bugzilla-daemon at mindrot.org
2020-Oct-02 17:39 UTC
[Bug 3218] New: Support fingerprint user validation
https://bugzilla.mindrot.org/show_bug.cgi?id=3218

Bug ID: 3218
Summary: Support fingerprint user validation
Product: Portable OpenSSH
Version: 8.4p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: pflug at pse-consulting.de

I'm using a Trustkey G310. On Webauthn enabled sites (e.g. Bitwarden), the key requires a valid fingerprint to authenticate, effectively making the key two factors at once. While -O verify-required does validate against the key's PIN, it doesn't request fingerprint verification. I'd like to see the fingerprint user validation to be supported.

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Nov-20 03:01 UTC
[Bug 3218] Support fingerprint user validation
https://bugzilla.mindrot.org/show_bug.cgi?id=3218

Damien Miller <djm at mindrot.org> changed:

What    |Removed |Added
----------------------------------------------------------------------------
CC      |        |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
I'd like to see this too - I'm trying to obtain hardware to help implement it.
bugzilla-daemon at mindrot.org
2021-Jan-08 02:59 UTC
[Bug 3218] Support biometric user validation
https://bugzilla.mindrot.org/show_bug.cgi?id=3218

Damien Miller <djm at mindrot.org> changed:

What    |Removed                              |Added
----------------------------------------------------------------------------
Summary |Support fingerprint user validation  |Support biometric user validation
bugzilla-daemon at mindrot.org
2021-Jan-08 03:39 UTC
[Bug 3218] Support biometric user validation
https://bugzilla.mindrot.org/show_bug.cgi?id=3218

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
I have tested against a pre-release Yubikey bio and the biometric authentication does work - it will set the "user verified" flag in the signature without needing a PIN.

Assuming your device works similarly, then simply adding "verify-required" to your key lines in ~/.ssh/authorized_keys should be sufficient.
bugzilla-daemon at mindrot.org
2021-Jan-08 03:41 UTC
[Bug 3218] Support biometric user validation
https://bugzilla.mindrot.org/show_bug.cgi?id=3218

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Just to clarify: you don't need to set verify-required when *generating* the key
bugzilla-daemon at mindrot.org
2021-Jan-08 09:56 UTC
[Bug 3218] Support biometric user validation
https://bugzilla.mindrot.org/show_bug.cgi?id=3218

--- Comment #4 from Andreas <pflug at pse-consulting.de> ---
Tested "verify-required" as option in authorized_keys, but get "Permission denied" then. The key is blinking light-blue, indicating FIDO2 mode without fingerprint verification, while it should blink dark-blue, using FPV.

Taken from earlier conversation with trustkey, it appears that ssh doesn't request the key to fp-verify. I'd expect the ssh client to request FPV when the server has the option verify-required present.
bugzilla-daemon at mindrot.org
2021-Jan-08 12:20 UTC
[Bug 3218] Support biometric user validation
https://bugzilla.mindrot.org/show_bug.cgi?id=3218

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
AFAIK there is no FIDO flag that we can set to request biometric verification. There is a concept of "user verification", but that is commingled with PIN verification.

If you can figure out what flags your webauthn endpoint is setting then it might be possible to replicate them. It is possible that it is using a vendor extension for your key in particular...
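
What the server side of this exchange looks at, as an added example that is not part of the thread and not OpenSSH's own code: it parses the trailing flags byte and counter of an sk-ssh-ed25519@openssh.com signature blob (layout per OpenSSH's PROTOCOL.u2f) and applies the authorized_keys options to it. The helper names, the policy function and the sample blobs are constructed for illustration; a PIN and a biometric both arrive as the same "user verified" bit (0x04).

```python
import struct

# Flag bits in the flags byte of an OpenSSH sk-* signature (FIDO authenticator data).
FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN or on-device biometric, indistinguishable here

def read_string(buf, off):
    """Read an SSH string (uint32 length + bytes); return (value, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n

def parse_sk_signature(blob):
    """Split: string alg, string signature, byte flags, uint32 counter."""
    alg, off = read_string(blob, 0)
    sig, off = read_string(blob, off)
    if len(blob) - off != 5:
        raise ValueError("expected 1 flags byte and a 4-byte counter")
    flags, counter = struct.unpack_from(">BI", blob, off)
    return {"alg": alg.decode("ascii"), "sig_len": len(sig),
            "flags": flags, "counter": counter}

def server_accepts(flags, options):
    """Simplified model of the authorized_keys policy, not OpenSSH's own code."""
    if "no-touch-required" not in options and not flags & FLAG_UP:
        return False          # touch is required unless explicitly waived
    if "verify-required" in options and not flags & FLAG_UV:
        return False          # the client sees "Permission denied"
    return True

def make_blob(flags, counter):
    """Constructed sample blob; the 64 signature bytes are placeholder zeros."""
    alg = b"sk-ssh-ed25519@openssh.com"
    sig = bytes(64)
    return (struct.pack(">I", len(alg)) + alg + struct.pack(">I", len(sig)) + sig
            + struct.pack(">BI", flags, counter))

if __name__ == "__main__":
    for flags in (FLAG_UP, FLAG_UP | FLAG_UV):   # touch only vs. touch + UV
        parsed = parse_sk_signature(make_blob(flags, 7))
        print(hex(parsed["flags"]),
              server_accepts(parsed["flags"], {"verify-required"}))
```

A signature carrying only the touch bit is rejected under verify-required, while one with the user-verified bit set passes regardless of whether a PIN or a fingerprint produced it.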
bugzilla-daemon at mindrot.org
2023-Oct-11 07:30 UTC
[Bug 3218] Support biometric user validation
https://bugzilla.mindrot.org/show_bug.cgi?id=3218

Damien Miller <djm at mindrot.org> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Resolution |---     |WORKSFORME
Status     |NEW     |RESOLVED

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
closed for lack of followup; biometric keys from other vendors (e.g. yubikey) are known to work