Fido2 and Fingerprint scan vs touch

Damien Miller djm at
Mon Oct 11 14:18:38 AEDT 2021

On Sun, 10 Oct 2021, Jeremy Hansen wrote:

> I’m evaluating the new Yubikey Bio keys and there’s some issues I
> don’t quite understand regarding presense touch and actual finger
> print verification.
> If I load the resident key (i.e. ssh-add -K), things seem to work
> as expected and the wrong finger print results in dropping down to
> another authentication method.
> If I don’t use ssh-add -K, then it seems ssh only verifies presense.
> I basically want to enforce proper fingerprint recognition always. Is
> there a way to do this?

Yes, you need to specify -Overify-required on the ssh-keygen command-
line when generating the key. 


More information about the openssh-unix-dev mailing list