OpenSSH not requesting touch on FIDO keys (was: OpenSSH not requesting PIN code for YubiKey)

Damien Miller djm at
Mon Jul 20 09:27:16 AEST 2020

On Sun, 19 Jul 2020, Domenico Andreoli wrote:

> On Mon, Jul 13, 2020 at 01:34:37PM +1000, Damien Miller wrote:
> > On Fri, 10 Jul 2020, Frank Sharkey wrote:
> > 
> > > I set up the YubiKey with OpenSSH 8.2 (Ubuntu client and server) and it
> > > works. However, it does not do PIN enforcement at SSH login.  It only
> > > requests the PIN during the set-up process (when the key is being
> > > generated). Is that the way it's supposed to work?
> > 
> > Assuming you are using this device as a FIDO token (and not PKCS#11),
> > this is expected. OpenSSH doesn't yet support requiring PINs for keys
> > except for a couple of corner cases (e.g. resident keys).
> > 
> > I hope to add this before OpenSSH 8.4.
> Somewhat related: touching the FIDO key to authorize the operation.
> The user is prompted to touch the FIDO key when generating an ssh key
> but later on (eg. ssh-add -T ...) this does not happen any more.
> I guess it's due to the agent server not having any means to call back
> the client for notifying that user action is required [0].

ssh-agent will prompt via $SSH_ASKPASS if you have it configured.


More information about the openssh-unix-dev mailing list