Fido2 and Fingerprint scan vs touch

Damien Miller djm at
Mon Oct 11 15:49:21 AEDT 2021

On Sun, 10 Oct 2021, Jeremy Hansen wrote:

> [29D47EC3B2713CA8C4D5C6ED2F759D39_77C7A61CC2EBEA004F2B6E158E046CC9.png] Yes,
> I did precisely this.  This is how I generated my key:
> ssh-keygen -t ed25519-sk -O resident -O verify-required -f ~/.ssh/id_yubico
> Does the verify-required in this case only function if you’re using resident
> keys?  I guess that would make sense but this assumes the user is using
> ssh-add -K.  Basically I don’t want a user to be able to gain access unless
> they verify with a fingerprint from the security key.  No other options
> should be available to get around verifying with a valid fingerprint from
> the sk.  If someone loses a key and it’s found, I want it to be useless
> unless someone chops off my finger.

Fist, there's actually a bug in ssh that causes it to prompt for PIN
unconditionally (see below)

Second, AFAIK biometrics and PIN does through the same "UV" (user-
verified) path in FIDO authenticators, so a PIN may be used as a
substitute for a fingerprint. AFAIK whether this happens is up to
the token itself.

Index: sshconnect2.c
RCS file: /cvs/src/usr.bin/ssh/sshconnect2.c,v
retrieving revision 1.351
diff -u -p -r1.351 sshconnect2.c
--- sshconnect2.c	23 Jul 2021 05:24:02 -0000	1.351
+++ sshconnect2.c	11 Oct 2021 04:45:18 -0000
@@ -1256,7 +1256,7 @@ identity_sign(struct identity *id, u_cha
 		sign_key = prv;
 		if (sshkey_is_sk(sign_key)) {
-			if ((sign_key->sk_flags &
+			if (retried && (sign_key->sk_flags &
 				xasprintf(&prompt, "Enter PIN for %s key %s: ",

More information about the openssh-unix-dev mailing list