It seems that touch is required with the both old and the new clients regardless of whether no-touch-required is in place in authorized_keys or not. At least that the case when using ed25519-sk keys for authentication because when I have a key in place in the server account's ~/.ssh/authorized_keys like this: sk-ssh-ed25519 at openssh.com AAAAGnNrLXNzaC...NzaDo I can connect using either old (e.g. 8.4p1-5ubuntu1) or new (e.g. OpenSSH_8.5, LibreSSL 3.3.2) but have to touch the hardware token to complete the authentication. According to the manual page for sshd(8), "no-touch-required" should eliminate the need to verify physical presence through touching the hardware token. However if I set a key in place in the server account's ~/.ssh/authorized_keys like this: no-touch-required sk-ssh-ed25519 at openssh.com AAAAGnNrLXNzaC...NzaDo then the hardware token still blinks and yet I still cannot authenticate without touching it. Perhaps I have overlooked something? /Lars
pedro martelletto
2021-Apr-14 08:34 UTC
no-touch-required seems ignored in new and old clients
>It seems that touch is required with the both old and the new clients >regardless of whether no-touch-required is in place in authorized_keys >or not. > >At least that the case when using ed25519-sk keys for authentication >because when I have a key in place in the server account's >~/.ssh/authorized_keys like this: > >sk-ssh-ed25519 at openssh.com AAAAGnNrLXNzaC...NzaDo> >I can connect using either old (e.g. 8.4p1-5ubuntu1) or new (e.g. >OpenSSH_8.5, LibreSSL 3.3.2) but have to touch the hardware token to >complete the authentication. > >According to the manual page for sshd(8), "no-touch-required" should >eliminate the need to verify physical presence through touching the >hardware token. However if I set a key in place in the server account's >~/.ssh/authorized_keys like this: > >no-touch-required sk-ssh-ed25519 at openssh.com AAAAGnNrLXNzaC...NzaDo> >then the hardware token still blinks and yet I still cannot authenticate >without touching it. Perhaps I have overlooked something?In addition to "no-touch-required" in ~/.ssh/authorized_keys, the key itself needs to be created with ssh-keygen -O no-touch-required. -p.