I'm trying to understand why my fido2 configuration only asks for a PIN sometimes?

Is there a way to force it to ask for PIN every time?

jeremy at macbook-pro ~ % ssh -A -l root -i ~/.ssh/id_ed25519_sk test.domain.intra
Confirm user presence for key ED25519-SK SHA256:8KYU2Ekxqudg3lwWiSvR9haxH9rNZKPEzKykKLA3jvc
User presence confirmed
Last login: Thu Aug 25 01:56:34 2022 from 192.168.10.95
[root at test ~]# logout
Connection to test.domain.intra closed.
jeremy at macbook-pro ~ % ssh -A -l root -i ~/.ssh/id_ed25519_sk test.domain.intra
Confirm user presence for key ED25519-SK SHA256:8KYU2Ekxqudg3lwWiSvR9haxH9rNZKPEzKykKLA3jvc
User presence confirmed
Last login: Thu Aug 25 01:56:40 2022 from 192.168.10.95
[root at test ~]# logout
Connection to test.domain.intra closed.
jeremy at macbook-pro ~ % ssh -A -l root -i ~/.ssh/id_ed25519_sk test.domain.intra
Confirm user presence for key ED25519-SK SHA256:8KYU2Ekxqudg3lwWiSvR9haxH9rNZKPEzKykKLA3jvc
User presence confirmed
Last login: Thu Aug 25 01:56:44 2022 from 192.168.10.95
[root at test ~]# logout
Connection to test.domain.intra closed.
jeremy at macbook-pro ~ % ssh -A -l root -i ~/.ssh/id_ed25519_sk test.domain.intra
Confirm user presence for key ED25519-SK SHA256:8KYU2Ekxqudg3lwWiSvR9haxH9rNZKPEzKykKLA3jvc
Enter PIN for ED25519-SK key /Users/jeremy/.ssh/id_ed25519_sk:
Confirm user presence for key ED25519-SK SHA256:8KYU2Ekxqudg3lwWiSvR9haxH9rNZKPEzKykKLA3jvc
User presence confirmed
Last login: Thu Aug 25 01:56:47 2022 from 192.168.10.95
[root at test ~]#

And when it does actually ask for PIN, it follows the PIN entry up with another touch request.

Server is 8.8p1, client is 9.0p1. Distro is CentOS 8.6 on the server and MacOS on the client.

Thanks
-jeremy
On Thu, Aug 25, 2022, at 7:59 AM, Jeremy Hansen wrote:
> I'm trying to understand why my fido2 configuration only asks for a PIN
> sometimes?
>
> Is there a way to force it to ask for PIN every time?

Hi Jeremy,

Which FIDO2 authenticator are you using?

-p.