[Bug 3938] FIDO2 verify-required keys fail to sign on non-biometric tokens ("option uv is unknown")
bugzilla-daemon at mindrot.org
Fri Mar 27 10:18:59 AEDT 2026
https://bugzilla.mindrot.org/show_bug.cgi?id=3938
Damien Miller <djm at mindrot.org> changed:
What    |Removed    |Added
----------------------------------------------------------------------------
CC      |           |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
> SSH signing with ED25519-SK keys created with `-O verify-required`
> fails on non-biometric FIDO2 tokens (e.g. YubiKey 5 series).
I just tested this with a YubiKey 5 (non-biometric) and a Feitian key
running OpenSK and was able to create a verify-required key and use it
with a PIN.
$ ssh-keygen -t ecdsa-sk -O verify-required -N '' -f /tmp/k
$ env SSH_AUTH_SOCK= ./ssh -Snone -i /tmp/k testvm
Confirm user presence for key ECDSA-SK SHA256:wuelukze4wvcxjt7UfPytoEvzO2H7AAiww0IB059jrw
Enter PIN for ECDSA-SK key /tmp/k:
Confirm user presence for key ECDSA-SK SHA256:wuelukze4wvcxjt7UfPytoEvzO2H7AAiww0IB059jrw
User presence confirmed
Last login: Fri Mar 27 10:14:04 2026 from 10.200.200.8
Please attach a full debug log from ssh, maybe that will help figure
out what is actually happening here.