I'm evaluating the new Yubikey Bio keys and there are some issues I don't quite understand regarding presence touch and actual fingerprint verification.

If I load the resident key (i.e. ssh-add -K), things seem to work as expected and the wrong fingerprint results in dropping down to another authentication method.

If I don't use ssh-add -K, then it seems ssh only verifies presence. I basically want to enforce proper fingerprint recognition always. Is there a way to do this?

Thank you
-jeremy
On Sun, 10 Oct 2021, Jeremy Hansen wrote:

> I'm evaluating the new Yubikey Bio keys and there are some issues I
> don't quite understand regarding presence touch and actual
> fingerprint verification.
>
> If I load the resident key (i.e. ssh-add -K), things seem to work
> as expected and the wrong fingerprint results in dropping down to
> another authentication method.
>
> If I don't use ssh-add -K, then it seems ssh only verifies presence.
> I basically want to enforce proper fingerprint recognition always. Is
> there a way to do this?

Yes, you need to specify -Overify-required on the ssh-keygen command-line when generating the key.

-d
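An added example (not code from this thread or from OpenSSH) that puts the reply into practice and adds the server-side check a practitioner would want: the user-verification requirement is recorded in the key handle when ssh-keygen writes it, so it has to be set at generation time with -O verify-required; independently of that, sshd can refuse any FIDO signature that does not attest user verification via the verify-required option in authorized_keys (or PubkeyAuthOptions verify-required in sshd_config for all keys), which goes beyond what the reply states. The key path, key comment and the sample authorized_keys entries are assumptions; the key blobs are placeholders, not real keys.

```sh
#!/bin/sh
# Added example, not from the original thread.
# Assumed key path and comment; sample authorized_keys content is constructed.

# Client side: the user-verification flag is a property of the key handle,
# so it must be chosen when the key is created. Without -O verify-required
# the token only checks presence (touch). Expect the token to prompt for its
# PIN/biometric during generation. Not run automatically below: it needs a
# FIDO authenticator plugged in.
generate_verify_required_key() {
  keyfile="${1:-$HOME/.ssh/id_ecdsa_sk_bio}"   # assumed path
  ssh-keygen -t ecdsa-sk -O verify-required -O resident \
    -f "$keyfile" -C "yubikey-bio"             # assumed comment
}

# Server side: prefix the public key with the verify-required option so sshd
# rejects signatures whose FIDO flags do not attest user verification, no
# matter how the client generated or loaded the key.
authorized_keys_line() {
  printf 'verify-required %s\n' "$1"
}

# Audit check: count sk-* keys in an authorized_keys file that lack the
# verify-required option. Only the options field (text before the key type)
# is inspected, so a matching word in a key comment does not count.
sk_keys_without_verify_required() {
  awk -v pat='sk-(ecdsa-sha2-nistp256|ssh-ed25519)@openssh[.]com' '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    match($0, pat) {
      opts = substr($0, 1, RSTART - 1)
      if (opts !~ /(^|,)verify-required([[:space:]]|,)/) n++
    }
    END { print n + 0 }
  ' "$1"
}

# Constructed sample authorized_keys; blobs are placeholders, not real keys.
make_sample_authorized_keys() {
  cat > "$1" <<'EOF'
# constructed sample
verify-required sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDER1 bio-enforced
sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDER2 bio-presence-only
ssh-ed25519 AAAAPLACEHOLDER3 laptop
no-pty,verify-required sk-ssh-ed25519@openssh.com AAAAPLACEHOLDER4 other-token
EOF
}

# Offline demo of the audit on the constructed sample (one key is flagged:
# the sk-ecdsa key with no options).
sample=$(mktemp)
make_sample_authorized_keys "$sample"
echo "sk keys lacking verify-required: $(sk_keys_without_verify_required "$sample")"
rm -f "$sample"
```

Run the audit against a real authorized_keys file to find sk keys that would still authenticate on touch alone; a non-zero count means the fingerprint requirement currently depends entirely on how each client generated its key.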
On Sun, Oct 10, 2021 at 7:52 PM Jeremy Hansen <jeremy at skidrow.la> wrote:
>
> I'm evaluating the new Yubikey Bio keys and there are some issues I don't quite understand regarding presence touch and actual fingerprint verification.

Don't put too much confidence in those. There have been only incremental improvements in fingerprint sensors in the last 20 years, and the infamous "gummi finger" paper is still valid. See https://cryptome.org/gummy.htm, or the Mythbusters episode, or test your sensor yourself with printed fingerprints.