Fido2 sometimes prompts for PIN

Jeremy Hansen jeremy at skidrow.la
Thu Aug 25 15:59:50 AEST 2022


I’m trying to understand why my fido2 configuration only asks for a PIN sometimes…

Is there a way to force it to ask for PIN every time?

jeremy at macbook-pro ~ % ssh -A -l root -i ~/.ssh/id_ed25519_sk test.domain.intra
Confirm user presence for key ED25519-SK SHA256:8KYU2Ekxqudg3lwWiSvR9haxH9rNZKPEzKykKLA3jvc
User presence confirmed
Last login: Thu Aug 25 01:56:34 2022 from 192.168.10.95
[root at test ~]# logout
Connection to test.domain.intra closed.
jeremy at macbook-pro ~ % ssh -A -l root -i ~/.ssh/id_ed25519_sk test.domain.intra
Confirm user presence for key ED25519-SK SHA256:8KYU2Ekxqudg3lwWiSvR9haxH9rNZKPEzKykKLA3jvc
User presence confirmed
Last login: Thu Aug 25 01:56:40 2022 from 192.168.10.95
[root at test ~]# logout
Connection to test.domain.intra closed.
jeremy at macbook-pro ~ % ssh -A -l root -i ~/.ssh/id_ed25519_sk test.domain.intra
Confirm user presence for key ED25519-SK SHA256:8KYU2Ekxqudg3lwWiSvR9haxH9rNZKPEzKykKLA3jvc
User presence confirmed
Last login: Thu Aug 25 01:56:44 2022 from 192.168.10.95
[root at test ~]# logout
Connection to test.domain.intra closed.
jeremy at macbook-pro ~ % ssh -A -l root -i ~/.ssh/id_ed25519_sk test.domain.intra
Confirm user presence for key ED25519-SK SHA256:8KYU2Ekxqudg3lwWiSvR9haxH9rNZKPEzKykKLA3jvc
Enter PIN for ED25519-SK key /Users/jeremy/.ssh/id_ed25519_sk:
Confirm user presence for key ED25519-SK SHA256:8KYU2Ekxqudg3lwWiSvR9haxH9rNZKPEzKykKLA3jvc
User presence confirmed
Last login: Thu Aug 25 01:56:47 2022 from 192.168.10.95
[root at test ~]#

And when it does actually ask for a PIN, it follows the PIN entry up with another touch request.

Server is 8.8p1, client is 9.0p1.

Distro is CentOS 8.6 on the server and macOS on the client.

Thanks
-jeremy


More information about the openssh-unix-dev mailing list