I’m trying to understand why my fido2 configuration only asks for a PIN sometimes… Is there a way to force it to ask for PIN every time?

jeremy@macbook-pro ~ % ssh -A -l root -i ~/.ssh/id_ed25519_sk test.domain.intra
Confirm user presence for key ED25519-SK SHA256:8KYU2Ekxqudg3lwWiSvR9haxH9rNZKPEzKykKLA3jvc
User presence confirmed
Last login: Thu Aug 25 01:56:34 2022 from 192.168.10.95
[root@test ~]# logout
Connection to test.domain.intra closed.
jeremy@macbook-pro ~ % ssh -A -l root -i ~/.ssh/id_ed25519_sk test.domain.intra
Confirm user presence for key ED25519-SK SHA256:8KYU2Ekxqudg3lwWiSvR9haxH9rNZKPEzKykKLA3jvc
User presence confirmed
Last login: Thu Aug 25 01:56:40 2022 from 192.168.10.95
[root@test ~]# logout
Connection to test.domain.intra closed.
jeremy@macbook-pro ~ % ssh -A -l root -i ~/.ssh/id_ed25519_sk test.domain.intra
Confirm user presence for key ED25519-SK SHA256:8KYU2Ekxqudg3lwWiSvR9haxH9rNZKPEzKykKLA3jvc
User presence confirmed
Last login: Thu Aug 25 01:56:44 2022 from 192.168.10.95
[root@test ~]# logout
Connection to test.domain.intra closed.
jeremy@macbook-pro ~ % ssh -A -l root -i ~/.ssh/id_ed25519_sk test.domain.intra
Confirm user presence for key ED25519-SK SHA256:8KYU2Ekxqudg3lwWiSvR9haxH9rNZKPEzKykKLA3jvc
Enter PIN for ED25519-SK key /Users/jeremy/.ssh/id_ed25519_sk:
Confirm user presence for key ED25519-SK SHA256:8KYU2Ekxqudg3lwWiSvR9haxH9rNZKPEzKykKLA3jvc
User presence confirmed
Last login: Thu Aug 25 01:56:47 2022 from 192.168.10.95
[root@test ~]#

and when it does actually ask for PIN, it follows the PIN entry up with another touch request.

Server is 8.8p1, client is 9.0p1. Distro is CentOS 8.6 on the server and MacOS on the client.

Thanks
-jeremy
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev