FIDO prompts weirdness?

Corinna Vinschen vinschen at
Wed Aug 17 20:22:31 AEST 2022


while working on the WinHello extension to OpenSSH, I just noticed for
the first time that the prompts for a key differ in how they identify
the key:

$ ./ssh server
Enter PIN for ED25519-SK key /home/user/.ssh/id_ed25519_sk:
Confirm user presence for key ED25519-SK SHA256:DHNZMpmDM7HQLUgdn6JUgUf6wwuC4DHsnrmXubxfs98

So the PIN prompt identifies the key by filename, while the user
presence prompt identifies the key by its fingerprint.

Isn't that a bit puzzeling to the user?  Wouldn't it make more sense to
use the same identification string, be it either the filename, or the
fingerprint, but not both?

If my question makes any sense at all, I would prefer the filename.
It's much easier to recognize than a fingerprint.


More information about the openssh-unix-dev mailing list