https://bugzilla.mindrot.org/show_bug.cgi?id=3572
xspielinbox+mind...@protonmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |xspielinbox+mindrot@protonmail.com

--- Comment #1 from xspielinbox+mind...@protonmail.com ---

I came across the same issue using Fedora Linux 38 with OpenSSH_9.0p1, OpenSSL 3.0.9 and a YubiKey 5 NFC with firmware version 5.2.7 and libfido2 1.12.0-3.fc38.

When creating the ssh-key of type ed25519-sk (regardless of the options given) it asks for the FIDO pin of the security key.

In the default config (which uses an ssh-agent) it never asks for the FIDO pin of the security key again thereafter, no matter how it has been created (resident or not; with verify-required or not).

When explicitly running ssh with an invalid ssh-agent socket, it does correctly ask for the pin if the key has been created with verify-required, but not if it hasn't:

    $ SSH_AUTH_SOCK=/tmp/ssh.sock ssh user@host -i id_ed25519_sk_verify
    Enter PIN for ED25519-SK key id_ed25519_sk_verify:
    Confirm user presence for key ED25519-SK SHA256:[...]

    $ SSH_AUTH_SOCK=/tmp/ssh.sock ssh user@host -i id_ed25519_sk
    Confirm user presence for key ED25519-SK SHA256:[...]

When using a key without verify-required with the default ssh-agent config and specifying verify-required in the authorized_keys of the target system, it does correctly deny the key with 'debug3: receive packet: type 51', though this is a pretty ambiguous failure message...

All in all, I can reproduce the reported issue. To a user at first it seems like the verify-required option is useless or broken, as it does not change anything.
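
Added example, not part of the original comment and not OpenSSH's own code: a Python model of the server-side check behind the rejection described above, where a signature made without user verification fails once authorized_keys carries verify-required. It assumes the sk-ssh-ed25519 signature layout documented in OpenSSH's PROTOCOL.u2f (string key type, string signature, one flags byte, uint32 counter); the function names and sample blobs are constructed for illustration.

```python
import struct

SK_ED25519 = b"sk-ssh-ed25519@openssh.com"
FLAG_UP = 0x01  # user presence: the key was touched
FLAG_UV = 0x04  # user verification: PIN or biometric was checked


def _read_string(buf, off):
    """Read an SSH 'string' (uint32 length + bytes); return (value, new offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def parse_sk_signature(blob):
    """Return (flags, counter) from an sk-ssh-ed25519 signature blob."""
    kind, off = _read_string(blob, 0)
    if kind != SK_ED25519:
        raise ValueError("not an sk-ssh-ed25519 signature")
    _sig, off = _read_string(blob, off)
    if len(blob) - off != 5:
        raise ValueError("expected 1 flags byte + 4 counter bytes")
    return struct.unpack_from(">BI", blob, off)


def server_accepts(blob, verify_required=False, no_touch_required=False):
    """Apply authorized_keys options to the flags the authenticator reported."""
    flags, _counter = parse_sk_signature(blob)
    if not no_touch_required and not flags & FLAG_UP:
        return False  # touch is required by default
    if verify_required and not flags & FLAG_UV:
        return False  # the case in the comment: no PIN was used for signing
    return True


def make_blob(flags, counter=7):
    """Constructed sample with a dummy 64-byte signature (not a real one)."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    return s(SK_ED25519) + s(b"\x00" * 64) + struct.pack(">BI", flags, counter)


TOUCH_ONLY = make_blob(FLAG_UP)               # signed with touch, no PIN
TOUCH_AND_PIN = make_blob(FLAG_UP | FLAG_UV)  # signed with touch and PIN
```

Packet type 51 in the debug output is SSH_MSG_USERAUTH_FAILURE, which is sent for any rejected authentication attempt, so the client log alone does not show that the missing user-verification flag was the cause.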