On 4/14/21 11:34 AM, pedro martelletto wrote:
>> It seems that touch is required with both the old and the new clients
>> regardless of whether no-touch-required is in place in authorized_keys
>> or not.
[snip]
> In addition to "no-touch-required" in ~/.ssh/authorized_keys, the key
> itself needs to be created with ssh-keygen -O no-touch-required.

Thanks. That was it. Perhaps that part of the manual page for ssh(8)
could be appended something like this:

     no-touch-required
             Do not require demonstration of user presence for signatures
             made using this key. This option only makes sense for the FIDO
             authenticator algorithms ecdsa-sk and ed25519-sk. Furthermore,
             a prerequisite for this option is that the keys are created
             with the -O no-touch-required option.

I notice that the converse problem also occurs: if the key was generated
with -O no-touch-required, it will not authenticate if no-touch-required
is not part of the key in authorized_keys.

/Lars
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
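
The pairing described in this thread can be checked from the server side. The following is an added example, not code from the thread or from OpenSSH: a small audit of authorized_keys that reports, per entry, which half of the no-touch-required pairing still needs to be confirmed. The sample file, its placeholder key blobs and the finding names are constructed for illustration.

```python
import re

# Fields are separated by whitespace, but a double-quoted option value may
# contain spaces, commas and backslash-escaped quotes.
FIELD = re.compile(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+')
OPTION = re.compile(r'(?:[^,"]|"(?:\\.|[^"\\])*")+')
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # a line without options starts with the key type

# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE = """\
# constructed authorized_keys
no-touch-required sk-ssh-ed25519@openssh.com AAAAPLACEHOLDER1 user@laptop
sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDER2 backup-token
command="echo hi, there",no-touch-required ssh-ed25519 AAAAPLACEHOLDER3 batch
ssh-rsa AAAAPLACEHOLDER4 legacy
"""

def audit(text):
    """Return (line number, key type, finding) for each entry worth a look."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = FIELD.findall(line.strip())
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith(KEY_PREFIXES):
            options, keytype = [], fields[0]
        elif len(fields) > 1:
            options, keytype = OPTION.findall(fields[0]), fields[1]
        else:
            continue
        names = {opt.split("=", 1)[0].lower() for opt in options}
        no_touch = "no-touch-required" in names
        fido = keytype.startswith("sk-")
        if no_touch and not fido:
            # the option only makes sense for the FIDO (sk) key types
            findings.append((lineno, keytype, "NOT_FIDO"))
        elif no_touch:
            # works only if the key was created with ssh-keygen -O no-touch-required
            findings.append((lineno, keytype, "NEEDS_KEYGEN_FLAG"))
        elif fido:
            # touch enforced: a key created with -O no-touch-required will not authenticate
            findings.append((lineno, keytype, "TOUCH_ENFORCED"))
    return findings

if __name__ == "__main__":
    for lineno, keytype, finding in audit(SAMPLE):
        print(f"line {lineno}: {keytype}: {finding}")
```

The script reads only authorized_keys, so each finding says what to confirm about how the key was generated rather than confirming it.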