FIDO prompts weirdness?

Jochen Bern Jochen.Bern at
Thu Aug 18 18:36:16 AEST 2022

On 17.08.22 12:22, Corinna Vinschen wrote:
> So the PIN prompt identifies the key by filename, while the user
> presence prompt identifies the key by its fingerprint.
> Isn't that a bit puzzling to the user?  Wouldn't it make more sense to
> use the same identification string, be it either the filename, or the
> fingerprint, but not both?
> If my question makes any sense at all, I would prefer the filename.
> It's much easier to recognize than a fingerprint.

There actually is a more general context (beyond FIDO and other secure 
storage forms of keypairs) to that. Observe:

> $ ssh-add .ssh/id_ed25519
> Enter passphrase for .ssh/id_ed25519: 
> Identity added: .ssh/id_ed25519 (Jochen.Bern+ed25519 at

> $ ssh-add -l
> 256 SHA256:hs4PHi7JJYXm+7jRxoHy2PYmBlVQNZw7eRYba3IExss Jochen.Bern+ed25519 at (ED25519)

So, file, file+comment, (size+)fingerprint+comment(+type).

Of course, as soon as an SSH agent comes into play, the name of the file 
the (priv)key(pair) was originally loaded from is likely forgotten. Or, 
if the agent is forwarded, outright meaningless. And we all know that 
the comment is trivial to change (the key type wasn't in there when I 
*created* the keypairs, I added it when I found that it helps telling 
multiple keypairs apart when sshaskpass makes an appearance - stating 
comment+fingerprint). Which currently leaves the fingerprint as the 
"best to handle"¹ *immutable* ID ...

(¹ Think "sshaskpass and a) entire pubkey in hex or b) ASCII art")

Jochen Bern

Binect GmbH
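To make the "immutable ID" point concrete, here is an added example (not part of the original post, and not OpenSSH's own code) that builds an OpenSSH-style public-key line from a constructed, non-real Ed25519 key, computes the SHA256 fingerprint the way ssh-add -l shows it, and demonstrates that changing the comment leaves the fingerprint untouched; the comment strings and key bytes are made up for the demo.

```python
import base64
import hashlib
import struct

# Constructed sample key material (NOT a real key): 32 arbitrary bytes
# standing in for an Ed25519 public key, so the example runs offline.
FAKE_ED25519_PUB = bytes(range(32))


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def make_pubkey_line(pub: bytes, comment: str) -> str:
    """Build an OpenSSH 'ssh-ed25519 <base64 blob> <comment>' line."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(pub)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str):
    """Split a public-key line into (key type, raw blob, comment)."""
    parts = line.strip().split(None, 2)
    key_type, blob = parts[0], base64.b64decode(parts[1])
    comment = parts[2] if len(parts) > 2 else ""
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type in text does not match the blob")
    return key_type, blob, comment


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: base64(SHA-256(blob)) with '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def agent_listing(line: str) -> str:
    """Render a line the way 'ssh-add -l' does: bits, fingerprint, comment, (TYPE)."""
    key_type, blob, comment = parse_pubkey_line(line)
    if key_type != "ssh-ed25519":  # only Ed25519 is handled in this example
        raise ValueError("unsupported key type")
    return f"256 {sha256_fingerprint(blob)} {comment} (ED25519)"


if __name__ == "__main__":
    # Same key, two different comments: the fingerprint column does not move.
    for c in ("mykey", "mykey+ed25519"):
        print(agent_listing(make_pubkey_line(FAKE_ED25519_PUB, c)))
```

The fingerprint hashes only the key blob, so neither the file name the key was loaded from nor the comment (which ssh-keygen -c can rewrite at will) has any influence on it.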

More information about the openssh-unix-dev mailing list