do you implement? The list goes on and on as there are a million different variables.
Another example I don't think can exist on Linux is an alternative to one of my favorite MacOS apps named Secretive[4], which allows you to store secure non-retrievable SSH keys in the Mac's secure enclave. Apple has a bit of an unfair advantage as they control the hardware and software that allows users to access the secure enclave -- but on Linux we don't really even have a uniform way to store credentials on the software side that a security vendor could reliably count on: we can use gnome-keyring, KDE's competitor, pass, gnupg, etc.
I am not saying these problems are insurmountable, but I think that if a security vendor were to target desktop Linux in addition to Windows and MacOS they would almost HAVE TO limit the scope to something like a default Ubuntu desktop LTS running GNOME as the DE (or something similar) so they could reliably reproduce results.
And I am not saying that this means desktop Linux shouldn't be used for work -- I exclusively work from my NixOS machine for my day job. But I have compassion for the IT org or product vendor who can't support desktop Linux in the enterprise -- Linux is kind of the wild, wild west on the desktop.
I hope one day we see a large-scale standard adopted by enterprise (i.e. Ubuntu LTS as the distro, GNOME as the DE, etc.) for desktop Linux just so it would be a more reasonable option in the enterprise. And to be clear, I don't mean that I hope choices for Linux go away, I love the amount of choice you have on Linux. But it can be a great weakness if you want standardized desktop builds.
[1] https://objective-see.org/tools.html
[2] https://www.obdev.at/products/littlesnitch/index.html
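The thought exercise above (a KnockKnock-style enumerator for Linux) worked through as an added example; this is not code from KnockKnock, Objective-See or any project in the thread. It assumes four per-user persistence mechanisms to cover (XDG autostart .desktop files, systemd user units, i3 `exec` lines and a user crontab) and scans a constructed sample home directory, so it runs offline. On a real host the crontab text would come from `crontab -l`; here it is read from a file the example writes itself.

```python
"""Enumerate per-user autostart locations on a Linux desktop (added example).

Each mechanism stores "run this at login" in its own format, which is the
fragmentation the comment describes: the tool has to parse every one it
wants to cover, and this list is assumed, not exhaustive (system-wide
/etc/xdg/autostart, system cron, shell rc files etc. are not scanned).
"""
import configparser
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

Entry = Tuple[str, str, str]  # (mechanism, location, command)

# i3: "exec [--no-startup-id] cmd" and "exec_always ..." lines
_I3_EXEC = re.compile(r"^\s*exec(?:_always)?\s+(?:--no-startup-id\s+)?(.+?)\s*$")
# cron: either "@reboot cmd" style or five time fields followed by the command
_CRON = re.compile(r"^\s*(?:@\w+\s+|(?:\S+\s+){5})(.+?)\s*$")


def _ini(path: Path) -> configparser.ConfigParser:
    # interpolation=None: .desktop Exec= lines carry %U/%f field codes.
    # strict=False: systemd units may repeat keys (several ExecStartPre=).
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(path, encoding="utf-8")
    return cp


def xdg_autostart(home: Path) -> List[Entry]:
    out: List[Entry] = []
    for p in sorted((home / ".config/autostart").glob("*.desktop")):
        cp = _ini(p)
        if not cp.has_section("Desktop Entry"):
            continue
        sec = cp["Desktop Entry"]
        if sec.get("Hidden", "false").lower() == "true":  # entry is disabled
            continue
        out.append(("xdg-autostart", str(p), sec.get("Exec", "").strip()))
    return out


def systemd_user_units(home: Path) -> List[Entry]:
    # Whether a unit is actually enabled depends on *.wants/ symlinks; that
    # is not checked here, so this lists candidates rather than confirmed runs.
    out: List[Entry] = []
    for p in sorted((home / ".config/systemd/user").glob("*.service")):
        cp = _ini(p)
        if cp.has_section("Service") and cp.has_option("Service", "ExecStart"):
            out.append(("systemd-user", str(p), cp.get("Service", "ExecStart").strip()))
    return out


def i3_exec_lines(home: Path) -> List[Entry]:
    p = home / ".config/i3/config"
    if not p.is_file():
        return []
    out: List[Entry] = []
    for n, line in enumerate(p.read_text(encoding="utf-8").splitlines(), 1):
        m = _I3_EXEC.match(line)
        if m:
            out.append(("i3-exec", f"{p}:{n}", m.group(1)))
    return out


def crontab_entries(text: str, location: str = "crontab -l") -> List[Entry]:
    out: List[Entry] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or comment; VAR=value lines fail the regex below
        m = _CRON.match(line)
        if m:
            out.append(("cron", location, m.group(1)))
    return out


def enumerate_autostart(home: Path, crontab_text: str = "") -> List[Entry]:
    return (xdg_autostart(home) + systemd_user_units(home)
            + i3_exec_lines(home) + crontab_entries(crontab_text))


def build_sample_home(root: Path) -> Path:
    """Write constructed sample files (not taken from any real host)."""
    home = root / "home" / "alice"
    auto = home / ".config/autostart"
    auto.mkdir(parents=True)
    (auto / "updater.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=Updater\n"
        "Exec=/home/alice/.local/share/.cache/upd --daemon\n")
    (auto / "disabled.desktop").write_text(
        "[Desktop Entry]\nType=Application\nExec=/usr/bin/noop\nHidden=true\n")
    units = home / ".config/systemd/user"
    units.mkdir(parents=True)
    (units / "sync.service").write_text(
        "[Unit]\nDescription=sync\n[Service]\nExecStart=/usr/bin/python3 /tmp/.s.py\n"
        "[Install]\nWantedBy=default.target\n")
    (home / ".config/i3").mkdir(parents=True)
    (home / ".config/i3/config").write_text(
        "set $mod Mod4\nexec --no-startup-id nm-applet\nexec_always ~/.bin/helper\n")
    (home / "crontab.txt").write_text(
        "SHELL=/bin/sh\n# m h dom mon dow command\n"
        "*/5 * * * * /home/alice/.local/bin/beacon\n@reboot /tmp/.x\n")
    return home


def demo() -> List[Entry]:
    """Build the constructed sample home in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        home = build_sample_home(Path(d))
        return enumerate_autostart(home, (home / "crontab.txt").read_text())


if __name__ == "__main__":
    for mech, loc, cmd in demo():
        print(f"{mech:14} {cmd}    ({loc})")
```

Every mechanism needs its own parser and its own notion of "enabled" (Hidden= for desktop entries, .wants/ symlinks for systemd), and the list grows with each extra desktop environment or init system a vendor wants to support, which is the point the comment makes.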
https://github.com/maxgoedjen/secretive
I've been looking for something like this for 3-4 years but only found it six months ago (in an HN thread). I use separate keys for every use case, and now know every time a key is used for any purpose, whether it's connecting to source control or my text editor is connecting to a remote VM.
Only thing I haven't figured out is how to do git signatures with these sorts of keys, but I haven't debugged it at all.
It can also use Smart Cards (Yubikeys are called out by name in the readme).
A forwarded agent will have the same level of security, meaning that if the forwarded agent needs to use a key in Secretive, it will have to be authorised locally - and even if TouchID is disabled, you are notified if a key is used.
I use it along with Secretive[0] to keep GitHub SSH keys in my MacBook’s Secure Enclave and add a biometric prompt whenever pushing or pulling. All together it’s extremely smooth and unfussy.
Like the acquired/abandoned https://github.com/kryptco/kr [key stored in a [...] mobile app] with iOS and Android apps all under an "All Rights Reserved"-source license?
Also, newer Macs have a Secure Enclave (supports 256-bit secp256r1 ECC keys):
https://github.com/maxgoedjen/secretive [storing and managing SSH keys in the Secure Enclave [...] or a Smart Card (such as a YubiKey)]
https://github.com/sekey/sekey [Use Touch ID / Secure Enclave for SSH Authentication!]
It works together very well with Secretive[1] which allows you to keep your SSH key in your Mac’s Secure Enclave and require Touch ID to use them, as well as displaying a notification showing what’s trying to access keys. It can also store keys in hardware dongles (like YubiKeys) and has a nice native UI for managing multiple keys.
[0]: https://git-fork.com/
[1]: https://github.com/maxgoedjen/secretive
I've stopped using 1Password everywhere I can due to their product "focus", and am working my way through a set of alternatives (currently using Secrets on the Mac and looking at the KeePass ecosystem, which keeps improving monthly):
https://taoofmac.com/space/apps/1password
Edit: It's been fun watching this get upvoted and downvoted in successive waves - for those who are curious, I suggest you check previous posts on 1Password and see if you can spot patterns in their advocates, since they were publicly called out on this a few times already (especially on Twitter).
It’s very simple and works very well. Better than krypt.co did for me, actually — krypt.co would occasionally randomly break, but Secretive has been rock solid. Every time something tries to use your key you get a Touch ID prompt and a notification indicating what triggered it.
This 1Password feature looks nice, but I’m switching away when version 7 stops working. AgileBits just isn’t taking 1Password in a direction that’s appealing for me… they’re clearly more interested in corporate users than individuals, and in the pursuit of a one-size-fits-all-platforms UI they’re losing the attention to detail and polish that used to be a major selling point.
https://github.com/maxgoedjen/secretive
Extra nice with the new Apple Magic Keyboard with Touch ID.
Hope because it would allow me to utilize my mac as a Yubikey. I have no idea how they would synchronize it to all Apple devices, but I'm fairly certain they will find a way.
Fear because it will pretty much guarantee I cannot use my password manager on other platforms.
I already use Secretive (https://github.com/maxgoedjen/secretive) to store SSH keys in the secure enclave with touch id integration, and it works really well. I also keep a couple of Yubikeys as backup :)