Hello,

In testing security key support in OpenSSH 8.2, I had some trouble making the “no-touch-required” option in the authorized_keys file work in conjunction with OpenSSH certificates. I think I’ve figured it out, but I think there may be a bug in ssh-keygen related to this.

To make “no-touch-required” work with certificates, I actually had to do three things:

  1. Generate the security key with touch disabled
  2. Add “no-touch-required” as an extension when generating the certificate for this key
  3. Add “no-touch-required” (along with “cert-authority”) in the authorized key entry on the server for the CA which signed the certificate

I would have expected that trusting a CA in authorized_keys along with the certificate having “no-touch-required” set to be enough to accept the key, without having to further override that explicitly in the authorized_keys entry. However, I can accept that you might want extra confirmation on the server that this certificate option should be trusted. Alternately, once that option was set in authorized_keys, I would have expected keys which don’t require presence to be accepted even without the certificate “no-touch-required” being set, similar to the non-certificate case. Is that the intended behavior, to reject keys without presence unless BOTH options are set (in addition to the key itself not requiring presence)?

The other issue I ran across is that specifying “-O no-touch-required” when generating the certificate didn’t work, despite that being documented in the man page. It appears that ssh-keygen treats this keyword as an unknown “critical” value, rather than an “extension”. So, the generated certificate ended up looking something like:

    Critical Options:
            no-touch-required UNKNOWN OPTION (len 0)
    Extensions:
            permit-X11-forwarding
            permit-agent-forwarding
            permit-port-forwarding
            permit-pty
            permit-user-rc

To get it to be an extension, I had to use “-O extension:no-touch-required” as the option to ssh-keygen. Then, I saw:

    Critical Options: (none)
    Extensions:
            permit-X11-forwarding
            permit-agent-forwarding
            permit-port-forwarding
            permit-pty
            permit-user-rc
            no-touch-required

I’m guessing this is not the intended behavior, and that “no-touch-required” should have been recognized as an extension without the “extension:” prefix, just like the other options such as “no-agent-forwarding”.

-- 
Ron Frederick
ronf@xxxxxxxxxxxxx

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
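Added example, not from the message above or from OpenSSH: a minimal reader for the critical-options and extensions sections of an sk-ecdsa certificate blob, so an administrator can check programmatically where ssh-keygen placed no-touch-required (the critical-options section that the mail reports for “-O no-touch-required”, or the extensions section that sshd expects). The certificate is constructed inline with placeholder key material and no real signature; field order follows OpenSSH's PROTOCOL.u2f description of the sk certificate format.

```python
import struct

CERT_TYPE = b"sk-ecdsa-sha2-nistp256-cert-v01@openssh.com"

def _s(b):                      # encode an SSH "string": uint32 length + bytes
    return struct.pack(">I", len(b)) + b

def _rd(buf, off):              # decode one SSH string, return (value, new offset)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _opts(names):
    # An options section is a sequence of (string name, string data);
    # flag-style options such as no-touch-required carry an empty data string.
    return b"".join(_s(n.encode()) + _s(b"") for n in names)

def build_sk_cert(critical, extensions):
    """Constructed cert blob with PLACEHOLDER key material and signature."""
    return (_s(CERT_TYPE) + _s(b"N" * 32) + _s(b"nistp256")
            + _s(b"\x04" + b"\x00" * 64)           # placeholder EC point
            + _s(b"ssh:")                          # FIDO application
            + struct.pack(">QI", 1, 1)             # serial, type (1 = user)
            + _s(b"user-key") + _s(_s(b"alice"))   # key id, valid principals
            + struct.pack(">QQ", 0, 2**64 - 1)     # valid after / valid before
            + _s(_opts(critical)) + _s(_opts(extensions))
            + _s(b"") + _s(b"placeholder-ca") + _s(b"placeholder-sig"))

def _names(section):
    names, off = [], 0
    while off < len(section):
        name, off = _rd(section, off)
        _, off = _rd(section, off)   # skip the option's data string
        names.append(name.decode())
    return names

def cert_options(blob):
    """Return (critical option names, extension names) from a cert blob."""
    off = 0
    for _ in range(5):          # type, nonce, curve, public key, application
        _, off = _rd(blob, off)
    off += 12                   # serial (uint64) + type (uint32)
    for _ in range(2):          # key id, valid principals
        _, off = _rd(blob, off)
    off += 16                   # valid after + valid before (two uint64)
    crit, off = _rd(blob, off)
    ext, _ = _rd(blob, off)
    return _names(crit), _names(ext)

def no_touch_placement(blob):
    """'critical' (the mis-placement the mail reports), 'extension', or None."""
    crit, ext = cert_options(blob)
    return ("critical" if "no-touch-required" in crit
            else "extension" if "no-touch-required" in ext else None)
```

For a real certificate, base64-decode the second field of the -cert.pub file and pass the resulting bytes to cert_options().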