Secure Input -- use touchid to authenticate/authorize use of a key (ex: IdentityAgent for ssh)

[rhettjay]

Is there any appetite for opting to use the secure input module for authentication via touch-id, then auto-populate the entry?

I instinctively reach for my touch-id anytime the secure entry bubble pops up, so I thought I would pose the question here(however dumb it may seem). Is it worthwhile to investigate incorporating touch-id to authenticate. I'm imagining something like an IdentityAgent for SSH. For example: 1Password describes this functionality in their ssh-agent documentation. I've not tried their particular implementation, but using touch-id to authenticate/authorize is the basic instinct.

[rhettjay]

I found a better example:
pinentry-touchid

"...allows using Touch ID for fetching the password from the macOS keychain."

I'll admit I haven't combed through the above code in detail, but I'm envisioning something similar just more native. Given that Ghostty uses the native APIs, I'm curious if this functionality has been considered.

[pluiedev]

I personally think this is a bit out of scope for a terminal emulator (and is much better suited for a dedicated password manager like 1Password) but if the API is not too complex we might be able to add it.

[rhettjay]

You're probably right. I have just yet to find an open source tool that is reasonably enough maintained and provides the functionality. 1Password for instance does not open source the developer tools (justifiably so).

[mitchellh]

What I understand that you're asking for isn't a terminal emulator responsibility, it's a shell or lower (probably lower). Just to check I'm not misunderstanding, how did you expect this to work exactly?

[rhettjay]

I think you're probably accurately understanding the context. My expectation would be that Ghostty (upon triggering the secure input module), would only need my fingerprint to then populate the passphrase the program is requesting.

Take elevating a local user to sudo as an example. If I were to execute sudo su - in a new tty session, sudo will require entering of my password. I'm wondering if instead of typing my password if Ghostty could override the functionality by hooking into a password manager or better yet treating my fingerprint as an acceptable form of authentication so ssh could be passwordless. Given that Ghostty triggers the secure input module, I was curious if you or anyone else is aware if this functionality is possible from the terminal emulator perspective, and (if possible) worth including on the roadmap.

Another example would be the signing of git commits. If I sign a git commit (git -S) I will have to utilize a secret (either ssh, gpg, or x.509) to produce the signature. It would be cool/more secure (at least in my mind) to verify this with a second factor (something I am--e.g. fingerprint, or something I have--e.g. yubikey, instead of something I know).

[brandonkal]

Just use https://github.com/maxgoedjen/secretive (macOS)