Confirm user presence via ssh-agent protocol?
Damien Miller
djm at mindrot.org
Fri Dec 5 12:58:01 AEDT 2025

On Thu, 4 Dec 2025, Jesse Hathaway via openssh-unix-dev wrote:
> I have recently switched to using a FIDO backed ssh key which requires a
> touch for each key operation. I was surprised to discover that no
> feedback is supplied on the terminal to indicate that a touch is
> required, instead the connection appears to simply hang. After a bit of
> research my understanding is that at present there is no mechanism for
> an ssh-agent to indicate to the ssh client that a touch is
> required[1] to continue.
>
> I realize there are other ways to notify that a touch is required,
> including using another agent, or monitoring the FIDO device directly,
> as yubikey-touch-detector does.

ssh-agent can signal that a touch (or PIN) is required via $SSH_ASKPASS.

> However, I would really prefer a message
> in my terminal. Would it be possible to add a new ssh-agent protocol
> message to indicate that a touch is required?

It's not an easy thing to fit into ssh-agent, the FIDO layer or the
protocol unfortunately.

-d