Thanks Christian for your answer. However, it seems to me you are contradicting yourself. First, you argue that the reason not to put the FIDO RK handle into the pub stored on the server is that this makes it impossible to log in with a stolen authenticator (unless you have the corresponding sk file). Later you argue that using ssh -K to download the FIDO handle is safe because this is allowed only when a correct PIN/fingerprint is provided. Why can't the correct PIN/fingerprint argument be used for the first point? We are working under the assumption that a stolen authenticator is useless (to use with SSH) without providing the correct PIN/fingerprint.

Also, it seems you ignored the part saying:

> I see no justifiable reason why to load resident keys from a FIDO authenticator to the SSH client computer, which is what `ssh-add -K` does. The normal way to work with resident credentials is to specify the RP ID `ssh:` in the authentication request to the authenticator.

but that is probably related to the point I raised above, indicating you are working with a different set of assumptions than we are.

-- 
Best Regards / S pozdravom,
Pavol "Stick" Rusnak
Co-Founder, SatoshiLabs

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
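The disagreement above turns on where the FIDO key handle lives: in the public key that gets copied to the server, or only on the client side (the sk private key file, or the authenticator's own resident credential). The following added example, which is not code from the thread or from OpenSSH, builds and parses the sk-ssh-ed25519@openssh.com wire formats as described in OpenSSH's PROTOCOL.u2f, so a reader can see that the public blob carries only the Ed25519 public key and the application (RP ID), while the key handle appears only in the private key section. The 32-byte public key, the key handle bytes and the comment are constructed sample values, not real key material.

```python
import base64
import struct

# Constructed sample values (not from the thread): a dummy 32-byte Ed25519
# public key, the default OpenSSH RP ID "ssh:", and a dummy key handle.
SAMPLE_PK = bytes(range(32))
SAMPLE_APP = b"ssh:"
SAMPLE_HANDLE = b"\xaa" * 48
KEYTYPE = b"sk-ssh-ed25519@openssh.com"


def ssh_string(b: bytes) -> bytes:
    """Encode an SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def read_ssh_string(buf: bytes, off: int):
    """Decode an SSH wire 'string' at offset off; return (value, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off:off + n], off + n


def build_sk_ed25519_pubkey(pk: bytes, application: bytes) -> bytes:
    """Public key blob per PROTOCOL.u2f: string keytype, string pk, string application.
    This is the blob that ends up in authorized_keys on the server; it contains
    no key handle."""
    if len(pk) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    return ssh_string(KEYTYPE) + ssh_string(pk) + ssh_string(application)


def build_sk_ed25519_private_section(pk: bytes, application: bytes,
                                     flags: int, key_handle: bytes) -> bytes:
    """Private key section per PROTOCOL.u2f: the public fields followed by
    uint8 flags, string key_handle, string reserved. This stays on the client."""
    return (build_sk_ed25519_pubkey(pk, application)
            + struct.pack("B", flags)
            + ssh_string(key_handle)
            + ssh_string(b""))


def parse_sk_ed25519_pubkey(blob: bytes) -> dict:
    """Parse a public blob and return its fields; reject trailing bytes so a
    blob that smuggles extra data (such as a handle) is not silently accepted."""
    off = 0
    keytype, off = read_ssh_string(blob, off)
    if keytype != KEYTYPE:
        raise ValueError("unexpected key type %r" % keytype)
    pk, off = read_ssh_string(blob, off)
    application, off = read_ssh_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after public key fields")
    return {"keytype": keytype.decode(), "pk": pk, "application": application.decode()}


def parse_sk_ed25519_private_section(blob: bytes) -> dict:
    """Parse the private section; the key handle is only recoverable here."""
    off = 0
    fields = {}
    keytype, off = read_ssh_string(blob, off)
    fields["keytype"] = keytype.decode()
    fields["pk"], off = read_ssh_string(blob, off)
    application, off = read_ssh_string(blob, off)
    fields["application"] = application.decode()
    fields["flags"] = blob[off]
    off += 1
    fields["key_handle"], off = read_ssh_string(blob, off)
    _reserved, off = read_ssh_string(blob, off)
    return fields


def authorized_keys_line(blob: bytes, comment: str) -> str:
    """Render the public blob the way it appears in authorized_keys."""
    return "%s %s %s" % (KEYTYPE.decode(), base64.b64encode(blob).decode(), comment)


if __name__ == "__main__":
    pub = build_sk_ed25519_pubkey(SAMPLE_PK, SAMPLE_APP)
    print(authorized_keys_line(pub, "constructed-sample"))
    print("public fields:", sorted(parse_sk_ed25519_pubkey(pub)))
    priv = build_sk_ed25519_private_section(SAMPLE_PK, SAMPLE_APP, 0x01, SAMPLE_HANDLE)
    print("private fields:", sorted(parse_sk_ed25519_private_section(priv)))
```

Running the block prints an authorized_keys-style line and the field names of each structure: the public side has keytype, pk and application only, while the private section additionally carries flags and key_handle, which is the asymmetry the two positions in the thread are reasoning about.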