It seems that touch is required with the both old and the new clients regardless of whether no-touch-required is in place in authorized_keys or not. At least that the case when using ed25519-sk keys for authentication because when I have a key in place in the server account's ~/.ssh/authorized_keys like this: sk-ssh-ed25519@xxxxxxxxxxx AAAAGnNrLXNzaC...NzaDo= I can connect using either old (e.g. 8.4p1-5ubuntu1) or new (e.g. OpenSSH_8.5, LibreSSL 3.3.2) but have to touch the hardware token to complete the authentication. According to the manual page for sshd(8), "no-touch-required" should eliminate the need to verify physical presence through touching the hardware token. However if I set a key in place in the server account's ~/.ssh/authorized_keys like this: no-touch-required sk-ssh-ed25519@xxxxxxxxxxx AAAAGnNrLXNzaC...NzaDo= then the hardware token still blinks and yet I still cannot authenticate without touching it. Perhaps I have overlooked something?
In addition to "no-touch-required" in ~/.ssh/authorized_keys, the key itself needs to be created with ssh-keygen -O no-touch-required.
-p. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev