no-touch-required seems ignored in new and old clients

Lars Noodén lars.nooden at
Wed Apr 14 18:48:16 AEST 2021

On 4/14/21 11:34 AM, pedro martelletto wrote:
>> It seems that touch is required with the both old and the new clients
>> regardless of whether no-touch-required is in place in authorized_keys
>> or not.
[snip]> In addition to "no-touch-required" in ~/.ssh/authorized_keys,
the key
> itself needs to be created with ssh-keygen -O no-touch-required.

Thanks.  That was it.  Perhaps that part of the manual page for ssh(8)
could be appended something like this:

             Do not require demonstration of user presence for
             signatures made using this key.  This option only
             makes sense for the FIDO authenticator algorithms
             ecdsa-sk and ed25519-sk.  Furthermore, a prerequisite
             for this option is that the keys are created
             with the -O no-touch-required option.

I notice that the converse problem also occurs: if the key was generated
with -O no-touch-required, it will not authenticate if no-touch-required
is not part of the key in authorized_keys.


More information about the openssh-unix-dev mailing list