On Sun, 10 Oct 2021, Jeremy Hansen wrote:

> Yes, I did precisely this. This is how I generated my key:
>
> ssh-keygen -t ed25519-sk -O resident -O verify-required -f ~/.ssh/id_yubico
>
> Does the verify-required in this case only function if you're using resident
> keys? I guess that would make sense, but this assumes the user is using
> ssh-add -K. Basically I don't want a user to be able to gain access unless
> they verify with a fingerprint from the security key. No other options
> should be available to get around verifying with a valid fingerprint from
> the sk. If someone loses a key and it's found, I want it to be useless
> unless someone chops off my finger.

First, there's actually a bug in ssh that causes it to prompt for PIN
unconditionally (see below).

Second, AFAIK biometrics and PIN go through the same "UV" (user-verified)
path in FIDO authenticators, so a PIN may be used as a substitute for a
fingerprint. AFAIK whether this happens is up to the token itself.

Index: sshconnect2.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshconnect2.c,v
retrieving revision 1.351
diff -u -p -r1.351 sshconnect2.c
--- sshconnect2.c	23 Jul 2021 05:24:02 -0000	1.351
+++ sshconnect2.c	11 Oct 2021 04:45:18 -0000
@@ -1256,7 +1256,7 @@ identity_sign(struct identity *id, u_cha
 	}
 	sign_key = prv;
 	if (sshkey_is_sk(sign_key)) {
-		if ((sign_key->sk_flags &
+		if (retried && (sign_key->sk_flags &
 		    SSH_SK_USER_VERIFICATION_REQD)) {
  retry_pin:
 			xasprintf(&prompt, "Enter PIN for %s key %s: ",

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
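Review bot: `retried` is introduced into the condition in the `+` line of the sshconnect2.c hunk but is neither declared nor assigned anywhere in the visible lines; confirm it is initialised to 0 before the first signing attempt and set on the path that jumps back to `retry_pin:`, otherwise the PIN prompt inside this block is never reached and a UV-required key with no biometric fallback cannot sign at all. Since `retry_pin:` sits inside the now-gated `if (retried && ...)` block, a `goto retry_pin` from the failure path still lands on the prompt as intended, but a short comment above the condition stating the intent (skip the PIN prompt on the first attempt so the token can satisfy UV by other means, and only ask for a PIN once the token has reported that one is needed) would make the change self-explanatory to the next reader.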