verify-required: ssh-keygen manpage ambiguity

Lukas Ribisch lukas at lxgr.net
Sat Jan 11 11:10:46 AEDT 2025


On Fri, Jan 10, 2025 at 6:45 PM Christian Weisgerber <naddy at mips.inka.de> wrote:
>
> Lukas Ribisch:
>
> > Based on my understanding of the FIDO protocol, user verification is
> > independently requested during key creation and verification via
> > server (i.e. relying party in FIDO/WebAuthN terminology) side flags,
> > i.e. "user verification required" is not a per-key/credential, but
> > rather a per-operation property.
>
> CTAP 2.1 has a Credential Protection feature which allows a newly
> created credential to be mandatorily protected by the authenticator
> through some form of user verification, e.g. PIN entry.  This is
> requested by ssh-keygen when generating a key with the verify-required
> option, see sk_enroll() in sk-usbhid.c.
>

Ah, and it looks like ssh-keygen then errors out if this option is
requested but not supported by a given authenticator.

Thank you, appreciate it!

Best,
Lukas
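As an added example, not code from this thread or from OpenSSH: a small Python parser that reads the flags byte out of an unencrypted sk-* private key file, so an administrator can confirm that a key really was generated with verify-required (0x04) rather than relying on the authorized_keys option alone. It assumes the private-key layout documented in OpenSSH's PROTOCOL.u2f and the flag bit values from sk-api.h; the sample key it builds is synthetic, with a dummy public key and key handle.

```python
import base64
import struct

# Flag bits as in OpenSSH's sk-api.h; ssh-keygen -O verify-required sets 0x04.
FLAG_NAMES = {0x01: "user-presence", 0x04: "verify-required",
              0x10: "force-operation", 0x20: "resident"}
SK_TYPES = (b"sk-ssh-ed25519@openssh.com", b"sk-ecdsa-sha2-nistp256@openssh.com")

def _take(buf, off):
    """Read one SSH 'string' (uint32 length prefix) and return (bytes, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def sk_key_flags(pem_text):
    """Flags byte of an unencrypted sk-* private key in openssh-key-v1 format."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    raw = base64.b64decode(body)
    magic = b"openssh-key-v1\0"
    if not raw.startswith(magic):
        raise ValueError("not an openssh-key-v1 file")
    cipher, off = _take(raw, len(magic))
    if cipher != b"none":
        raise ValueError("key is encrypted; this parser only handles unencrypted keys")
    _kdf, off = _take(raw, off)
    _kdfopts, off = _take(raw, off)
    off += 4                               # uint32 number of keys (one per file)
    _pub, off = _take(raw, off)
    priv, _ = _take(raw, off)
    ktype, p = _take(priv, 8)              # skip the two uint32 check integers
    if ktype not in SK_TYPES:
        raise ValueError("not a FIDO key: %s" % ktype.decode())
    if ktype == SK_TYPES[1]:
        _curve, p = _take(priv, p)         # ecdsa-sk carries the curve name first
    _pubkey, p = _take(priv, p)
    _app, p = _take(priv, p)               # application / relying party, e.g. "ssh:"
    return priv[p]                         # uint8 flags follows the application

def describe_flags(flags):
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]

def _s(b):
    return struct.pack(">I", len(b)) + b

def build_sample_key(flags):
    """Constructed ed25519-sk key file with dummy public key and handle (not a real key)."""
    priv = struct.pack(">II", 7, 7) + _s(SK_TYPES[0]) + _s(b"\0" * 32) + _s(b"ssh:")
    priv += bytes([flags]) + _s(b"dummy-handle") + _s(b"") + _s(b"comment")
    priv += bytes(range(1, (-len(priv)) % 8 + 1))    # pad to cipher block size 8
    raw = b"openssh-key-v1\0" + _s(b"none") + _s(b"none") + _s(b"") + struct.pack(">I", 1)
    raw += _s(b"dummy-public-blob") + _s(priv)
    b64 = base64.b64encode(raw).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % b64
```

A passphrase-protected key must be decrypted first (for example by copying it and running `ssh-keygen -p` to remove the passphrase on the copy), since the flags sit inside the encrypted section.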

