Yes, I did precisely this. This is how I generated my key:

ssh-keygen -t ed25519-sk -O resident -O verify-required -f ~/.ssh/id_yubico

Does the verify-required in this case only function if you’re using resident keys? I guess that would make sense, but this assumes the user is using ssh-add -K.

Basically I don’t want a user to be able to gain access unless they verify with a fingerprint from the security key. No other options should be available to get around verifying with a valid fingerprint from the sk. If someone loses a key and it’s found, I want it to be useless unless someone chops off my finger.

Thanks!
-jeremy

> On Sunday, Oct 10, 2021 at 8:18 PM, Damien Miller <djm@xxxxxxxxxxx> wrote:
> On Sun, 10 Oct 2021, Jeremy Hansen wrote:
>
> > I’m evaluating the new Yubikey Bio keys and there are some issues I
> > don’t quite understand regarding presence touch and actual finger
> > print verification.
> >
> > If I load the resident key (i.e. ssh-add -K), things seem to work
> > as expected and the wrong finger print results in dropping down to
> > another authentication method.
> >
> > If I don’t use ssh-add -K, then it seems ssh only verifies presence.
> > I basically want to enforce proper fingerprint recognition always. Is
> > there a way to do this?
>
> Yes, you need to specify -Overify-required on the ssh-keygen command-
> line when generating the key.
>
> -d
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
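The thread above covers the client side: -O verify-required is recorded in the private key file and makes ssh request user verification when it signs. A server that wants to insist on verification cannot rely on that flag, because the private key file is under the key holder's control; sshd has its own authorized_keys option, verify-required, that rejects FIDO signatures whose user-verification bit is not set. The script below is an added example that is not from the thread or from the OpenSSH project. It lints an authorized_keys file for sk-* keys that lack that option. It assumes an sshd that supports the verify-required authorized_keys option (OpenSSH 8.4 and later) and uses a constructed sample file with placeholder key blobs; the file name and comments are hypothetical.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Checks that every
# FIDO (sk-*) key in an authorized_keys file carries the sshd option
# "verify-required" (OpenSSH 8.4+), so the server itself enforces user
# verification instead of trusting the flag stored in the client's key.
#
# Client side, for reference only (needs a FIDO2 token, so not run here):
#   ssh-keygen -t ed25519-sk -O resident -O verify-required -f ~/.ssh/id_yubico
#   ssh-add -K          # load resident keys from the token
#
# Server side: each sk-* line in authorized_keys should start with the
# verify-required option, e.g.
#   verify-required sk-ssh-ed25519@openssh.com AAAA... comment

# Constructed sample authorized_keys; key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS='# bio key enrolled with -O verify-required
verify-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tPLACEHOLDER1 jeremy@bio
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tPLACEHOLDER2 jeremy@laptop
restrict,verify-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb21PLACEHOLDER3 deploy
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER4 software-key'

# Print "<line number>: <line>" for every non-comment line whose key type is
# a FIDO (sk-*) algorithm and whose option list lacks verify-required.
# Reads the authorized_keys content from stdin.
sk_keys_without_verify_required() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # comments and blank lines
        {
            # the key-type token is the first field that looks like an
            # SSH algorithm name; everything before it is the option list
            kt = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(sk-|ssh-|ecdsa-)/) { kt = i; break }
            if (kt == 0 || $kt !~ /^sk-/) next       # not a FIDO key
            opts = ""
            for (i = 1; i < kt; i++) opts = opts "," $i
            # options are comma-separated; a quoted command= value containing
            # the same word would also match, which this simple check ignores
            if (opts !~ /(^|,)verify-required(,|$)/) printf "%d: %s\n", NR, $0
        }'
}

# Return 0 when every sk-* key requires user verification, 1 otherwise.
check_authorized_keys() {
    bad=$(sk_keys_without_verify_required < "$1")
    if [ -n "$bad" ]; then
        printf 'sk keys missing verify-required:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

tmp=$(mktemp)
printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" > "$tmp"
if check_authorized_keys "$tmp"; then
    echo "all FIDO keys require user verification"
else
    echo "add verify-required to the lines listed above"
fi
rm -f "$tmp"
```

Run it against a real file with `check_authorized_keys ~/.ssh/authorized_keys`. Enforcement has to happen on the server: the flag ssh-keygen writes only tells ssh to ask the token for user verification, and a signature produced without it is rejected by sshd only when the matching authorized_keys entry says verify-required.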