FIDO prompts weirdness?
vinschen at redhat.com
Wed Aug 17 20:22:31 AEST 2022
while working on the WinHello extension to OpenSSH, I just noticed for
the first time that the prompts for a key differ in how they identify
$ ./ssh server
Enter PIN for ED25519-SK key /home/user/.ssh/id_ed25519_sk:
Confirm user presence for key ED25519-SK SHA256:DHNZMpmDM7HQLUgdn6JUgUf6wwuC4DHsnrmXubxfs98
So the PIN prompt identifies the key by filename, while the user
presence prompt identifies the key by its fingerprint.
Isn't that a bit puzzeling to the user? Wouldn't it make more sense to
use the same identification string, be it either the filename, or the
fingerprint, but not both?
If my question makes any sense at all, I would prefer the filename.
It's much easier to recognize than a fingerprint.
More information about the openssh-unix-dev