Fido2 and Fingerprint scan vs touch

Jeremy Hansen jeremy at skidrow.la
Mon Oct 11 14:49:29 AEDT 2021


Yes, I did precisely this. This is how I generated my key:

ssh-keygen -t ed25519-sk -O resident -O verify-required -f ~/.ssh/id_yubico

Does the verify-required in this case only function if you’re using resident keys? I guess that would make sense but this assumes the user is using ssh-add -K. Basically I don’t want a user to be able to gain access unless they verify with a fingerprint from the security key. No other options should be available to get around verifying with a valid fingerprint from the sk. If someone loses a key and it’s found, I want it to be useless unless someone chops off my finger.

Thanks!
-jeremy

> On Sunday, Oct 10, 2021 at 8:18 PM, Damien Miller <djm at mindrot.org (mailto:djm at mindrot.org)> wrote:
> On Sun, 10 Oct 2021, Jeremy Hansen wrote:
>
> > I’m evaluating the new Yubikey Bio keys and there are some issues I
> > don’t quite understand regarding presence touch and actual
> > fingerprint verification.
> >
> > If I load the resident key (i.e. ssh-add -K), things seem to work
> > as expected and the wrong fingerprint results in dropping down to
> > another authentication method.
> >
> > If I don’t use ssh-add -K, then it seems ssh only verifies presence.
> > I basically want to enforce proper fingerprint recognition always. Is
> > there a way to do this?
>
> Yes, you need to specify -Overify-required on the ssh-keygen command-line
> when generating the key.
>
> -d
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
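The thread covers the client-side ssh-keygen flag; sshd also accepts a verify-required option in authorized_keys (OpenSSH 8.4 and later) that makes the server reject security-key signatures made without user verification, so enforcement is not left to the client. As an added example, not code from the thread or from OpenSSH, this script audits an authorized_keys file for sk- keys that lack that option; the sample file and key blobs are constructed placeholders.

```python
SK_KEY_TYPES = {"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

def _split_options(field):
    """Split an authorized_keys options field on commas outside double quotes."""
    opts, cur, quoted = [], "", False
    for ch in field:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            opts.append(cur)
            cur = ""
        else:
            cur += ch
    return opts + [cur] if cur else opts

def parse_line(line):
    """Return (options, keytype) for one line, or None for blank/comment lines.

    The options field, when present, may contain spaces only inside double quotes.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    i, quoted = 0, False
    while i < len(line) and (quoted or not line[i].isspace()):
        if line[i] == '"':
            quoted = not quoted
        i += 1
    first, rest = line[:i], line[i:].strip()
    if first.startswith(("ssh-", "ecdsa-", "sk-")):  # no options field
        return [], first
    return _split_options(first), (rest.split(None, 1)[0] if rest else "")

def audit_authorized_keys(text):
    """Return (line_no, keytype) for each security-key entry lacking verify-required."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed and parsed[1] in SK_KEY_TYPES and "verify-required" not in parsed[0]:
            findings.append((n, parsed[1]))
    return findings

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = """\
verify-required sk-ssh-ed25519@openssh.com AAAAPLACEHOLDER jeremy@laptop
sk-ssh-ed25519@openssh.com AAAAPLACEHOLDER jeremy@desktop
from="10.0.0.0/8",verify-required sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDER ops
ssh-ed25519 AAAAPLACEHOLDER backup
"""
```

Run it against a real file with audit_authorized_keys(open(path).read()); an empty result means every security-key entry requires user verification on the server side.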