| Summary: | Support biometric user validation | | |
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Andreas <pflug> |
| Component: | ssh-keygen | Assignee: | Assigned to nobody <unassigned-bugs> |
| Status: | NEW --- | | |
| Severity: | enhancement | CC: | djm |
| Priority: | P5 | | |
| Version: | 8.4p1 | | |
| Hardware: | All | | |
| OS: | All | | |

Description
Andreas
2020-10-03 03:39:43 AEST
I'd like to see this too - I'm trying to obtain hardware to help implement it.

I have tested against a pre-release Yubikey bio and the biometric authentication does work - it will set the "user verified" flag in the signature without needing a PIN. Assuming your device works similarly, then simply adding "verify-required" to your key lines in ~/.ssh/authorized_keys should be sufficient.

Just to clarify: you don't need to set verify-required when *generating* the key.

Tested "verify-required" as option in authorized_keys, but get "Permission denied" then. The key is blinking light-blue, indicating FIDO2 mode without fingerprint verification, while it should blink dark-blue, using FPV. Taken from earlier conversation with trustkey, it appears that ssh doesn't request the key to fp-verify. I'd expect the ssh client to request FPV when the server has the option verify-required present.

AFAIK there is no FIDO flag that we can set to request biometric verification. There is a concept of "user verification", but that is commingled with PIN verification. If you can figure out what flags your webauthn endpoint is setting then it might be possible to replicate them. It is possible that it is using a vendor extension for your key in particular...
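
The thread turns on whether the signature carries the "user verified" flag that `verify-required` demands. As an added illustration (not code from OpenSSH or from this bug), the sketch below parses the flags byte of an `sk-*` SSH signature, using the layout documented in OpenSSH's PROTOCOL.u2f, and applies the same accept/reject rule. The function names are hypothetical and the sample blobs are constructed, with placeholder bytes instead of a real signature.

```python
import struct

# Flag bits copied from the FIDO authenticator data into the SSH sk signature.
FLAG_USER_PRESENT = 0x01   # UP: the token was touched
FLAG_USER_VERIFIED = 0x04  # UV: PIN or biometric check succeeded on the token

def _read_string(buf, off):
    """Read an SSH 'string' (uint32 length + bytes); return (value, new offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n

def parse_sk_signature(blob):
    """Parse: string keytype, string signature, byte flags, uint32 counter."""
    keytype, off = _read_string(blob, 0)
    if not keytype.startswith(b"sk-"):
        raise ValueError("not a FIDO (sk-*) signature")
    _sig, off = _read_string(blob, off)
    if len(blob) - off != 5:
        raise ValueError("expected 1 flags byte + 4 counter bytes")
    flags, counter = struct.unpack_from(">BI", blob, off)
    return {"keytype": keytype.decode(), "flags": flags, "counter": counter,
            "user_present": bool(flags & FLAG_USER_PRESENT),
            "user_verified": bool(flags & FLAG_USER_VERIFIED)}

def acceptable(sig, verify_required=False, no_touch_required=False):
    """Server-side decision for the authorized_keys options on this key line."""
    if not no_touch_required and not sig["user_present"]:
        return False  # touch is required by default
    if verify_required and not sig["user_verified"]:
        return False  # touch-only signature: authentication is refused
    return True

def build_sample(flags, counter=7):
    """Constructed sample blob; the 64 zero bytes stand in for a signature."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    return (s(b"sk-ssh-ed25519@openssh.com") + s(b"\x00" * 64)
            + struct.pack(">BI", flags, counter))

if __name__ == "__main__":
    for flags in (0x01, 0x05):
        sig = parse_sk_signature(build_sample(flags))
        print(hex(flags), "verify-required ok:", acceptable(sig, verify_required=True))
```

A signature with flags `0x01` (touch only) passes the default policy but fails once `verify-required` is on the key line; flags `0x05` (touch plus user verification) passes both.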