no-touch-required seems ignored in new and old clients

pedro martelletto pedro at
Wed Apr 14 18:34:50 AEST 2021

>It seems that touch is required with the both old and the new clients
>regardless of whether no-touch-required is in place in authorized_keys
>or not.
>At least that the case when using ed25519-sk keys for authentication
>because when I have a key in place in the server account's
>~/.ssh/authorized_keys like this:
>sk-ssh-ed25519 at AAAAGnNrLXNzaC...NzaDo=
>I can connect using either old (e.g. 8.4p1-5ubuntu1) or new (e.g.
>OpenSSH_8.5, LibreSSL 3.3.2) but have to touch the hardware token to
>complete the authentication.
>According to the manual page for sshd(8), "no-touch-required" should
>eliminate the need to verify physical presence through touching the
>hardware token.  However if I set a key in place in the server account's
>~/.ssh/authorized_keys like this:
>no-touch-required sk-ssh-ed25519 at AAAAGnNrLXNzaC...NzaDo=
>then the hardware token still blinks and yet I still cannot authenticate
>without touching it.  Perhaps I have overlooked something?

In addition to "no-touch-required" in ~/.ssh/authorized_keys, the 
key itself needs to be created with ssh-keygen -O no-touch-required.


More information about the openssh-unix-dev mailing list